
Bug#1101730: openssl: ppc64el: upstream fixed Minerva timing side-channel signal for ECC p384



Package: openssl
Version: 3.4.1-1
Severity: important
Tags: security
X-Debbugs-Cc: debian-powerpc@lists.debian.org, zumbi@debian.org, Debian Security Team <team@security.debian.org>
User: debian-powerpc@lists.debian.org
Usertags: ppc64el

Hello,

The OpenSSL maintainers discovered a timing side channel vulnerability in OpenSSL's P-384 implementation when used with ECDSA.  The PPC issue is discussed publicly here: https://github.com/openssl/openssl/issues/24253 and the generic issue is discussed here: https://github.com/openssl/openssl/issues/23860

PR link with fix - https://github.com/openssl/openssl/pull/26709

The last comment says - Merged to the master, 3.5, 3.4, 3.3 and 3.2 branches.

Regards


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.17-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=ca_ES:ca
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssl depends on:
ii  libc6       2.41-6
ii  libssl3t64  3.4.1-1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20241223

-- no debconf information

