Your message dated Fri, 13 Jul 2018 10:00:18 +0000
with message-id <e1fdus6-000g4p...@fasolo.debian.org>
and subject line Bug#901627: fixed in wolfssl 3.15.3+dfsg-1
has caused the Debian Bug report #901627,
regarding wolfssl: CVE-2018-12436
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
901627: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901627
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wolfssl
Version: 3.13.0+dfsg-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for wolfssl.

CVE-2018-12436[0]:
| wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a
| memory-cache side-channel attack on ECDSA signatures, aka the Return Of
| the Hidden Number Problem or ROHNP. To discover an ECDSA key, the
| attacker needs access to either the local machine or a different
| virtual machine on the same physical host.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12436
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12436
[1] https://github.com/wolfSSL/wolfssl/commit/9b9568d500f31f964af26ba8d01e542e1f27e5ca
[2] https://www.wolfssl.com/wolfssh-and-rohnp/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: wolfssl
Source-Version: 3.15.3+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Lechner <felix.lech...@lease-up.com> (supplier of updated wolfssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Jul 2018 15:29:02 -0700
Source: wolfssl
Binary: libwolfssl18 libwolfssl-dev
Architecture: source amd64
Version: 3.15.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Felix Lechner <felix.lech...@lease-up.com>
Changed-By: Felix Lechner <felix.lech...@lease-up.com>
Description:
 libwolfssl-dev - Development files for the wolfSSL encryption library
 libwolfssl18 - wolfSSL encryption library
Closes: 901627
Changes:
 wolfssl (3.15.3+dfsg-1) unstable; urgency=medium
 .
   * New upstream release
   * Fixes "return of the hidden number problem" CVE-2018-12436 (Closes: #901627)
   * Major number is now 18
   * Updated shared object symbols
   * Debug symbol migration complete; code deleted
   * Shipping examples for C library
   * Removed doxygen-generated files from source tarball
   * Removed non-existing 'm4/wolfssl_darwin_clang.m4' from copyright
   * Updated upstream home page in control
   * Switched to secure URI for copyright format
   * Fixed spelling in patch header
   * Set Standards-Version: 4.1.5
   * Set compat to 11
   * Set Build-Depends: debhelper (>= 11)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
