#1068418 rust-openssl: CVE-2024-3296

Package:
src:rust-openssl
Source:
src:rust-openssl
Submitter:
Salvatore Bonaccorso
Date:
2025-04-15 17:54:02 UTC
Severity:
normal
Tags:
#1068418#5
Date:
2024-04-04 19:52:33 UTC
From:
To:
Hi,

The following vulnerability was published for rust-openssl.

CVE-2024-3296[0]:
| A timing-based side-channel exists in the rust-openssl package,
| which could be sufficient to recover a plaintext across a network in
| a Bleichenbacher-style attack. To achieve successful decryption, an
| attacker would have to be able to send a large number of trial
| messages for decryption. The vulnerability affects the legacy
| PKCS#1v1.5 RSA encryption padding mode.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3296
https://www.cve.org/CVERecord?id=CVE-2024-3296
[1] https://github.com/sfackler/rust-openssl/issues/2171

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
#1068418#10
Date:
2025-04-15 17:51:45 UTC
From:
To:
Tags 1068418 +wontfix

After a bunch of back and forth the upstream maintainer of this crate has stated.