Your message dated Thu, 13 Nov 2008 19:32:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#505360: fixed in gnutls26 2.6.2-1
has caused the Debian Bug report #505360,
regarding libgnutls26: CVE-2008-4989 security flaw in certificate chain verification
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
505360: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505360
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libgnutls26
Version: 2.4.2-2
Severity: grave
Tags: security
Justification: user security hole
Red Hat has just released an update that fixes a security flaw in GnuTLS [1].
The CVE page [2] indicates that the issue is currently reserved, but Red Hat
describes the problem as:
Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
chains provided by a server. A malicious server could use this flaw to
spoof its identity by tricking client applications using the GnuTLS library
to trust invalid certificates. (CVE-2008-4989)
Red Hat describes this as a "moderate severity" issue, so I assume that this
should be tracked as medium-urgency in Debian.
It is not clear which versions are affected. The Red Hat updates are only
for their enterprise (RHEL 5) version, which is GnuTLS 1.4.1.
[1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989
--- End Message ---
--- Begin Message ---
Source: gnutls26
Source-Version: 2.6.2-1
We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive:
gnutls-bin_2.6.2-1_i386.deb
to pool/main/g/gnutls26/gnutls-bin_2.6.2-1_i386.deb
gnutls-doc_2.6.2-1_all.deb
to pool/main/g/gnutls26/gnutls-doc_2.6.2-1_all.deb
gnutls26_2.6.2-1.diff.gz
to pool/main/g/gnutls26/gnutls26_2.6.2-1.diff.gz
gnutls26_2.6.2-1.dsc
to pool/main/g/gnutls26/gnutls26_2.6.2-1.dsc
gnutls26_2.6.2.orig.tar.gz
to pool/main/g/gnutls26/gnutls26_2.6.2.orig.tar.gz
guile-gnutls_2.6.2-1_i386.deb
to pool/main/g/gnutls26/guile-gnutls_2.6.2-1_i386.deb
libgnutls-dev_2.6.2-1_i386.deb
to pool/main/g/gnutls26/libgnutls-dev_2.6.2-1_i386.deb
libgnutls26-dbg_2.6.2-1_i386.deb
to pool/main/g/gnutls26/libgnutls26-dbg_2.6.2-1_i386.deb
libgnutls26_2.6.2-1_i386.deb
to pool/main/g/gnutls26/libgnutls26_2.6.2-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[EMAIL PROTECTED]> (supplier of updated gnutls26 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 13 Nov 2008 19:30:06 +0100
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls-bin gnutls-doc guile-gnutls
Architecture: source all i386
Version: 2.6.2-1
Distribution: experimental
Urgency: low
Maintainer: Debian GnuTLS Maintainers <[EMAIL PROTECTED]>
Changed-By: Andreas Metzler <[EMAIL PROTECTED]>
Description:
gnutls-bin - the GNU TLS library - commandline utilities
gnutls-doc - the GNU TLS library - documentation and examples
guile-gnutls - the GNU TLS library - GNU Guile bindings
libgnutls-dev - the GNU TLS library - development files
libgnutls26 - the GNU TLS library - runtime library
libgnutls26-dbg - GNU TLS library - debugger symbols
Closes: 505360
Changes:
gnutls26 (2.6.2-1) experimental; urgency=low
.
* New upstream version.
+ Fixes certificate verification error CVE-2008-4989. Closes: #505360
+ Drop 20_fix_501077.diff.
* ia64 has guile-1.8 nowadays, let's try building the guile-gnutls wrapper
there.
* Add Simon Josefsson to uploaders.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---