Your message dated Sat, 17 Jan 2009 17:46:58 +0100
with message-id <20090117164658.ga24...@country.nixsys.be>
and subject line Forgot the Closes: stanza
has caused the Debian Bug report #511261,
regarding CVE-2008-0049: Improper certificate validation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
511261: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511261
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: belpic
Severity: grave
Tags: security
Justification: user security hole

Hi Wouter,

CVE-2009-0049:

Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly check the
return value from the OpenSSL EVP_VerifyFinal function, which allows remote
attackers to bypass validation of the certificate chain via a malformed SSL/TLS
signature, a similar vulnerability to CVE-2008-5077.

http://www.ocert.org/advisories/ocert-2008-016.html

Cheers,
        Moritz

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
Version: 2.6.0-6

I forgot to add a 'Closes: #511261' to the -6 upload, but it does fix
this bug. Oops.

Here's the .changes file:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 08 Aug 2008 17:02:33 -0300
Source: belpic
Binary: libbeidlibopensc2 libbeidlibopensc2-dev libbeidlibopensc2-dbg beid-tools libbeid2 libbeid2-dev libbeid2-dbg beidgui
Architecture: source powerpc
Version: 2.6.0-6
Distribution: unstable
Urgency: high
Maintainer: Wouter Verhelst <wou...@debian.org>
Changed-By: Wouter Verhelst <wou...@debian.org>
Description: 
 beid-tools - SmartCard utilities from the OpenSC project, compiled against lib
 beidgui    - application to read out information from the Belgian electronic I
 libbeid2   - library to read identity information from the Belgian electronic 
 libbeid2-dbg - library to read identity information from the Belgian eID card (d
 libbeid2-dev - development library to read identity information from the Belgian
 libbeidlibopensc2 - belgian eID PKCS11 library
 libbeidlibopensc2-dbg - belgian eID PKCS11 library, debugging symbols
 libbeidlibopensc2-dev - belgian eID PKCS11 library, development files
Changes: 
 belpic (2.6.0-6) unstable; urgency=high
 .
   * Remove libopenct1-dev builddep, and single leftover linkage to
     libopenct. This code was not actually active anymore since 2.6.0-4,
     but there were some leftovers.
   * Copy reader-pcsc.c over from a more recent version of opensc;
     interfaces have changed since this code was written, and otherwise
     it wouldn't compile anymore.
   * Include fix for CVE-2009-0049: EVP_VerifyFinal() return value is
     not correctly checked. Checked with upstream. Since this is a rather
     important security issue, urgency=high.
Checksums-Sha1: 
 afe141e1d2611a8353932f07882d4772ce72f0f0 1164 belpic_2.6.0-6.dsc
 5218f233e98238ca377867206f97b6face016f16 24885 belpic_2.6.0-6.diff.gz
 ac1a0546a2b1e972dea8240db546d6584ed52d3c 353940 libbeidlibopensc2_2.6.0-6_powerpc.deb
 bbe93b4c3a033d44a708c8831f23ebccc45036c2 1016088 libbeidlibopensc2-dev_2.6.0-6_powerpc.deb
 435a43cd6bc28ebb817676e11fa55a6b1fb31edc 864760 libbeidlibopensc2-dbg_2.6.0-6_powerpc.deb
 c020cecefa4ca70d71948fe49c9a4dea9deeb1ac 164048 beid-tools_2.6.0-6_powerpc.deb
 f55d5be43ec44dc5f44df0358fcc9d1a1c93a415 164666 libbeid2_2.6.0-6_powerpc.deb
 667e5ca2e47c50f4d31b3de56481689ae56cc24d 89698 libbeid2-dev_2.6.0-6_powerpc.deb
 c02b33a32f43be37e005c27e64b3e44f01ecaf4f 501202 libbeid2-dbg_2.6.0-6_powerpc.deb
 40a43043e51e0d86303aea62be7332b9dd8aa53d 320322 beidgui_2.6.0-6_powerpc.deb
Checksums-Sha256: 
 e33e8c726421087c26c24ec3ddf823d27fdc4d09645a59f8ee15df754874957e 1164 belpic_2.6.0-6.dsc
 707d4f67155c791efb68750c2fb3317cef170893e72a78e83ed9c19b2fd44803 24885 belpic_2.6.0-6.diff.gz
 754a2e79781470498f6089303eb5193872192a39cbf3f9a5b00aa5c295571175 353940 libbeidlibopensc2_2.6.0-6_powerpc.deb
 91589aad829e436d9f23820e63a91a9507a78ea9a1d18aefa1a9228b2ad95757 1016088 libbeidlibopensc2-dev_2.6.0-6_powerpc.deb
 d7bf57e2d4feb1af6332a024b570d61db4b55962c948d25563224dc3944afc6a 864760 libbeidlibopensc2-dbg_2.6.0-6_powerpc.deb
 5d15c071cb2a3f158471f4006293ef36c9d64ef13f45f63d68d2365f3830789f 164048 beid-tools_2.6.0-6_powerpc.deb
 48dea045fcc94203b708313d7c82d45b59475e240c19da83717af6c7d1427dea 164666 libbeid2_2.6.0-6_powerpc.deb
 b442579085b0c44d9cf3aa468111e6ffce8f48f87ae34dd8df88b9ee5625e1fe 89698 libbeid2-dev_2.6.0-6_powerpc.deb
 e8be692bd78fc76d5d1eacaf42d9ccbd38d2594209ad67e790d30b9bd6b3a74e 501202 libbeid2-dbg_2.6.0-6_powerpc.deb
 0498ad9027e4a46800e1173a753ca60113458b6cd9fb3a439b5e1b3bdf32854f 320322 beidgui_2.6.0-6_powerpc.deb
Files: 
 3c6c750a87e6d56ada5c86e23e691f0e 1164 - extra belpic_2.6.0-6.dsc
 0122c1b95c6defcd5cce00d2f9135756 24885 - extra belpic_2.6.0-6.diff.gz
 ddb4b70a73c0979ec07e3a0badc7df20 353940 libs extra libbeidlibopensc2_2.6.0-6_powerpc.deb
 9aed08318bace9f2bbb9eff6e7e6797b 1016088 libdevel extra libbeidlibopensc2-dev_2.6.0-6_powerpc.deb
 629942ddefb838b7fefbad347a0cd0d0 864760 libdevel extra libbeidlibopensc2-dbg_2.6.0-6_powerpc.deb
 c34f09ae8eb7b4fe522adfd5e1b8a195 164048 utils extra beid-tools_2.6.0-6_powerpc.deb
 e98f75101810fbbb811fc7ecc20eaf29 164666 libs extra libbeid2_2.6.0-6_powerpc.deb
 3655332b5c418fb9c167c3e5582e30c7 89698 libdevel extra libbeid2-dev_2.6.0-6_powerpc.deb
 e7bd1986f9adc19d52505709af9e6977 501202 libdevel extra libbeid2-dbg_2.6.0-6_powerpc.deb
 65e90d2a6508b620a6143ca3a1903a22 320322 utils extra beidgui_2.6.0-6_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklspJEACgkQPfwsYq950p6WwwCeL3elnAS4Ssd/KG0ZuEuVeZ0Z
bgMAnR21R8TU7k946S2vkLUkEKKcmxJv
=8yWO
-----END PGP SIGNATURE-----

Regards,

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22


--- End Message ---
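The CVE text in the original report and the changelog entry in the closing message describe the same defect class: EVP_VerifyFinal() returns 1 for a correct signature, 0 for a signature that does not match, and -1 when an error occurs (for instance a signature that cannot be decoded), so a caller that only rejects 0 accepts the error path, and a malformed signature walks through chain validation as if it had verified. The C program below is an added example written for this page, not code from belpic, OpenSSL or the bug report. Its toy_sig, verify_stub, chain_valid and validate_sample_chain functions and the sample certificate data are constructed stand-ins; only the 1 / 0 / negative return convention is taken from the real OpenSSL API.

```c
/*
 * Added example (not from the bug report or from belpic): models the
 * return-value contract of OpenSSL's EVP_VerifyFinal(), which returns
 *   1  signature verified,
 *   0  signature did not match,
 *  -1  an error occurred, e.g. the signature could not be decoded.
 * verify_stub() is a constructed stand-in using a toy keyed hash, not
 * OpenSSL; only the 1 / 0 / negative convention is taken from the real API.
 * The point under test is the accept() policy applied to that return value.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_LEN 4

struct cert {
    const char    *subject;
    const uint8_t *tbs;      /* "to be signed" bytes (constructed sample) */
    size_t         tbs_len;
    const uint8_t *sig;      /* issuer's signature over tbs */
    size_t         sig_len;
    uint32_t       key;      /* subject public key stand-in (constructed) */
};

/* Toy keyed hash (FNV-1a seeded with the key); stands in for RSA/ECDSA. */
static uint32_t toy_sig(const uint8_t *d, size_t n, uint32_t key)
{
    uint32_t h = 2166136261u ^ key;
    for (size_t i = 0; i < n; i++)
        h = (h ^ d[i]) * 16777619u;
    return h;
}

static void put_be32(uint8_t out[SIG_LEN], uint32_t v)
{
    out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
}

/* Stand-in for EVP_VerifyFinal(): -1 if the signature is malformed,
 * 0 if it is well-formed but wrong, 1 if it verifies. */
static int verify_stub(const struct cert *c, uint32_t issuer_key)
{
    uint8_t expect[SIG_LEN];
    if (c->sig_len != SIG_LEN)
        return -1;                           /* undecodable signature: error */
    put_be32(expect, toy_sig(c->tbs, c->tbs_len, issuer_key));
    return memcmp(expect, c->sig, SIG_LEN) == 0 ? 1 : 0;
}

/* The vulnerable pattern: only 0 is treated as failure, so the -1 error
 * path is accepted as if the signature had verified. */
int accept_buggy(int rc) { return rc != 0; }

/* The fix: success means exactly 1; 0 and every negative value reject. */
int accept_fixed(int rc) { return rc == 1; }

/* Walks chain[0] (leaf) .. chain[n-1] (self-signed root), verifying each
 * certificate against its issuer's key under the given accept() policy. */
static int chain_valid(const struct cert *chain, size_t n, int (*accept)(int))
{
    for (size_t i = 0; i < n; i++) {
        uint32_t issuer_key = (i + 1 < n) ? chain[i + 1].key : chain[i].key;
        int rc = verify_stub(&chain[i], issuer_key);
        if (!accept(rc))
            return 0;
    }
    return 1;
}

enum chain_case { CHAIN_GOOD, CHAIN_FORGED, CHAIN_MALFORMED };

/* Builds a constructed two-certificate chain in one of three states and
 * returns 1 if the given policy accepts the whole chain. */
int validate_sample_chain(enum chain_case which, int (*accept)(int))
{
    static const uint8_t root_tbs[] = "CN=Sample Root CA";    /* constructed */
    static const uint8_t leaf_tbs[] = "CN=sample.invalid";    /* constructed */
    const uint32_t root_key = 0x0badc0deu, leaf_key = 0x00c0ffeeu; /* constructed */
    uint8_t root_sig[SIG_LEN], leaf_sig[SIG_LEN];

    put_be32(root_sig, toy_sig(root_tbs, sizeof root_tbs - 1, root_key));
    put_be32(leaf_sig, toy_sig(leaf_tbs, sizeof leaf_tbs - 1, root_key));
    if (which == CHAIN_FORGED)
        leaf_sig[0] ^= 0x01;                 /* well-formed but wrong: rc 0 */

    struct cert chain[2] = {
        { "leaf", leaf_tbs, sizeof leaf_tbs - 1, leaf_sig,
          which == CHAIN_MALFORMED ? 0 : SIG_LEN, leaf_key }, /* empty sig: rc -1 */
        { "root", root_tbs, sizeof root_tbs - 1, root_sig, SIG_LEN, root_key },
    };
    return chain_valid(chain, 2, accept);
}

int main(void)
{
    static const char *names[] = { "good", "forged", "malformed" };
    for (int c = CHAIN_GOOD; c <= CHAIN_MALFORMED; c++)
        printf("%-9s chain: buggy check %s, fixed check %s\n", names[c],
               validate_sample_chain(c, accept_buggy) ? "ACCEPTS" : "rejects",
               validate_sample_chain(c, accept_fixed) ? "ACCEPTS" : "rejects");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run it. Both policies agree on the good chain and on the forged (well-formed, wrong) signature; they differ only on the malformed leaf, which the buggy policy accepts because the stand-in returns -1 rather than 0. When auditing callers of EVP_VerifyFinal() and similar functions, grep for comparisons against 0 (`== 0`, `!`) and rewrite them as `!= 1`, which is the shape of the fix the changelog entry refers to.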