Your message dated Mon, 02 Feb 2009 10:32:10 +0000
with message-id <e1ltw66-0007wn...@ries.debian.org>
and subject line Bug#511519: fixed in libcrypt-openssl-dsa-perl 0.13-4
has caused the Debian Bug report #511519,
regarding libcrypt-openssl-dsa-perl: return values of openssl functions.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
511519: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511519
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libcrypt-openssl-dsa-perl
Severity: serious
Tags: security
Hi,
I've been checking packages to see if they properly check the return
value of some of the functions in openssl.
It seems that your package calls functions like DSA_verify
and DSA_do_verify and just returns those values. Looking
at the documentation, it seems to suggest that != 0 would
mean that it was successful.
However those functions can also return -1 on failure. This
would then mean that other applications making use of this
could wrongly check the return value.
Kurt
--- End Message ---
--- Begin Message ---
Source: libcrypt-openssl-dsa-perl
Source-Version: 0.13-4
We believe that the bug you reported is fixed in the latest version of
libcrypt-openssl-dsa-perl, which is due to be installed in the Debian FTP
archive:
libcrypt-openssl-dsa-perl_0.13-4.diff.gz
to
pool/main/libc/libcrypt-openssl-dsa-perl/libcrypt-openssl-dsa-perl_0.13-4.diff.gz
libcrypt-openssl-dsa-perl_0.13-4.dsc
to
pool/main/libc/libcrypt-openssl-dsa-perl/libcrypt-openssl-dsa-perl_0.13-4.dsc
libcrypt-openssl-dsa-perl_0.13-4_amd64.deb
to
pool/main/libc/libcrypt-openssl-dsa-perl/libcrypt-openssl-dsa-perl_0.13-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 511...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Damyan Ivanov <d...@debian.org> (supplier of updated libcrypt-openssl-dsa-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 02 Feb 2009 12:02:51 +0200
Source: libcrypt-openssl-dsa-perl
Binary: libcrypt-openssl-dsa-perl
Architecture: source amd64
Version: 0.13-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <d...@debian.org>
Description:
libcrypt-openssl-dsa-perl - module which implements the DSA signature
verification system
Closes: 511519
Changes:
libcrypt-openssl-dsa-perl (0.13-4) unstable; urgency=medium
.
* Medium urgency for fixing a security-related bug.
.
[ gregor herrmann ]
* Add debian/README.source to document quilt usage, as required by
Debian Policy since 3.8.0.
* debian/control: Changed: Switched Vcs-Browser field to ViewSVN
(source stanza).
.
[ Damyan Ivanov ]
* add security_croak-in-do_verify-too.patch making do_verify() croak on
error the same way verify() already does. Document that verify() and
do_verify() croak on errors.
Closes: #511519. Thanks to Kurt Roeckx
* add description to Makefile.PL--no-ssl-in-LIBS.patch
* add fix-manpage-errors.patch fixing missing =over/-back around =item's in
Crypt::OpenSSL::DSA::Signature's POD.
* Extend the long description a bit
* Standards-Version: 3.8.0 (no changes)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmGyvQACgkQHqjlqpcl9js7dwCgid0CME6ZeSXI2UIAthF6iJOY
R+AAnAxTqqwdi7fUaVwt+2kZNRUZUn9u
=qH/X
-----END PGP SIGNATURE-----
--- End Message ---
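The return-value problem from the report, as an added example (not code from the package or from OpenSSL): a three-way result of 1, 0 or -1 passes a "!= 0" check when it is -1, while a strict check or a wrapper that surfaces the error does not. `toy_verify`, the sample byte arrays and all other names here are hypothetical stand-ins that do no real cryptography.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a "known good" signature, a wrong one, and a
 * malformed one that does not even start with a DER SEQUENCE tag (0x30). */
static const unsigned char GOOD[]      = {0x30, 0x04, 0x01, 0x02, 0x03, 0x04};
static const unsigned char WRONG[]     = {0x30, 0x04, 0x01, 0x02, 0x03, 0x05};
static const unsigned char MALFORMED[] = {0xff, 0x04, 0x01, 0x02, 0x03, 0x04};

/* Hypothetical stand-in for a DSA_verify-style call; it only mimics the
 * three-way result: 1 = valid, 0 = invalid, -1 = error. No real crypto. */
static int toy_verify(const unsigned char *sig, size_t len)
{
    if (len == 0 || sig[0] != 0x30)
        return -1;                      /* could not process the input */
    if (len != sizeof GOOD || memcmp(sig, GOOD, len) != 0)
        return 0;                       /* processed, does not match */
    return 1;
}

/* Caller that reads "!= 0" as success, as the report warns. */
static int accept_nonzero(int rc) { return rc != 0; }

/* Caller that accepts only the documented success value. */
static int accept_strict(int rc) { return rc == 1; }

/* Wrapper-side handling: report an error as its own outcome (the C
 * analogue of croaking) so it never reaches the caller as a truthy -1. */
enum outcome { SIG_VALID, SIG_INVALID, SIG_ERROR };
static enum outcome checked_verify(const unsigned char *sig, size_t len)
{
    int rc = toy_verify(sig, len);
    if (rc < 0)
        return SIG_ERROR;
    return rc == 1 ? SIG_VALID : SIG_INVALID;
}

int main(void)
{
    int rc = toy_verify(MALFORMED, sizeof MALFORMED);
    printf("rc=%d nonzero-check accepts=%d strict-check accepts=%d\n",
           rc, accept_nonzero(rc), accept_strict(rc));
    printf("checked_verify: good=%d wrong=%d malformed=%d\n",
           checked_verify(GOOD, sizeof GOOD),
           checked_verify(WRONG, sizeof WRONG),
           checked_verify(MALFORMED, sizeof MALFORMED));
    return 0;
}
```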