Your message dated Mon, 08 Jun 2009 17:47:15 +0000
with message-id <e1mdiwf-00072c...@ries.debian.org>
and subject line Bug#532037: fixed in openssl 0.9.8k-2
has caused the Debian Bug report #532037,
regarding CVE-2009-138{6,7}: Two OpenSSL DTLS remote DoS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
532037: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532037
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openssl
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openssl.
CVE-2009-1386[0]:
| ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
| a denial of service (NULL pointer dereference and daemon crash) via a
| DTLS ChangeCipherSpec packet that occurs before ClientHello.
CVE-2009-1387[1]:
| The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
| OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
| of service (NULL pointer dereference and daemon crash) via an
| out-of-sequence DTLS handshake message, related to a "fragment bug."
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
http://security-tracker.debian.net/tracker/CVE-2009-1386
http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17369
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
http://security-tracker.debian.net/tracker/CVE-2009-1387
http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17958
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 0.9.8k-2
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto0.9.8-udeb_0.9.8k-2_amd64.udeb
to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-2_amd64.udeb
libssl-dev_0.9.8k-2_amd64.deb
to pool/main/o/openssl/libssl-dev_0.9.8k-2_amd64.deb
libssl0.9.8-dbg_0.9.8k-2_amd64.deb
to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-2_amd64.deb
libssl0.9.8_0.9.8k-2_amd64.deb
to pool/main/o/openssl/libssl0.9.8_0.9.8k-2_amd64.deb
openssl_0.9.8k-2.diff.gz
to pool/main/o/openssl/openssl_0.9.8k-2.diff.gz
openssl_0.9.8k-2.dsc
to pool/main/o/openssl/openssl_0.9.8k-2.dsc
openssl_0.9.8k-2_amd64.deb
to pool/main/o/openssl/openssl_0.9.8k-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 532...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 08 Jun 2009 19:05:56 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8k-2
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description:
libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.8 - SSL shared libraries
libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 532037 532336
Changes:
openssl (0.9.8k-2) unstable; urgency=low
.
* Move libssl0.9.8-dbg to the debug section.
* Use the rc4 assembler on kfreebsd-amd64 (Closes: #532336)
* Split the line to generate md5-x86_64.s in the Makefile. This will
hopefully fix the build issue on kfreebsd that now outputs the file
to stdout instead of the file.
* Fix denial of service via an out-of-sequence DTLS handshake message
(CVE-2009-1387) (Closes: #532037)
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---