Your message dated Tue, 25 Aug 2009 02:08:15 +0000
with message-id <e1mflsj-0008qm...@ries.debian.org>
and subject line Bug#541991: fixed in curl 7.15.5-1etch3
has caused the Debian Bug report #541991,
regarding CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
541991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: curl
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for curl.
CVE-2009-2417[0]:
A vulnerability has been reported in cURL, which can be exploited by
malicious people to conduct spoofing attacks.
The vulnerability is caused by an error when processing
certificate fields containing NULL ('\0') characters. This can be
exploited to e.g. conduct Man-in-the-Middle (MitM) attacks via
specially crafted certificates.
The vulnerability is reported in versions prior to 7.19.6.
Note: This only affects cURL versions with enabled OpenSSL support.
Upstream advisory:
http://curl.haxx.se/docs/adv_20090812.txt
Backported patches for various curl versions:
http://curl.haxx.se/CVE-2009-2417/
Upstream bug report:
http://curl.haxx.se/bug/view.cgi?id=2829955
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
http://security-tracker.debian.net/tracker/CVE-2009-2417
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqJFdUACgkQNxpp46476aqVdQCgiWQZqdcHchwCtte8vJrz5zqS
mo8Ani2XAt4EZk1AhPC+0+JX+MbGVVty
=fEKN
-----END PGP SIGNATURE-----
--- End Message ---
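An illustration of the pattern the advisory describes, added here as example code (not curl's own code and not part of the original report): a certificate name field arrives as bytes plus a declared length, and the same crafted field is checked once as a C string and once against that length. `struct cert_name`, `match_host_naive`, `match_host_checked` and the sample name are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical name field as an X.509 parser hands it over:
 * a byte buffer plus an explicit length, not NUL-terminated by contract. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable pattern: the field is treated as a C string, so the compare
 * stops at the first NUL byte and everything after it is ignored. */
bool match_host_naive(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: an embedded NUL means the declared length and the
 * C-string view disagree, so reject; otherwise compare the full length. */
bool match_host_checked(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;
    size_t hlen = strlen(host);
    return cn->len == hlen && memcmp(cn->data, host, hlen) == 0;
}

/* Constructed sample: "www.example.com", a NUL byte, then ".example.net",
 * the shape of field the advisory warns about. */
static const unsigned char crafted_cn[] = "www.example.com\0.example.net";

struct cert_name crafted_name(void)
{
    struct cert_name n = { crafted_cn, sizeof(crafted_cn) - 1 };
    return n;
}

int main(void)
{
    struct cert_name n = crafted_name();
    printf("naive:   %s\n", match_host_naive(&n, "www.example.com") ? "match" : "reject");
    printf("checked: %s\n", match_host_checked(&n, "www.example.com") ? "match" : "reject");
    return 0;
}
```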
--- Begin Message ---
Source: curl
Source-Version: 7.15.5-1etch3
We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:
curl_7.15.5-1etch3.diff.gz
to pool/main/c/curl/curl_7.15.5-1etch3.diff.gz
curl_7.15.5-1etch3.dsc
to pool/main/c/curl/curl_7.15.5-1etch3.dsc
curl_7.15.5-1etch3_amd64.deb
to pool/main/c/curl/curl_7.15.5-1etch3_amd64.deb
libcurl3-dbg_7.15.5-1etch3_amd64.deb
to pool/main/c/curl/libcurl3-dbg_7.15.5-1etch3_amd64.deb
libcurl3-dev_7.15.5-1etch3_all.deb
to pool/main/c/curl/libcurl3-dev_7.15.5-1etch3_all.deb
libcurl3-gnutls-dev_7.15.5-1etch3_amd64.deb
to pool/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_amd64.deb
libcurl3-gnutls_7.15.5-1etch3_amd64.deb
to pool/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_amd64.deb
libcurl3-openssl-dev_7.15.5-1etch3_amd64.deb
to pool/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_amd64.deb
libcurl3_7.15.5-1etch3_amd64.deb
to pool/main/c/curl/libcurl3_7.15.5-1etch3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 541...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated curl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 18 Aug 2009 00:55:12 +0000
Source: curl
Binary: libcurl3-dbg libcurl3 libcurl3-dev libcurl3-gnutls-dev libcurl3-openssl-dev libcurl3-gnutls curl
Architecture: source amd64 all
Version: 7.15.5-1etch3
Distribution: oldstable-security
Urgency: high
Maintainer: Domenico Andreoli <ca...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description:
curl - Get a file from an HTTP, HTTPS, FTP or GOPHER server
libcurl3 - Multi-protocol file transfer library
libcurl3-dbg - libcurl compiled with debug symbols
libcurl3-dev - Transitional package to libcurl3-openssl-dev
libcurl3-gnutls - Multi-protocol file transfer library
libcurl3-gnutls-dev - Development files and documentation for libcurl
libcurl3-openssl-dev - Development files and documentation for libcurl
Closes: 541991
Changes:
curl (7.15.5-1etch3) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Fix possible mitm via injected null byte (CVE-2009-2417; Closes: #541991).
Files:
4f03313c10cd1ec65210f1100a131e9f 956 web optional curl_7.15.5-1etch3.dsc
22dce2fb112906acd2e76df82944f142 20848 web optional curl_7.15.5-1etch3.diff.gz
1c79712071486c997e73fd35a4eb0336 163976 web optional curl_7.15.5-1etch3_amd64.deb
eadeb465edb9926433190a908690b826 171372 libs optional libcurl3_7.15.5-1etch3_amd64.deb
13e4041382c7e0020ce5b8899aea849e 165714 libs optional libcurl3-gnutls_7.15.5-1etch3_amd64.deb
e153b2bd7dce8074f567ed33e1ef216c 778648 libdevel optional libcurl3-openssl-dev_7.15.5-1etch3_amd64.deb
09f1f1c8c5bf1131f283489eb19bea86 771278 libdevel optional libcurl3-gnutls-dev_7.15.5-1etch3_amd64.deb
7619264c8f7e53dc59a7e69230c676b5 22324 libdevel optional libcurl3-dev_7.15.5-1etch3_all.deb
3492a7bd3567e3e67aff98be386f3a7a 824510 libdevel extra libcurl3-dbg_7.15.5-1etch3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqKAKgACgkQHYflSXNkfP85/ACfXLrLN2kHwTB02xM5r2Veuk0w
tPQAni+qtWOH7f5SDhskWWbi4JRg8JH1
=eEwc
-----END PGP SIGNATURE-----
--- End Message ---