Your message dated Thu, 27 Aug 2009 18:47:16 +0000
with message-id <e1mgk0c-00045z...@ries.debian.org>
and subject line Bug#541991: fixed in curl 7.19.5-1.1
has caused the Debian Bug report #541991,
regarding CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
541991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: curl
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for curl.
CVE-2009-2417[0]:
A vulnerability has been reported in cURL, which can be exploited by
malicious people to conduct spoofing attacks.
The vulnerability is caused due to an error when processing
certificate fields containing NULL ('\0') characters. This can be
exploited to e.g. conduct Man-in-the-Middle (MitM) attacks via
specially crafted certificates.
The vulnerability is reported in versions prior to 7.19.6.
Note: This only affects cURL versions with enabled OpenSSL support.
Upstream advisory:
http://curl.haxx.se/docs/adv_20090812.txt
Backported patches for various curl versions:
http://curl.haxx.se/CVE-2009-2417/
Upstream bug report:
http://curl.haxx.se/bug/view.cgi?id=2829955
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
http://security-tracker.debian.net/tracker/CVE-2009-2417
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqJFdUACgkQNxpp46476aqVdQCgiWQZqdcHchwCtte8vJrz5zqS
mo8Ani2XAt4EZk1AhPC+0+JX+MbGVVty
=fEKN
-----END PGP SIGNATURE-----
--- End Message ---
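The advisory text above describes the failure mode but not the mechanics, so here is an added example (written for this page, not curl's own code and not the backported patch the changelog refers to). A DER string in an X.509 certificate carries an explicit length and may legally contain 0x00 bytes; if the verifier copies it into a NUL-terminated buffer and compares it as a C string, everything after the first embedded NUL is ignored, so a CN of "www.example.com\0.attacker.example" matches the host "www.example.com". The hardened function rejects any name whose declared length disagrees with its C-string length and compares over the full length. The hostnames are constructed sample input; attacker.example is a placeholder.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lower-case a byte for ASCII-only hostname comparison. */
static int lc(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* Vulnerable pattern: the length-prefixed DER string is copied into a
 * NUL-terminated buffer and compared as a C string. Everything after the
 * first embedded NUL is silently ignored. Returns 1 on match, 0 otherwise. */
int match_hostname_vulnerable(const unsigned char *name, size_t name_len,
                              const char *host)
{
    char buf[256];
    size_t i;

    if (name_len >= sizeof buf)
        return 0;
    memcpy(buf, name, name_len);
    buf[name_len] = '\0';              /* the truncation point: buf "ends" at the first 0x00 */

    for (i = 0; buf[i] != '\0' && host[i] != '\0'; i++)
        if (lc((unsigned char)buf[i]) != lc((unsigned char)host[i]))
            return 0;
    return buf[i] == '\0' && host[i] == '\0';
}

/* Hardened pattern: a name containing an embedded NUL is rejected outright
 * (equivalent to checking that strlen() of the copied string equals the
 * declared DER length); the comparison then runs over the full declared
 * length and never over a NUL-terminated copy. */
int match_hostname_fixed(const unsigned char *name, size_t name_len,
                         const char *host)
{
    size_t i;

    if (memchr(name, '\0', name_len) != NULL)
        return 0;                      /* embedded NUL: treat as a spoofing attempt */
    if (name_len != strlen(host))
        return 0;
    for (i = 0; i < name_len; i++)
        if (lc(name[i]) != lc((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample CN values; sizeof - 1 drops the literal's own
     * trailing NUL so the embedded one is the only 0x00 in the DER data. */
    static const unsigned char spoofed[] = "www.example.com\0.attacker.example";
    static const unsigned char honest[]  = "www.example.com";
    const char *host = "www.example.com";

    printf("spoofed CN, vulnerable check: %d\n",
           match_hostname_vulnerable(spoofed, sizeof spoofed - 1, host));
    printf("spoofed CN, fixed check:      %d\n",
           match_hostname_fixed(spoofed, sizeof spoofed - 1, host));
    printf("honest CN,  fixed check:      %d\n",
           match_hostname_fixed(honest, sizeof honest - 1, host));
    return 0;
}
```

The same check has to be applied to every name the verifier consults, including each dNSName in subjectAltName, not only the subject CN; a build that uses GnuTLS or another backend does its own name matching, which is why the advisory scopes the bug to OpenSSL-enabled builds.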
--- Begin Message ---
Source: curl
Source-Version: 7.19.5-1.1
We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:
curl_7.19.5-1.1.diff.gz
to pool/main/c/curl/curl_7.19.5-1.1.diff.gz
curl_7.19.5-1.1.dsc
to pool/main/c/curl/curl_7.19.5-1.1.dsc
curl_7.19.5-1.1_amd64.deb
to pool/main/c/curl/curl_7.19.5-1.1_amd64.deb
libcurl3-dbg_7.19.5-1.1_amd64.deb
to pool/main/c/curl/libcurl3-dbg_7.19.5-1.1_amd64.deb
libcurl3-gnutls_7.19.5-1.1_amd64.deb
to pool/main/c/curl/libcurl3-gnutls_7.19.5-1.1_amd64.deb
libcurl3_7.19.5-1.1_amd64.deb
to pool/main/c/curl/libcurl3_7.19.5-1.1_amd64.deb
libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
to pool/main/c/curl/libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
to pool/main/c/curl/libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 541...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated curl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 27 Aug 2009 20:10:51 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.19.5-1.1
Distribution: unstable
Urgency: high
Maintainer: Domenico Andreoli <ca...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description:
curl - Get a file from an HTTP, HTTPS or FTP server
libcurl3 - Multi-protocol file transfer library (OpenSSL)
libcurl3-dbg - libcurl compiled with debug symbols
libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 541991
Changes:
curl (7.19.5-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix possible mitm via injected null byte (CVE-2009-2417; Closes: #541991).
Checksums-Sha1:
5c8997da0b5bba91bfd0761d9f46a903683bb7b6 1419 curl_7.19.5-1.1.dsc
52e60de2f2eec0e941cfdb7eefc75ce5d58ed6ff 87406 curl_7.19.5-1.1.diff.gz
80fbc19281a6da44d5ac8d266df540d9d05900de 196140 curl_7.19.5-1.1_amd64.deb
4d9236f75f37f483f6c5c236443da34fc8cac75f 222268 libcurl3_7.19.5-1.1_amd64.deb
ca970ccc5d1bcd88c6f7d5ea6c723b3adda2ef0c 204120 libcurl3-gnutls_7.19.5-1.1_amd64.deb
897c8c5a07e652e355782c7867860d83912731a7 1000172 libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
4036383f66d90b33f816b5ffc458cf1020a136b6 977030 libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
bd9b03de14acdb5c8826fa5e63ca1067fd1af960 75860 libcurl3-dbg_7.19.5-1.1_amd64.deb
Checksums-Sha256:
755ceffe58b371bb3ee689862b1a6149f6c3c21747b4ade952b7751483144450 1419 curl_7.19.5-1.1.dsc
a686d672b129a37b454c0228cb173f3286db0c214f1fb22ce68d220208ae540a 87406 curl_7.19.5-1.1.diff.gz
d4730d2cf0b9248a16a4c971041731cb2a50070423869d60c97866e10c4d710f 196140 curl_7.19.5-1.1_amd64.deb
1fff6f4f6a4e77b5640a21c1f0901df98a72a3bcff6797eb6f751cdb217493e5 222268 libcurl3_7.19.5-1.1_amd64.deb
2261ba204677f2ab9b6d833fe2e9c2f756aee916877f638943dad17a21797158 204120 libcurl3-gnutls_7.19.5-1.1_amd64.deb
86dde0448f86a12c7abd21296d609800730ae8c92a8d89d0e25b43d9cb6f72b0 1000172 libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
c28f3b7da7631f8f7347bb7e33691569d9d35ad9b74656892f008f1116578788 977030 libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
5784f3abe3c058e978fd9f217b8813ef67719a81759bb10e864d3df219ed9ea4 75860 libcurl3-dbg_7.19.5-1.1_amd64.deb
Files:
5155a5ec2d1c39152d348c2321915d45 1419 web optional curl_7.19.5-1.1.dsc
429794d635a801c74478978b027fb1e4 87406 web optional curl_7.19.5-1.1.diff.gz
02f127932ebce206ee8d6edf0c6260f5 196140 web optional curl_7.19.5-1.1_amd64.deb
115a2881d9963d6e4eb5db2d1b8e46ba 222268 libs optional libcurl3_7.19.5-1.1_amd64.deb
e00eb15b2245e1c7f86092eb47ee73cc 204120 libs optional libcurl3-gnutls_7.19.5-1.1_amd64.deb
dfdfb52caba8e69f14d6b4c986fcc26b 1000172 libdevel optional libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
f09063f005edb3eb6222b3b9057a2843 977030 libdevel optional libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
e9ad00d65ff689ffd910898e63e29d58 75860 debug extra libcurl3-dbg_7.19.5-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqW0n8ACgkQHYflSXNkfP9TcQCcDWb0AilIn1gmuC2QjFCpH5Hf
G14AmwW3f9+GJk0ZHEVTPXrAhSaAr4y4
=k8R1
-----END PGP SIGNATURE-----
--- End Message ---