Bug#541991: marked as done (CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability)

Debian Bug Tracking System Thu, 27 Aug 2009 12:07:12 -0700

Your message dated Thu, 27 Aug 2009 18:47:16 +0000
with message-id <e1mgk0c-00045z...@ries.debian.org>
and subject line Bug#541991: fixed in curl 7.19.5-1.1
has caused the Debian Bug report #541991,
regarding CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
541991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: curl
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for curl.

CVE-2009-2417[0]:
A vulnerability has been reported in cURL, which can be exploited by
malicious people to conduct spoofing attacks.

The vulnerability is caused due to an error when processing
certificate fields containing NULL ('\0') characters. This can be
exploited to e.g. conduct Man-in-the-Middle (MitM) attacks via
specially crafted certificates.

The vulnerability is reported in versions prior to 7.19.6.

Note: This only affects cURL versions with enabled OpenSSL support.


Upstream advisory:
http://curl.haxx.se/docs/adv_20090812.txt

Backported patches for various curl versions:
http://curl.haxx.se/CVE-2009-2417/

Upstream bug report:
http://curl.haxx.se/bug/view.cgi?id=2829955

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
    http://security-tracker.debian.net/tracker/CVE-2009-2417

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqJFdUACgkQNxpp46476aqVdQCgiWQZqdcHchwCtte8vJrz5zqS
mo8Ani2XAt4EZk1AhPC+0+JX+MbGVVty
=fEKN
-----END PGP SIGNATURE-----

--- End Message ---

--- Begin Message ---

Source: curl
Source-Version: 7.19.5-1.1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.19.5-1.1.diff.gz
  to pool/main/c/curl/curl_7.19.5-1.1.diff.gz
curl_7.19.5-1.1.dsc
  to pool/main/c/curl/curl_7.19.5-1.1.dsc
curl_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/curl_7.19.5-1.1_amd64.deb
libcurl3-dbg_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl3-dbg_7.19.5-1.1_amd64.deb
libcurl3-gnutls_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls_7.19.5-1.1_amd64.deb
libcurl3_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl3_7.19.5-1.1_amd64.deb
libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl4-openssl-dev_7.19.5-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 27 Aug 2009 20:10:51 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev 
libcurl3-dbg
Architecture: source amd64
Version: 7.19.5-1.1
Distribution: unstable
Urgency: high
Maintainer: Domenico Andreoli <ca...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl 
(OpenSSL)
Closes: 541991
Changes: 
 curl (7.19.5-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix possible mitm via injected null byte (CVE-2009-2417; Closes: #541991).
Checksums-Sha1: 
 5c8997da0b5bba91bfd0761d9f46a903683bb7b6 1419 curl_7.19.5-1.1.dsc
 52e60de2f2eec0e941cfdb7eefc75ce5d58ed6ff 87406 curl_7.19.5-1.1.diff.gz
 80fbc19281a6da44d5ac8d266df540d9d05900de 196140 curl_7.19.5-1.1_amd64.deb
 4d9236f75f37f483f6c5c236443da34fc8cac75f 222268 libcurl3_7.19.5-1.1_amd64.deb
 ca970ccc5d1bcd88c6f7d5ea6c723b3adda2ef0c 204120 
libcurl3-gnutls_7.19.5-1.1_amd64.deb
 897c8c5a07e652e355782c7867860d83912731a7 1000172 
libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
 4036383f66d90b33f816b5ffc458cf1020a136b6 977030 
libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
 bd9b03de14acdb5c8826fa5e63ca1067fd1af960 75860 
libcurl3-dbg_7.19.5-1.1_amd64.deb
Checksums-Sha256: 
 755ceffe58b371bb3ee689862b1a6149f6c3c21747b4ade952b7751483144450 1419 
curl_7.19.5-1.1.dsc
 a686d672b129a37b454c0228cb173f3286db0c214f1fb22ce68d220208ae540a 87406 
curl_7.19.5-1.1.diff.gz
 d4730d2cf0b9248a16a4c971041731cb2a50070423869d60c97866e10c4d710f 196140 
curl_7.19.5-1.1_amd64.deb
 1fff6f4f6a4e77b5640a21c1f0901df98a72a3bcff6797eb6f751cdb217493e5 222268 
libcurl3_7.19.5-1.1_amd64.deb
 2261ba204677f2ab9b6d833fe2e9c2f756aee916877f638943dad17a21797158 204120 
libcurl3-gnutls_7.19.5-1.1_amd64.deb
 86dde0448f86a12c7abd21296d609800730ae8c92a8d89d0e25b43d9cb6f72b0 1000172 
libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
 c28f3b7da7631f8f7347bb7e33691569d9d35ad9b74656892f008f1116578788 977030 
libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
 5784f3abe3c058e978fd9f217b8813ef67719a81759bb10e864d3df219ed9ea4 75860 
libcurl3-dbg_7.19.5-1.1_amd64.deb
Files: 
 5155a5ec2d1c39152d348c2321915d45 1419 web optional curl_7.19.5-1.1.dsc
 429794d635a801c74478978b027fb1e4 87406 web optional curl_7.19.5-1.1.diff.gz
 02f127932ebce206ee8d6edf0c6260f5 196140 web optional curl_7.19.5-1.1_amd64.deb
 115a2881d9963d6e4eb5db2d1b8e46ba 222268 libs optional 
libcurl3_7.19.5-1.1_amd64.deb
 e00eb15b2245e1c7f86092eb47ee73cc 204120 libs optional 
libcurl3-gnutls_7.19.5-1.1_amd64.deb
 dfdfb52caba8e69f14d6b4c986fcc26b 1000172 libdevel optional 
libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
 f09063f005edb3eb6222b3b9057a2843 977030 libdevel optional 
libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
 e9ad00d65ff689ffd910898e63e29d58 75860 debug extra 
libcurl3-dbg_7.19.5-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqW0n8ACgkQHYflSXNkfP9TcQCcDWb0AilIn1gmuC2QjFCpH5Hf
G14AmwW3f9+GJk0ZHEVTPXrAhSaAr4y4
=k8R1
-----END PGP SIGNATURE-----

--- End Message ---

Bug#541991: marked as done (CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability)

Reply via email to