Your message dated Fri, 04 Sep 2009 18:31:47 +0000
with message-id <e1mjdzb-00062v...@ries.debian.org>
and subject line Bug#541991: fixed in curl 7.18.2-8lenny3
has caused the Debian Bug report #541991,
regarding CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
541991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: curl
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for curl.

CVE-2009-2417[0]:
A vulnerability has been reported in cURL, which can be exploited by
malicious people to conduct spoofing attacks.

The vulnerability is caused due to an error when processing
certificate fields containing NULL ('\0') characters. This can be
exploited to e.g. conduct Man-in-the-Middle (MitM) attacks via
specially crafted certificates.

The vulnerability is reported in versions prior to 7.19.6.

Note: This only affects cURL versions with enabled OpenSSL support.


Upstream advisory:
http://curl.haxx.se/docs/adv_20090812.txt

Backported patches for various curl versions:
http://curl.haxx.se/CVE-2009-2417/

Upstream bug report:
http://curl.haxx.se/bug/view.cgi?id=2829955

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
    http://security-tracker.debian.net/tracker/CVE-2009-2417

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqJFdUACgkQNxpp46476aqVdQCgiWQZqdcHchwCtte8vJrz5zqS
mo8Ani2XAt4EZk1AhPC+0+JX+MbGVVty
=fEKN
-----END PGP SIGNATURE-----



--- End Message ---
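
Added illustration (not part of the bug report, and not curl's or OpenSSL's code) of the flaw class the report above describes: a certificate name field is a counted byte string, so a check that treats it as a C string stops at the first '\0'. The struct, function names and sample values are hypothetical and constructed for this example; matching is exact, with no wildcard or case handling.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical counted string: a name field as decoded (bytes plus length). */
struct name_field {
    const unsigned char *data;
    size_t len;
};

/* Flawed check: reads the field as a C string, so the comparison
 * ends at the first '\0' and ignores whatever follows it.
 * (Also assumes the buffer is NUL-terminated, which the samples are.) */
int naive_match(const struct name_field *f, const char *host)
{
    return strcmp((const char *)f->data, host) == 0;
}

/* Length-aware check: refuse any field containing an embedded NUL,
 * then compare exactly f->len bytes against the expected host name. */
int checked_match(const struct name_field *f, const char *host)
{
    if (memchr(f->data, '\0', f->len) != NULL)
        return 0;                 /* embedded NUL: treat the name as invalid */
    if (f->len != strlen(host))
        return 0;
    return memcmp(f->data, host, f->len) == 0;
}

/* Constructed sample fields (not taken from any real certificate). */
static const unsigned char benign_bytes[] = "shop.example";
static const unsigned char nul_bytes[]    = "shop.example\0.other.invalid";

const struct name_field benign_field = { benign_bytes, sizeof benign_bytes - 1 };
const struct name_field nul_field    = { nul_bytes,    sizeof nul_bytes - 1 };

int main(void)
{
    const char *host = "shop.example";
    printf("benign field: naive=%d checked=%d\n",
           naive_match(&benign_field, host), checked_match(&benign_field, host));
    printf("NUL field:    naive=%d checked=%d\n",
           naive_match(&nul_field, host), checked_match(&nul_field, host));
    return 0;
}
```
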
--- Begin Message ---
Source: curl
Source-Version: 7.18.2-8lenny3

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.18.2-8lenny3.diff.gz
  to pool/main/c/curl/curl_7.18.2-8lenny3.diff.gz
curl_7.18.2-8lenny3.dsc
  to pool/main/c/curl/curl_7.18.2-8lenny3.dsc
curl_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/curl_7.18.2-8lenny3_amd64.deb
libcurl3-dbg_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_amd64.deb
libcurl3-gnutls_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_amd64.deb
libcurl3_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl3_7.18.2-8lenny3_amd64.deb
libcurl4-gnutls-dev_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_amd64.deb
libcurl4-openssl-dev_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 18 Aug 2009 00:57:34 +0000
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.18.2-8lenny3
Distribution: stable-security
Urgency: high
Maintainer: Domenico Andreoli <ca...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 541991
Changes: 
 curl (7.18.2-8lenny3) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix possible mitm attack via injected null bytes in the
     certificate (CVE-2009-2417; Closes: #541991).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqKANkACgkQHYflSXNkfP9X8wCfamQpUL7bij1GojAnK9kfnbn3
t/kAn3eHpIj16j5AspUIuvQqrtnyewDV
=mwux
-----END PGP SIGNATURE-----



--- End Message ---
