Your message dated Tue, 06 Oct 2009 20:19:19 +0000
with message-id <e1mvgvd-0002to...@ries.debian.org>
and subject line Bug#549293: fixed in wget 1.12-1
has caused the Debian Bug report #549293,
regarding CVE-2009-3490: does not properly handle a '\0' character in a domain 
name in the Common Name field of an X.509 certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
549293: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549293
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wget
Version: 1.11.4-4
Severity: grave
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wget.

CVE-2009-3490[0]:
| GNU Wget before 1.12 does not properly handle a '\0' character in a
| domain name in the Common Name field of an X.509 certificate, which
| allows man-in-the-middle remote attackers to spoof arbitrary SSL
| servers via a crafted certificate issued by a legitimate Certification
| Authority, a related issue to CVE-2009-2408.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3490
    http://security-tracker.debian.net/tracker/CVE-2009-3490


--- End Message ---
--- Begin Message ---
Source: wget
Source-Version: 1.12-1

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:

wget_1.12-1.diff.gz
  to pool/main/w/wget/wget_1.12-1.diff.gz
wget_1.12-1.dsc
  to pool/main/w/wget/wget_1.12-1.dsc
wget_1.12-1_amd64.deb
  to pool/main/w/wget/wget_1.12-1_amd64.deb
wget_1.12.orig.tar.gz
  to pool/main/w/wget/wget_1.12.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 549...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noèl Köthe <n...@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Tue, 06 Oct 2009 21:00:30 +0200
Source: wget
Binary: wget
Architecture: source amd64
Version: 1.12-1
Distribution: unstable
Urgency: low
Maintainer: Noèl Köthe <n...@debian.org>
Changed-By: Noèl Köthe <n...@debian.org>
Description: 
 wget       - retrieves files from the web
Closes: 250670 288716 338326 405127 481064 528642 549293
Changes: 
 wget (1.12-1) unstable; urgency=low
 .
   * new upstream release from 2009-09-22
     - fix CVE-2009-3490 "does not properly handle a '\0' character in a
       domain name in the Common Name field of an X.509 certificate"
       closes: Bug#549293
     - updated config.{guess,sub} closes: Bug#528642
     - remove IPv4 precedence from wget closes: Bug#481064
     - support for IDN/IRI domains closes: Bug#405127
     - fix output of non-verbose spider mode closes: Bug#338326
     - fix --delete-after leaves robots.txt lying around
       closes: Bug#288716
     - fix misleading error message when using -O -
       closes: Bug#250670
   * debian/control updated Standards-Version to 3.8.3, no changes
--- End Message ---
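
Added example, not part of the messages above and not wget's code or its 1.12 fix: the CVE-2009-3490 description turns on the difference between a Common Name's decoded length and its length as a C string, shown here with a flawed comparison beside a checked one. The struct, function names and sample values are hypothetical and constructed for illustration; wildcard matching is left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type: a CN as decoded from the certificate. ASN.1 strings
   carry an explicit length and may hold any byte, 0x00 included. */
struct cn_value { const unsigned char *data; size_t len; };

/* Constructed samples; the literals add a terminator that is not counted. */
static const unsigned char CN_PLAIN[] = "www.example.com";
static const unsigned char CN_NUL[]   = "www.example.com\0.other.example";
const struct cn_value SAMPLE_PLAIN = { CN_PLAIN, sizeof CN_PLAIN - 1 };
const struct cn_value SAMPLE_NUL   = { CN_NUL,   sizeof CN_NUL - 1 };

/* ASCII case-insensitive comparison of exactly n bytes. */
static int ieq_n(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: the CN is handled as a C string, so its length is
   measured only up to the first NUL and the remaining bytes are ignored. */
int cn_matches_naive(const struct cn_value *cn, const char *host)
{
    size_t seen = strlen((const char *)cn->data);
    return seen == strlen(host) && ieq_n(cn->data, host, seen);
}

/* Checked pattern: compare over the decoded length and refuse any CN
   that contains a NUL byte, since no valid host name does. */
int cn_matches_checked(const struct cn_value *cn, const char *host)
{
    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && ieq_n(cn->data, host, cn->len);
}

int main(void)
{
    const char *host = "www.example.com";
    printf("plain CN:  naive=%d checked=%d\n",
           cn_matches_naive(&SAMPLE_PLAIN, host), cn_matches_checked(&SAMPLE_PLAIN, host));
    printf("NUL in CN: naive=%d checked=%d\n",
           cn_matches_naive(&SAMPLE_NUL, host), cn_matches_checked(&SAMPLE_NUL, host));
    return 0;
}
```

The same length-versus-strlen comparison works as an audit check over stored certificates: any CN or subjectAltName entry where the two lengths differ deserves rejection and a log entry.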
