Your message dated Sat, 10 Oct 2009 13:58:25 +0000
with message-id <e1mwcsn-0005zt...@ries.debian.org>
and subject line Bug#549293: fixed in wget 1.11.4-2+lenny1
has caused the Debian Bug report #549293,
regarding CVE-2009-3490: does not properly handle a '\0' character in a domain
name in the Common Name field of an X.509 certificate
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
549293: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549293
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wget
Version: 1.11.4-4
Severity: grave
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wget.
CVE-2009-3490[0]:
| GNU Wget before 1.12 does not properly handle a '\0' character in a
| domain name in the Common Name field of an X.509 certificate, which
| allows man-in-the-middle remote attackers to spoof arbitrary SSL
| servers via a crafted certificate issued by a legitimate Certification
| Authority, a related issue to CVE-2009-2408.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3490
http://security-tracker.debian.net/tracker/CVE-2009-3490
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrFrkwACgkQNxpp46476aqi+gCePfmrLdxhk/yebah+M5rMO0uC
P3oAn3EA9CZ+IdC2g0Da3eIlIKLEtT8Q
=346W
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: wget
Source-Version: 1.11.4-2+lenny1
We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:
wget_1.11.4-2+lenny1.diff.gz
to pool/main/w/wget/wget_1.11.4-2+lenny1.diff.gz
wget_1.11.4-2+lenny1.dsc
to pool/main/w/wget/wget_1.11.4-2+lenny1.dsc
wget_1.11.4-2+lenny1_i386.deb
to pool/main/w/wget/wget_1.11.4-2+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 549...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated wget package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 08 Oct 2009 14:33:55 +0200
Source: wget
Binary: wget
Architecture: source i386
Version: 1.11.4-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Noèl Köthe <n...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
wget - retrieves files from the web
Closes: 549293
Changes:
wget (1.11.4-2+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2009-3490: Fixed incorrect verification of SSL certificate with NUL in
name (Closes: #549293)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrN4yEACgkQNxpp46476ar4qwCgkjjtU08RuHIRa8kDwSznygyR
IbUAoIixahEgLUe/PZt7txmkm2F1m54r
=AP9Q
-----END PGP SIGNATURE-----
--- End Message ---
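
The flaw named in the CVE description and in the changelog entry above, shown as an added example that is not wget's code or the Debian patch: a Common Name compared as a C string stops at the first NUL, while a check against the ASN.1 length rejects it. The struct, function names and host names are assumptions constructed for illustration, and only exact-match comparison is shown (no wildcards).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Common Name as stored in the certificate: an ASN.1 string with an
   explicit length, which may contain embedded NUL bytes. */
struct cn_field {
    const char *data;
    size_t len;          /* length from the ASN.1 encoding */
};

/* Constructed sample data (not taken from the bug report). */
static const char CRAFTED[] = "www.example.com\0.example.net";
static const char CLEAN[]   = "www.example.com";
const struct cn_field crafted_cn = { CRAFTED, sizeof CRAFTED - 1 };
const struct cn_field clean_cn   = { CLEAN,   sizeof CLEAN - 1 };

/* Case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed: treats the CN as a C string, so everything after the first
   NUL is ignored and the crafted CN appears to match the host. */
int cn_matches_naive(const struct cn_field *cn, const char *host)
{
    size_t n = strlen(cn->data);
    return n == strlen(host) && eq_nocase(cn->data, host, n);
}

/* Hardened: reject a CN containing NUL, then compare the full encoded
   length against the host name. */
int cn_matches_checked(const struct cn_field *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && eq_nocase(cn->data, host, cn->len);
}

int main(void)
{
    printf("naive, crafted CN:   %d\n", cn_matches_naive(&crafted_cn, "www.example.com"));
    printf("checked, crafted CN: %d\n", cn_matches_checked(&crafted_cn, "www.example.com"));
    printf("checked, clean CN:   %d\n", cn_matches_checked(&clean_cn, "www.example.com"));
    return 0;
}
```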