Your message dated Mon, 19 Oct 2009 01:58:06 +0000
with message-id <e1mzhve-0007v7...@ries.debian.org>
and subject line Bug#549293: fixed in wget 1.10.2-2+etch1
has caused the Debian Bug report #549293,
regarding CVE-2009-3490: does not properly handle a '\0' character in a domain
name in the Common Name field of an X.509 certificate
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
549293: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549293
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wget
Version: 1.11.4-4
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wget.
CVE-2009-3490[0]:
| GNU Wget before 1.12 does not properly handle a '\0' character in a
| domain name in the Common Name field of an X.509 certificate, which
| allows man-in-the-middle remote attackers to spoof arbitrary SSL
| servers via a crafted certificate issued by a legitimate Certification
| Authority, a related issue to CVE-2009-2408.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3490
http://security-tracker.debian.net/tracker/CVE-2009-3490
--- End Message ---
--- Begin Message ---
Source: wget
Source-Version: 1.10.2-2+etch1
We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:
wget_1.10.2-2+etch1.diff.gz
to pool/main/w/wget/wget_1.10.2-2+etch1.diff.gz
wget_1.10.2-2+etch1.dsc
to pool/main/w/wget/wget_1.10.2-2+etch1.dsc
wget_1.10.2-2+etch1_i386.deb
to pool/main/w/wget/wget_1.10.2-2+etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 549...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated wget package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.7
Date: Thu, 08 Oct 2009 13:44:36 +0200
Source: wget
Binary: wget
Architecture: source i386
Version: 1.10.2-2+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Noèl Köthe <n...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
wget - retrieves files from the web
Closes: 549293
Changes:
wget (1.10.2-2+etch1) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2009-3490: Fixed incorrect verification of SSL certificate with NUL in
name (Closes: #549293)
Files:
8e9e518014d108e22e446d575e9e1168 630 web important wget_1.10.2-2+etch1.dsc
795fefbb7099f93e2d346b026785c4b8 1213056 web important wget_1.10.2.orig.tar.gz
116250977db43cb1981600c9722b7faa 17947 web important wget_1.10.2-2+etch1.diff.gz
3dc181c1b15d6ed6bdbd7444eb6881fe 612200 web important wget_1.10.2-2+etch1_i386.deb
--- End Message ---
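Added example, not part of the original messages and not wget's own code: a comparison of the flawed pattern the CVE text describes (treating the Common Name as a C string) with a length-aware check. The function names, the sample CN bytes and both host names are assumptions constructed for illustration; only exact-match names are handled, not wildcards.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: CN bytes as stored in a certificate, with an embedded
   NUL. Both host names are placeholders, not values from the bug report. */
static const char SAMPLE_CN[] = "www.example.com\0.attacker.test";
#define SAMPLE_CN_LEN (sizeof SAMPLE_CN - 1)  /* full length, NUL included */

/* Flawed pattern: the CN is handled as a C string, so the comparison stops
   at the first NUL and the rest of the name is never looked at. */
int naive_cn_match(const char *cn, const char *host)
{
    return strcasecmp(cn, host) == 0;
}

/* Hardened pattern: the caller supplies the length recorded in the
   certificate. Any NUL inside that length rejects the name outright;
   otherwise the whole CN must equal the host, ignoring case. */
int checked_cn_match(const char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                       /* embedded NUL: refuse */
    return cn_len == strlen(host) && strncasecmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";   /* host the client asked for */

    printf("naive   accepts: %d\n", naive_cn_match(SAMPLE_CN, host));
    printf("checked accepts: %d\n",
           checked_cn_match(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("checked accepts clean CN: %d\n",
           checked_cn_match(host, strlen(host), host));
    return 0;
}
```

With a TLS library, the length passed to the checked function has to come from the certificate's own length field for the name, never from strlen() on the extracted string.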