Your message dated Tue, 21 Aug 2012 14:47:43 +0000
with message-id <e1t3pk7-0004gu...@franck.debian.org>
and subject line Bug#683927: fixed in libcloud 0.5.0-1.1
has caused the Debian Bug report #683927,
regarding CVE-2012-3446: MITM vulnerability in TLS/SSL certificates verification
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
683927: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683927
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libcloud
Severity: grave
Tags: security
Justification: user security hole

Hi,

A new libcloud was released, fixing a MITM vulnerability in the TLS/SSL
certificate verification. Basically, the hostname/CN check is done using
a wrong regular expression which will match even a superset of the
hostname.

See http://libcloud.apache.org/security.html and
https://github.com/apache/libcloud/commit/f2af5502dae3ac63e656dd1b7d5f29cc82ded401
and please upload an isolated fix to unstable, since we're in freeze.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
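
The class of bug described in the report above, as an added illustration that is not libcloud's code or the upstream patch: an unanchored regular-expression search accepts any hostname that merely contains the certificate name, while a full match does not. The function names and hostnames are constructed for this example.

```python
import re
from typing import Iterable, List


def _name_to_regex(cert_name: str) -> str:
    """Turn a certificate name such as '*.example.com' into regex source."""
    # Escape the name literally, then let '*' stand for part of ONE DNS label
    # (the character class deliberately excludes '.').
    return re.escape(cert_name).replace(r"\*", r"[0-9A-Za-z-]+")


def flawed_match(hostname: str, cert_names: Iterable[str]) -> bool:
    """Unanchored: search() succeeds if the name occurs anywhere in hostname."""
    return any(re.search(_name_to_regex(n), hostname, re.I) for n in cert_names)


def strict_match(hostname: str, cert_names: Iterable[str]) -> bool:
    """Anchored: the entire hostname must match the certificate name."""
    return any(re.fullmatch(_name_to_regex(n), hostname, re.I) for n in cert_names)


# Constructed sample data: (hostname the client dialled, names in the certificate).
CASES = [
    ("api.example.com", ["api.example.com"]),
    ("api.example.com.attacker.test", ["api.example.com"]),  # superset, suffix added
    ("notapi.example.com", ["api.example.com"]),             # superset, prefix added
    ("www.example.com", ["*.example.com"]),
    ("a.b.example.com", ["*.example.com"]),                  # wildcard spans two labels
]


def wrongly_accepted() -> List[str]:
    """Hostnames the unanchored check accepts but the anchored check rejects."""
    return [h for h, names in CASES
            if flawed_match(h, names) and not strict_match(h, names)]


if __name__ == "__main__":
    for host, names in CASES:
        print(f"{host:32} cert={names}  flawed={flawed_match(host, names)}"
              f"  strict={strict_match(host, names)}")
```

In current Python, `ssl.create_default_context()` turns on hostname checking in the TLS layer itself, so application code rarely needs its own matcher.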
--- Begin Message ---
Source: libcloud
Source-Version: 0.5.0-1.1

We believe that the bug you reported is fixed in the latest version of
libcloud, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated libcloud package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 19 Aug 2012 16:24:16 +0200
Source: libcloud
Binary: python-libcloud
Architecture: source all
Version: 0.5.0-1.1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Description: 
 python-libcloud - unified Python interface into the cloud
Closes: 683927
Changes: 
 libcloud (0.5.0-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * [SECURITY] Fix "CVE-2012-3446: MITM vulnerability in TLS/SSL certificates
     verification": add patch
     0001-Fix-hostname-validation-in-the-SSL-verification-code.patch
     taken from upstream git.
     (Closes: #683927)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
