Your message dated Mon, 07 Nov 2005 02:02:09 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#336751: fixed in openvpn 2.0.5-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 1 Nov 2005 09:09:32 +0000
>From [EMAIL PROTECTED] Tue Nov 01 01:09:30 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de)
[193.22.164.111]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1EWs94-0005TB-00; Tue, 01 Nov 2005 01:09:30 -0800
Received: from wlan-client-003.informatik.uni-bremen.de ([134.102.116.4]
helo=localhost.localdomain)
by vserver151.vserver151.serverflex.de with esmtpsa
(TLS-1.0:RSA_AES_256_CBC_SHA:32)
(Exim 4.50)
id 1EWs91-0001G5-Jm
for [EMAIL PROTECTED]; Tue, 01 Nov 2005 10:09:27 +0100
Received: from jmm by localhost.localdomain with local (Exim 4.54)
id 1EWs8y-0001VU-2J; Tue, 01 Nov 2005 10:09:24 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: openvpn: Format string vulnerability in config parsing code
X-Mailer: reportbug 3.17
Date: Tue, 01 Nov 2005 10:09:23 +0100
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 134.102.116.4
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
Package: openvpn
Severity: grave
Tags: security
Justification: user security hole
A format string vulnerability has been found in openvpn's option parsing
code, which indirectly may be exploited remotely as well. Please see
http://cert.uni-stuttgart.de/archive/bugtraq/2005/10/msg00393.html
for more information.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
---------------------------------------
Received: (at 336751-close) by bugs.debian.org; 7 Nov 2005 10:07:02 +0000
>From [EMAIL PROTECTED] Mon Nov 07 02:07:02 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EZ3pJ-0007U7-00; Mon, 07 Nov 2005 02:02:09 -0800
From: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#336751: fixed in openvpn 2.0.5-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 07 Nov 2005 02:02:09 -0800
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: openvpn
Source-Version: 2.0.5-1
We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive:
openvpn_2.0.5-1.diff.gz
to pool/main/o/openvpn/openvpn_2.0.5-1.diff.gz
openvpn_2.0.5-1.dsc
to pool/main/o/openvpn/openvpn_2.0.5-1.dsc
openvpn_2.0.5-1_i386.deb
to pool/main/o/openvpn/openvpn_2.0.5-1_i386.deb
openvpn_2.0.5.orig.tar.gz
to pool/main/o/openvpn/openvpn_2.0.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> (supplier of updated openvpn
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 7 Nov 2005 10:13:55 +0100
Source: openvpn
Binary: openvpn
Architecture: source i386
Version: 2.0.5-1
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Changed-By: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Description:
openvpn - Virtual Private Network daemon
Closes: 336751 337334
Changes:
openvpn (2.0.5-1) unstable; urgency=high
.
* New upstream release. Urgency high due to security issues.
- DoS vulnerability on the server in TCP mode.
(CVE-2005-3409) (Closes: #337334)
- Format string vulnerability in the foreign_option
function in options.c could potentially allow a malicious
or compromised server to execute arbitrary code on the
client. (CVE-2005-3393) (Closes: #336751)
Files:
04f23b07dcce1188a10c0232746f7ec4 623 net optional openvpn_2.0.5-1.dsc
4bd7a42991c93db23842a0992debe53b 662647 net optional openvpn_2.0.5.orig.tar.gz
3e0467bc6ce587a7a69000b97e418fb9 58027 net optional openvpn_2.0.5-1.diff.gz
2503099ce556ad0be7eb17cfdd580c35 320368 net optional openvpn_2.0.5-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDbyFCxRSvjkukAcMRAp+4AKC2Y1ozf7jzCiUrTHB+myyssklN+ACgqdw9
+e7R2/9Ib7HDIW8MCQQgIto=
=lLRy
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
