Your message dated Sat, 20 Sep 2014 13:54:34 +0000
with message-id <e1xvl7s-0004gt...@franck.debian.org>
and subject line Bug#761940: fixed in nginx 1.2.1-2.2+wheezy3
has caused the Debian Bug report #761940,
regarding nginx:CVE-2014-3616: possible to reuse cached SSL sessions in
unrelated contexts
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
761940: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761940
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nginx
Version: 0.7.67-3
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for nginx.
CVE-2014-3616[0]:
reuse cached SSL sessions in unrelated contexts
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-3616
[1] http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nginx
Source-Version: 1.2.1-2.2+wheezy3
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 761...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christos Trochalakis <yati...@ideopolis.gr> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 Sep 2014 15:25:04 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light
nginx-light-dbg nginx-extras nginx-extras-dbg nginx-naxsi nginx-naxsi-dbg
nginx-naxsi-ui
Architecture: source all amd64
Version: 1.2.1-2.2+wheezy3
Distribution: wheezy-security
Urgency: high
Maintainer: Kartik Mistry <kar...@debian.org>
Changed-By: Christos Trochalakis <yati...@ideopolis.gr>
Description:
nginx - small, powerful, scalable web/proxy server
nginx-common - small, powerful, scalable web/proxy server - common files
nginx-doc - small, powerful, scalable web/proxy server - documentation
nginx-extras - nginx web/proxy server (extended version)
nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
nginx-full - nginx web/proxy server (standard version)
nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
nginx-light - nginx web/proxy server (basic version)
nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
nginx-naxsi - nginx web/proxy server (version with naxsi)
nginx-naxsi-dbg - nginx web/proxy server (version with naxsi) - debugging symbols
nginx-naxsi-ui - nginx web/proxy server - naxsi configuration front-end
Closes: 761940
Changes:
nginx (1.2.1-2.2+wheezy3) wheezy-security; urgency=high
.
* debian/patches/fix-CVE-2014-3616.patch:
CVE-2014-3616: It was possible to reuse cached SSL sessions in
unrelated contexts, allowing virtual host confusion attacks in some
configurations by an attacker in a privileged network position.
(Closes: #761940)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---