Your message dated Wed, 12 Nov 2014 19:18:58 +0000
with message-id <e1xodrs-0008ni...@franck.debian.org>
and subject line Bug#769154: fixed in gnutls28 3.3.8-4
has caused the Debian Bug report #769154,
regarding gnutls28: CVE-2014-8564: Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
769154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769154
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gnutls28
Version: 3.3.8-3
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for gnutls28.
CVE-2014-8564[0]:
Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5)
| An out-of-bounds memory write flaw was found in the way GnuTLS parsed
| certain ECC (Elliptic Curve Cryptography) certificates or certificate
| signing requests (CSR). A malicious user could create a specially
| crafted ECC certificate or a certificate signing request that, when
| processed by an application compiled against GnuTLS (for example,
| certtool), could cause that application to crash or execute arbitrary
| code with the permissions of the user running the application.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-8564
[1] http://www.gnutls.org/security.html#GNUTLS-SA-2014-5
[2] https://gitorious.org/gnutls/gnutls/commit/e821e1908686657a45c1b735f6d077b7a8493e2b (3.3.x branch)
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gnutls28
Source-Version: 3.3.8-4
We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 769...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated gnutls28 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 12 Nov 2014 19:31:07 +0100
Source: gnutls28
Binary: libgnutls28-dev libgnutls-deb0-28 libgnutls28-dbg gnutls-bin gnutls-doc guile-gnutls libgnutlsxx28 libgnutls-openssl27
Architecture: source i386 all
Version: 3.3.8-4
Distribution: unstable
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-ma...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Description:
gnutls-bin - GNU TLS library - commandline utilities
gnutls-doc - GNU TLS library - documentation and examples
guile-gnutls - GNU TLS library - GNU Guile bindings
libgnutls-deb0-28 - GNU TLS library - main runtime library
libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
libgnutls28-dbg - GNU TLS library - debugger symbols
libgnutls28-dev - GNU TLS library - development files
libgnutlsxx28 - GNU TLS library - C++ runtime library
Closes: 768841 769154
Changes:
gnutls28 (3.3.8-4) unstable; urgency=high
.
* Drop 31_fallback_to_RUSAGE_SELF.diff.
* 35_recheck_urandom_fd.diff: When gnutls_global_init() is called manually
from the application check the urandom fd for validity. Closes: #768841
and takes care of #760476.
* 36_less_refresh-rnd-state.diff: do not explicitly refresh rnd state on
session deinit. It is already being refreshed during the session lifetime.
* 37_X9.63_sanity_check.diff: when exporting curve coordinates to X9.63
format, perform additional sanity checks on input.
CVE-2014-8564 / GNUTLS-SA-2014-5. Closes: #769154
* 38_testforsanitycheck.diff adds a test for CVE-2014-8564. (As the test
uses a cert in binary DER format, which is not representable in a quilt
patch, and we want to limit debian.tar.xz to modifying stuff in debian/, we
have some special handling in debian/rules.)
Checksums-Sha1:
be68ede7e0ade10180bc4b056640f9efcd6c61b4 2913 gnutls28_3.3.8-4.dsc
13a1bc4e52a8655030c97523f2f95db043a68fe0 88156 gnutls28_3.3.8-4.debian.tar.xz
bd0c77623db9548f0354ee2fdcbd16867d9699e8 679268 libgnutls28-dev_3.3.8-4_i386.deb
f81c43d567aeb01e1f6e64ab001b36510dc08b0d 708914 libgnutls-deb0-28_3.3.8-4_i386.deb
92220ca321e46bb5a307f695c63de7e96fe0cc37 1915472 libgnutls28-dbg_3.3.8-4_i386.deb
4b6ec61a05caff0f01b667251ea30e51fd8f0b8c 309878 gnutls-bin_3.3.8-4_i386.deb
2faec5a12965a13b6a92144034acd476aa266bee 3625982 gnutls-doc_3.3.8-4_all.deb
323557e26210b2296dacdd4ff9983394be232b23 174350 guile-gnutls_3.3.8-4_i386.deb
fc8b73609377dfda09627532d2a50ffae2c51521 15432 libgnutlsxx28_3.3.8-4_i386.deb
a4f053754b912733f7229c23db7808286dc88ad6 141894 libgnutls-openssl27_3.3.8-4_i386.deb
Checksums-Sha256:
1ed6daa569fcb2bc5a794c8024a0b730b26579a4bd6eee8d138a7bb65f6712f1 2913 gnutls28_3.3.8-4.dsc
6ecaee8a683672a2b0e8356c47a968cd837a2da9d0d11b97f225e049bbea2977 88156 gnutls28_3.3.8-4.debian.tar.xz
0dd1b79171b8edac983feac600b9f751e99ba84ff17ed0c52721e5ef23ca17de 679268 libgnutls28-dev_3.3.8-4_i386.deb
fd54d8521f834352bb1553b1603a11f6589b3e447d4706dc6ebff881b25f007d 708914 libgnutls-deb0-28_3.3.8-4_i386.deb
91cea76d48904455ed6262cdbfe79799048074156cd6eef0375e5f8a0053cb59 1915472 libgnutls28-dbg_3.3.8-4_i386.deb
3802bf7a1b0dfec78bb7ce0958656915269a57d6496198caa012cca08b9c820a 309878 gnutls-bin_3.3.8-4_i386.deb
d07ebbdd4283c0865b8fecb5e4bdeb81ba72b995d615aef35618b55990363bd0 3625982 gnutls-doc_3.3.8-4_all.deb
37c9e445eeb05d342b2a07e81db3472a001605df6cb96912d130eec70f484409 174350 guile-gnutls_3.3.8-4_i386.deb
3f75b7fbcdfd3379cc6d322011cbaf2100e66570e3d7a04f444718e8ab6daadb 15432 libgnutlsxx28_3.3.8-4_i386.deb
08cc170a1ef72a2ebd988051e8e75c8ef5d93851ef07a726c7124bd28d0e7552 141894 libgnutls-openssl27_3.3.8-4_i386.deb
Files:
83293811a94214d48fc5cecdc0e4858b 2913 libs optional gnutls28_3.3.8-4.dsc
50534c2c37e8a0a2c3ccadf7c2fe97a6 88156 libs optional gnutls28_3.3.8-4.debian.tar.xz
d5ee931afb72cfc18a08782b9ed4f97a 679268 libdevel optional libgnutls28-dev_3.3.8-4_i386.deb
90eb59d1825ec8d089ae438dfa005565 708914 libs standard libgnutls-deb0-28_3.3.8-4_i386.deb
ee93f219bd37ed540a907d4451fe4b17 1915472 debug extra libgnutls28-dbg_3.3.8-4_i386.deb
2c7960696ca6eb811bc0ce5cb2e96c36 309878 net optional gnutls-bin_3.3.8-4_i386.deb
ed28f6644b31f30396ca34cb6b48590f 3625982 doc optional gnutls-doc_3.3.8-4_all.deb
af91c7e1e36595014d3a96b48ec92d58 174350 lisp optional guile-gnutls_3.3.8-4_i386.deb
160035c9a1b25ab69d23f4d4fb5cbc01 15432 libs extra libgnutlsxx28_3.3.8-4_i386.deb
163be982b7c926e962808603ad78fef4 141894 libs standard libgnutls-openssl27_3.3.8-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJUY66XAAoJEKVPAYVDghSEXo8P/0cO0TeZEXILwSHWcx24MQlw
G6z3GZ++PtRTJ5FsPohwT4X1KfKkpViP5qNbwf/ujp0Zlf/Pu54a4iYqg5ZLu8pw
BEvaJhdq4lPac/gMaBT9oPjv4qCtxjF6wzgR5Uj64RnwBSPbeixSp5c5QcV+TRhd
5CjC5+6obZgJJrR1xWIbboWCD/Ne+KbhqJ24zwXv2WYZhDb3MWqTSGtZ4aa0SGBK
XNM6v+dpzrt1e2ieYoG2Oz63JFFdHrOtoSD0HcplNKvxy9Wy/9VzyKzC9rEocNWu
a/X5A0P7Xs4H7Ns9asLEppui+L+9eJBDmvkk17j0cs8aytt+mDyYIDFpqvvmEZih
xZklaIsGM5jCj2JDXLs76+PJjJVTZJNV7EdsiZ8clBQW425aPAt7nUlZmU11xpu1
C37Q1zjLzG7+yyqagJuqSyjUTsKELfVgCLYOvgUkQpSCPFfuDhv4S+zgd19B8/pR
YZ4dv+GaxILErhSg3rdFBAqxz/ugr+vI3KszhERuZvNVVxwLZI6K0Pt2WzmztS1G
3KjtrDd/QbDaoZW8ysd8KNR58T85ZUEYObNShpTcagt2KavBF1Tiwiq1MaEh6hGF
QX2UhxxSda1rhJDcw3FKaQU59shxr23teOPNi+VFN52J4ErEVojfYbAsOmDOjQR/
3P5Paj40CXvzGFjL7C42
=TdIx
-----END PGP SIGNATURE-----
--- End Message ---
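The CVE text in the first message and the 37_X9.63_sanity_check.diff entry in the changelog describe the same bug class: two parsed EC coordinates are written into a fixed-size buffer of 1 + 2 * curve_size bytes, so a coordinate longer than the curve size writes past the end of the heap allocation unless its length is checked first. The following C is an added illustration of that check, not GnuTLS code and not the Debian patch; x963_export, x963_demo and X963_MAX_CURVE_BYTES are hypothetical names, and the sample coordinates are constructed for the demo rather than taken from any certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical encoder (not GnuTLS's): write an EC point as an X9.63
 * uncompressed point, 0x04 || X || Y, with each coordinate left-padded
 * with zeros to exactly curve_size bytes. The coordinates are big-endian
 * byte strings of caller-supplied length, as they would be after parsing
 * an untrusted certificate or CSR. The output buffer is fixed at
 * 1 + 2 * curve_size bytes, which is why an oversize coordinate becomes an
 * out-of-bounds write if its length is not checked before the copy. */

#define X963_MAX_CURVE_BYTES 66   /* enough for a 521-bit curve */

/* Returns the number of bytes written, or -1 if the input is rejected.
 * The length checks are the "sanity checks on input" the changelog talks
 * about: without them the two memcpy calls below would write past out[]
 * for any coordinate longer than curve_size. */
int x963_export(const uint8_t *x, size_t xlen,
                const uint8_t *y, size_t ylen,
                size_t curve_size,
                uint8_t *out, size_t outlen)
{
    if (curve_size == 0 || curve_size > X963_MAX_CURVE_BYTES)
        return -1;
    if (outlen < 1 + 2 * curve_size)
        return -1;
    /* Reject coordinates that do not fit the curve before touching out[]. */
    if (xlen > curve_size || ylen > curve_size)
        return -1;

    out[0] = 0x04;
    memset(out + 1, 0, 2 * curve_size);
    memcpy(out + 1 + (curve_size - xlen), x, xlen);
    memcpy(out + 1 + curve_size + (curve_size - ylen), y, ylen);
    return (int)(1 + 2 * curve_size);
}

/* Feed the encoder a well-formed 32-byte point and then an X coordinate
 * that is one byte too long for a 32-byte curve (constructed inputs).
 * Returns 1 if the first is accepted and the second rejected, else 0. */
int x963_demo(void)
{
    const size_t curve_size = 32;
    uint8_t out[1 + 2 * 32];
    uint8_t x[32], y[32], too_long[33];
    memset(x, 0x11, sizeof x);
    memset(y, 0x22, sizeof y);
    memset(too_long, 0x33, sizeof too_long);

    int ok = x963_export(x, sizeof x, y, sizeof y, curve_size,
                         out, sizeof out);
    int bad = x963_export(too_long, sizeof too_long, y, sizeof y, curve_size,
                          out, sizeof out);
    return ok == 65 && out[0] == 0x04 && bad == -1;
}

int main(void)
{
    int ok = x963_demo();
    printf("X9.63 sanity-check demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the example is the order of operations: the size of every caller-controlled input is compared against the curve size, and the output buffer length against 1 + 2 * curve_size, before any byte is written. A caller that sizes the buffer from the curve but trusts the parsed coordinate lengths gets exactly the heap overwrite the advisory describes.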