Your message dated Sat, 24 Oct 2009 19:58:35 +0000
with message-id <e1n1ml1-0005tr...@ries.debian.org>
and subject line Bug#546212: fixed in kdelibs 4:3.5.5a.dfsg.1-8etch3
has caused the Debian Bug report #546212,
regarding CVE-2009-2702: KDE KSSL NULL Character Certificate Spoofing
Vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
546212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546212
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kdelibs,kde4libs
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kdelibs and kde4libs.
CVE-2009-2702[0]:
| KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
| '\0' character in a domain name in the Subject Alternative Name field
| of an X.509 certificate, which allows man-in-the-middle attackers to
| spoof arbitrary SSL servers via a crafted certificate issued by a
| legitimate Certification Authority, a related issue to CVE-2009-2408.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2702
http://security-tracker.debian.net/tracker/CVE-2009-2702
Cheers,
Giuseppe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqqhtMACgkQNxpp46476ao+jQCgjGZaW64GZRrVZpcGFAxW4+Ap
FpMAn2EWIhIe+Qgd0RBvO3abWnsLtRF2
=LoWY
-----END PGP SIGNATURE-----
--- End Message ---
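What the CVE text above describes is a mismatch in how a SAN dNSName is read: the certificate carries it as an ASN.1 IA5String with an explicit length, so it can contain a 0x00 byte, but a verifier that converts it to a C string and compares with strlen/strcmp semantics stops at that byte. A CA that validates ownership of the suffix (the part after the NUL) issues the certificate; a client that compares only the prefix accepts it for the victim's host. The following is an added example to illustrate that bug class and the length-aware fix. It is not code from the bug report, from kdelibs or from KSSL; the `san_dnsname` struct, the `match_vulnerable`/`match_fixed` functions and the names `www.bank.example` and `attacker.example` are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* An X.509 SAN dNSName as it sits in the certificate: an ASN.1 IA5String
 * carried with an explicit length, so it can legally hold any byte,
 * including 0x00. (Illustrative struct, not KSSL's or OpenSSL's type.) */
typedef struct {
    const unsigned char *data;
    size_t len;
} san_dnsname;

/* Constructed sample data. A CA that checks ownership of the name's
 * registrable suffix with length-aware code sees "attacker.example" and
 * issues; a client that converts the name to a C string sees only the
 * bytes before the 0x00. */
static const unsigned char crafted_bytes[] =
    "www.bank.example\0.attacker.example";
static const san_dnsname crafted_san = { crafted_bytes, sizeof(crafted_bytes) - 1 };
static const san_dnsname honest_san  = { (const unsigned char *)"www.bank.example", 16 };

/* ASCII case-insensitive byte comparison over an explicit length. */
static int ci_equal(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Vulnerable pattern: copy the ASN.1 bytes into a NUL-terminated buffer and
 * compare as a C string. strlen() stops at the embedded 0x00, so the trailing
 * ".attacker.example" is silently dropped and the name appears to be
 * "www.bank.example". Returns 1 on match, 0 otherwise. */
int match_vulnerable(const san_dnsname *san, const char *host)
{
    char buf[256];
    if (san->len >= sizeof buf)
        return 0;
    memcpy(buf, san->data, san->len);
    buf[san->len] = '\0';
    size_t seen = strlen(buf);               /* truncated at the first NUL */
    return seen == strlen(host) && ci_equal((const unsigned char *)buf, host, seen);
}

/* Hardened pattern: use the ASN.1 length throughout and refuse any name
 * containing a NUL, since no valid DNS label can contain one. Returns 1 on
 * match, 0 otherwise. */
int match_fixed(const san_dnsname *san, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(san->data, '\0', san->len) != NULL)
        return 0;                            /* embedded NUL: treat as malformed */
    if (san->len != hlen)
        return 0;
    return ci_equal(san->data, host, hlen);
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("crafted SAN, vulnerable matcher: %d\n", match_vulnerable(&crafted_san, host)); /* 1: spoofed */
    printf("crafted SAN, fixed matcher:      %d\n", match_fixed(&crafted_san, host));      /* 0: rejected */
    printf("honest SAN, fixed matcher:       %d\n", match_fixed(&honest_san, host));       /* 1 */
    return 0;
}
```

The point of the hardened version is not the case-insensitive compare but the two length checks: the ASN.1 length is authoritative, and a name whose ASN.1 length disagrees with its C-string length is rejected outright rather than compared. The same pattern applies wherever a certificate name reaches C-string code, which is why the report notes the relation to CVE-2009-2408.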
--- Begin Message ---
Source: kdelibs
Source-Version: 4:3.5.5a.dfsg.1-8etch3
We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:
kdelibs-data_3.5.5a.dfsg.1-8etch3_all.deb
to pool/main/k/kdelibs/kdelibs-data_3.5.5a.dfsg.1-8etch3_all.deb
kdelibs-dbg_3.5.5a.dfsg.1-8etch3_i386.deb
to pool/main/k/kdelibs/kdelibs-dbg_3.5.5a.dfsg.1-8etch3_i386.deb
kdelibs4-dev_3.5.5a.dfsg.1-8etch3_i386.deb
to pool/main/k/kdelibs/kdelibs4-dev_3.5.5a.dfsg.1-8etch3_i386.deb
kdelibs4-doc_3.5.5a.dfsg.1-8etch3_all.deb
to pool/main/k/kdelibs/kdelibs4-doc_3.5.5a.dfsg.1-8etch3_all.deb
kdelibs4c2a_3.5.5a.dfsg.1-8etch3_i386.deb
to pool/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-8etch3_i386.deb
kdelibs_3.5.5a.dfsg.1-8etch3.diff.gz
to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3.diff.gz
kdelibs_3.5.5a.dfsg.1-8etch3.dsc
to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3.dsc
kdelibs_3.5.5a.dfsg.1-8etch3_all.deb
to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 546...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated kdelibs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 16 Oct 2009 08:57:21 +0200
Source: kdelibs
Binary: kdelibs4c2a kdelibs kdelibs4-doc kdelibs-dbg kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.5.5a.dfsg.1-8etch3
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
kdelibs - core libraries from the official KDE release
kdelibs-data - core shared data for all KDE applications
kdelibs-dbg - debugging symbols for kdelibs
kdelibs4-dev - development files for the KDE core libraries
kdelibs4-doc - developer documentation for the KDE core libraries
kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 546212
Changes:
kdelibs (4:3.5.5a.dfsg.1-8etch3) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2009-2702: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not
properly handle a '\0' character in a domain name in the Subject
Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification Authority (Closes:
#546212)
Files:
430e1a184def8c61269ebd4236ecf902 1636 libs optional kdelibs_3.5.5a.dfsg.1-8etch3.dsc
616c29ec7f685e9b10c802eb6879d912 601207 libs optional kdelibs_3.5.5a.dfsg.1-8etch3.diff.gz
f4697ef70a2bc020b1c633c92981e81f 34648 libs optional kdelibs_3.5.5a.dfsg.1-8etch3_all.deb
a1326c3e10f4a1696b9d73115b417061 8607892 libs optional kdelibs-data_3.5.5a.dfsg.1-8etch3_all.deb
83be81e20b84b786c47a3351a3600c77 40162414 doc optional kdelibs4-doc_3.5.5a.dfsg.1-8etch3_all.deb
3bd6b5136465fbc6eb18f1112cbd3b58 9738260 libs optional kdelibs4c2a_3.5.5a.dfsg.1-8etch3_i386.deb
7ecda9b7973b7122035828d49c26864a 1380274 libdevel optional kdelibs4-dev_3.5.5a.dfsg.1-8etch3_i386.deb
63b27cabf41954b3b7d1f3a247d16573 26272380 libdevel extra kdelibs-dbg_3.5.5a.dfsg.1-8etch3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrYR44ACgkQNxpp46476aodxwCdEP49HQ+d6vdkWe4g0IutBTh7
sIsAn22CMGXCFaaYA6K4aei6Zh2lMPMU
=irNr
-----END PGP SIGNATURE-----
--- End Message ---