Your message dated Tue, 11 Aug 2009 21:49:50 +0000
with message-id <[email protected]>
and subject line Bug#539899: fixed in openssl 0.9.8k-4
has caused the Debian Bug report #539899,
regarding CVE-2009-2409: spoof certificates by using MD2 design flaws
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
539899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539899
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Severity: important
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssl.
CVE-2009-2409[0]:
| The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
| and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
| MD2 with X.509 certificates, which might allow remote attackers to
| spoof certificates by using MD2 design flaws to generate a hash
| collision in less than brute-force time. NOTE: the scope of this
| issue is currently limited because the amount of computation required
| is still large.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
http://security-tracker.debian.net/tracker/CVE-2009-2409
Patch: http://cvs.openssl.org/chngview?cn=18381
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp4Cc0ACgkQNxpp46476ar5xwCcCZpTP5SD4GYle1w/WBBDJ3v1
PSAAmwU4C+BHnO1HbIgK5m3MKm55D8jO
=9WpU
-----END PGP SIGNATURE-----
--- End Message ---
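The CVE text above describes the risk (a certificate whose signature uses MD2 can be spoofed via a hash collision) and the package fix below removes MD2 from OpenSSL's digest table so such signatures no longer verify. A practitioner usually also wants to know which certificates in a trust store or on a server are affected. The following is an added example, not code from the bug report, from OpenSSL or from the Debian package: a stdlib-only Python scanner that walks the outer DER structure of an X.509 certificate, pulls the signatureAlgorithm OID and flags md2WithRSAEncryption. It generalizes beyond the page by also flagging md5WithRSAEncryption. The helper names, the sample certificate skeleton (a syntactically plausible outer structure with a dummy TBS and a zero signature, not a real certificate) and the OID tables are constructed for this example.

```python
"""Flag X.509 certificates signed with a broken digest (MD2, and MD5 as a generalization).

Only the outer DER layout is walked:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
  signatureAlgorithm ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
Stdlib only, so it works on a host whose OpenSSL no longer knows MD2 at all.
"""
import base64

# PKCS#1 signature-algorithm OIDs (RFC 3279 / RFC 4055). MD2 is the CVE-2009-2409 case;
# MD5 is flagged too (generalization, not from the bug report).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIGNATURE_OIDS = {
    **WEAK_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_bytes, end_offset)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in the X.509 outer structure")
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, pos = first, pos + 2
    else:                                  # long form: 0x8N followed by N length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets (base-128 sub-identifiers) to dotted form."""
    subids, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    if acc or not subids:
        raise ValueError("malformed OID")
    first = subids[0]                      # first two arcs share one sub-identifier
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])

def signature_algorithm_oid(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate, skipped here
    tag, alg_id, _ = read_tlv(cert, pos)   # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier.algorithm is not an OID")
    return decode_oid(oid)

def classify(cert_der):
    """Return (algorithm name or raw OID, is_weak) for one DER-encoded certificate."""
    oid = signature_algorithm_oid(cert_der)
    return KNOWN_SIGNATURE_OIDS.get(oid, oid), oid in WEAK_SIGNATURE_OIDS

def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode; use this on a real certificate file."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

# --- constructed sample input (hypothetical skeleton, not a real certificate) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def sample_cert(sig_oid):
    """Outer Certificate layout with a dummy TBS and a 1024-bit all-zero signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                        # stand-in tbsCertificate
    alg_id = _tlv(0x30, _encode_oid(sig_oid) + _tlv(0x05, b""))  # { oid, NULL }
    sig = _tlv(0x03, b"\x00" + bytes(128))                       # BIT STRING, no unused bits
    return _tlv(0x30, tbs + alg_id + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.2", "1.2.840.113549.1.1.11"):
        name, weak = classify(sample_cert(oid))
        print(f"{name}: {'REJECT' if weak else 'ok'}")
```

To run it over a real store, feed `classify(pem_to_der(open(path).read()))` each certificate. Two caveats: RFC 5280 requires the outer signatureAlgorithm to match tbsCertificate.signature, and a full check should read both; and the signature on a self-signed trust anchor is never verified during chain building, so an MD2-signed root is only a problem when it also appears as an intermediate or when software re-checks the anchor's self-signature.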
--- Begin Message ---
Source: openssl
Source-Version: 0.9.8k-4
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto0.9.8-udeb_0.9.8k-4_amd64.udeb
to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-4_amd64.udeb
libssl-dev_0.9.8k-4_amd64.deb
to pool/main/o/openssl/libssl-dev_0.9.8k-4_amd64.deb
libssl0.9.8-dbg_0.9.8k-4_amd64.deb
to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-4_amd64.deb
libssl0.9.8_0.9.8k-4_amd64.deb
to pool/main/o/openssl/libssl0.9.8_0.9.8k-4_amd64.deb
openssl_0.9.8k-4.diff.gz
to pool/main/o/openssl/openssl_0.9.8k-4.diff.gz
openssl_0.9.8k-4.dsc
to pool/main/o/openssl/openssl_0.9.8k-4.dsc
openssl_0.9.8k-4_amd64.deb
to pool/main/o/openssl/openssl_0.9.8k-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 11 Aug 2009 21:19:18 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8k-4
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description:
libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.8 - SSL shared libraries
libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 539899
Changes:
openssl (0.9.8k-4) unstable; urgency=low
.
* Split all the patches into separate files
* Stop undefining HZ, the issue on alpha should be fixed.
* Remove MD2 from digest algorithm table. (CVE-2009-2409) (Closes: #539899)
Checksums-Sha1:
8fee3e9400cd8335ed65afc85c13f49a5baaf12e 1947 openssl_0.9.8k-4.dsc
b29cfe6339af886f30174154991f9073cade2f5b 59504 openssl_0.9.8k-4.diff.gz
ff8682f97e5729fa042e3681ab3d24c08cbd3cf1 1049464 openssl_0.9.8k-4_amd64.deb
874a6e8c388fa5cc883ae4b13ba1f6b29f0713ec 979186 libssl0.9.8_0.9.8k-4_amd64.deb
0893132b6ccb7966437326b03a870193b4977098 635658 libcrypto0.9.8-udeb_0.9.8k-4_amd64.udeb
4478c40cd1aa339691962ed1e1c77b5085acaa59 2263272 libssl-dev_0.9.8k-4_amd64.deb
f4b08e78057c2ff250905f516dda6baefbeeebc4 1630958 libssl0.9.8-dbg_0.9.8k-4_amd64.deb
Checksums-Sha256:
9a56c69dd0571bb0d03d8b992205dde4915bd3e762c12b98691ee41ef268a4b6 1947 openssl_0.9.8k-4.dsc
d7a585584e0f541e7c6710c276391dc8fadcde636f4aa2abe0362231a72f6a10 59504 openssl_0.9.8k-4.diff.gz
c5e2f339b10a7344651d89658af67bd523f9bf0b9ddb4873d3fbb6ef06f6b971 1049464 openssl_0.9.8k-4_amd64.deb
7285d9cb9d45449fc36121b265e8d6a96826581b20da70ef24f7f5cc56aeab06 979186 libssl0.9.8_0.9.8k-4_amd64.deb
f33d3be118a39695c337a1ad12978b40817d8f7678252556e9c835fefb6210ef 635658 libcrypto0.9.8-udeb_0.9.8k-4_amd64.udeb
b349a0bce82b46f4c669037b12dd36790f6b54411c024464f4c01bf4170671cb 2263272 libssl-dev_0.9.8k-4_amd64.deb
0fb2c4d690f6e18cdd2f9f8aded7ccc18a075ae76ef46b0b448351c59be10bd2 1630958 libssl0.9.8-dbg_0.9.8k-4_amd64.deb
Files:
ed97c54241e1a9a3f170deaf1ec62d58 1947 utils optional openssl_0.9.8k-4.dsc
071da1dcb038adfdd1bd28fcbc4183dc 59504 utils optional openssl_0.9.8k-4.diff.gz
e07da31c929f0a499d1ff732ec07d3d4 1049464 utils optional openssl_0.9.8k-4_amd64.deb
d8b3111d1af5a32fd6a97995fef68b73 979186 libs important libssl0.9.8_0.9.8k-4_amd64.deb
b6baa83191e06a85b82ab4aa9d393349 635658 debian-installer optional libcrypto0.9.8-udeb_0.9.8k-4_amd64.udeb
fcfff916aec778316a7cf3f0dd973438 2263272 libdevel optional libssl-dev_0.9.8k-4_amd64.deb
047f42de7c09809e0f13941913605e28 1630958 debug extra libssl0.9.8-dbg_0.9.8k-4_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
=8s89
-----END PGP SIGNATURE-----
--- End Message ---