Your message dated Sun, 20 Mar 2016 10:44:09 +0200
with message-id <20160320084409.GA10111@tunkki>
and subject line closing
has caused the Debian Bug report #675436,
regarding openssl: Buffer overflow vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
675436: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675436
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 0.9.8o-4squeeze13
Severity: important
Tags: security

Description from email: http://seclists.org/bugtraq/2012/May/155

A buffer overflow vulnerability has been discovered within the OpenSSL command 
line utility. The vulnerability is revealed within the signing of a 
certificate. When issuing a sample command "openssl ca -config /path/to/cnf -in 
/path/to/csr -extensions v3_ca -out /path/to/crt" the user is prompted for the 
password of the signing certificate. This input data is improperly handled 
which results in a buffer overflow when the user enters a large amount of data. 
The password prompt requests 4 - 8191 characters however with large data input, 
stack smashing is detected. Our testing showed this to work on Ubuntu 12.04 and 
Suse Linux Enterprise Server 10. Our testing also found the OpenSSL binary 
found on Backtrack 5 R2 was presumably compiled without buffer overflow 
countermeasures.

The discoverer did report this to the OpenSSL people after I emailed him. No reply 
yet. I haven't verified this. Please check if this is valid. It probably doesn't 
affect squeeze, but let's verify.

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6                  2.11.3-3          Embedded GNU C Library: Shared lib
ii  libssl0.9.8            0.9.8o-4squeeze13 SSL shared libraries
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates    20090814+nmu3squeeze1 Common CA certificates

-- no debconf information



--- End Message ---
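As an added illustration (not OpenSSL's code and not part of the report), the defensive pattern the report implies: a length-bounded password prompt reader that enforces the quoted 4 to 8191 character limits and rejects over-long input instead of overrunning its buffer. The buffer size, result codes and helper names are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Limits the report quotes for the `openssl ca` password prompt: 4 to 8191
   characters. Everything here is an added illustration, not OpenSSL's code. */
#define PASS_MIN_LEN 4
#define PASS_MAX_LEN 8191
#define PASS_BUF_SIZE (PASS_MAX_LEN + 2)   /* room for the '\n' and the NUL */
enum pass_result { PASS_OK = 0, PASS_TOO_SHORT, PASS_TOO_LONG, PASS_EOF, PASS_BAD_BUF };
char pass_buf[PASS_BUF_SIZE];              /* destination used by the checks below */
/* Read one password line from `in` into `out` without writing past `out_size`
   bytes: over-long input is rejected and the rest of the line drained, so a
   huge paste at the prompt can never overrun the caller's buffer. */
enum pass_result read_password_bounded(FILE *in, char *out, size_t out_size)
{
    if (out_size < PASS_BUF_SIZE) return PASS_BAD_BUF;          /* caller's buffer too small */
    if (fgets(out, (int)out_size, in) == NULL) return PASS_EOF; /* fgets is length-bounded */
    size_t len = strlen(out);
    if (len > 0 && out[len - 1] == '\n') {
        out[--len] = '\0';
    } else if (len > PASS_MAX_LEN) {
        /* Buffer filled with no newline: drain the pending tail so the next
           prompt does not read it as an answer, then scrub the partial secret. */
        int c; do c = fgetc(in); while (c != EOF && c != '\n');
        memset(out, 0, out_size);
        return PASS_TOO_LONG;
    }
    if (len < PASS_MIN_LEN) { memset(out, 0, out_size); return PASS_TOO_SHORT; }
    return PASS_OK;
}
/* Run the reader over a constructed in-memory line (fmemopen is POSIX). */
enum pass_result verdict_for_line(const char *line, char *out, size_t out_size)
{
    FILE *in = (*line != '\0') ? fmemopen((void *)line, strlen(line), "r") : NULL;
    if (in == NULL) return PASS_EOF;
    enum pass_result r = read_password_bounded(in, out, out_size);
    fclose(in);
    return r;
}
/* Verdict for a constructed line of n 'A's plus newline, e.g. an oversized paste. */
enum pass_result verdict_for_length(size_t n)
{
    char *line = malloc(n + 2);
    if (line == NULL) return PASS_EOF;
    memset(line, 'A', n); line[n] = '\n'; line[n + 1] = '\0';
    enum pass_result r = verdict_for_line(line, pass_buf, sizeof pass_buf);
    free(line);
    return r;
}
```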
--- Begin Message ---
Version: openssl/1.0.2g-1

--- End Message ---
