Your message dated Tue, 24 Jan 2012 22:34:08 +0000
with message-id <[email protected]>
and subject line Bug#631283: fixed in php-suhosin 0.9.33-1
has caused the Debian Bug report #631283,
regarding CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows 
different password pairs to produce the same hash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
631283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631283
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php5-suhosin
Severity: serious
Tags: security

Hi,
The CVE (Common Vulnerabilities & Exposures) CVE-2011-2483 was
published for php5-suhosin.

A bug in crypt_blowfish was reported [1,2,3]. The function BF_set_key from 
crypt_blowfish.c:554 looks vulnerable. The RH report may be useful[4] too.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] https://bugzilla.redhat.com/show_bug.cgi?id=715025

-luciano



--- End Message ---
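The subkey collision behind CVE-2011-2483, shown as an added example that is not part of the bug report, of crypt_blowfish, or of php-suhosin. In BF_set_key the password is read cyclically, NUL terminator included, four bytes per 32-bit subkey word, with `tmp <<= 8; tmp |= *ptr;`. On platforms where `char` is signed, a byte >= 0x80 is sign-extended before the OR, so it also ORs 0xFFFFFF00 into the word and clobbers the bytes shifted in before it. The code below rebuilds only that key-expansion loop (the XOR with the fixed Blowfish P-array constants is omitted, since it cannot turn distinct subkeys into equal ones, and bcrypt itself is not run); `expand_key`, `keys_collide`, `first_word` and the `emulate_bug` flag are names chosen for this example, and the passwords are constructed test inputs. The flag forces the sign extension with an explicit cast rather than relying on the platform's `char` signedness.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_N 16                   /* Blowfish rounds; the key schedule has BF_N + 2 words */
#define KEY_WORDS (BF_N + 2)

/* Derive the KEY_WORDS subkey words from a NUL-terminated password the way
 * BF_set_key does: walk the password cyclically (the terminating NUL is a
 * key byte, after which reading restarts at the first byte) and pack four
 * bytes per word, most significant first.
 *
 * emulate_bug != 0: each byte is sign-extended before being OR'd in, which
 * is what the pre-fix code did wherever char is signed. A byte >= 0x80 then
 * ORs 0xFFFFFF00 into the word, so every byte already shifted in above it
 * becomes 0xFF. emulate_bug == 0: the corrected (unsigned char) behaviour. */
static void expand_key(const char *key, uint32_t out[KEY_WORDS], int emulate_bug)
{
    const char *ptr = key;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (emulate_bug)
                tmp |= (uint32_t)(int32_t)(signed char)*ptr;  /* sign-extended: the bug */
            else
                tmp |= (unsigned char)*ptr;                    /* zero-extended: the fix */
            ptr = *ptr ? ptr + 1 : key;                        /* wrap after the NUL */
        }
        out[i] = tmp;
    }
}

/* 1 if the two passwords expand to identical subkeys, which means identical
 * bcrypt output for the same salt and cost; 0 otherwise. */
static int keys_collide(const char *a, const char *b, int emulate_bug)
{
    uint32_t ka[KEY_WORDS], kb[KEY_WORDS];
    expand_key(a, ka, emulate_bug);
    expand_key(b, kb, emulate_bug);
    return memcmp(ka, kb, sizeof ka) == 0;
}

/* First subkey word of a password, to inspect what the bug does to one word. */
static uint32_t first_word(const char *key, int emulate_bug)
{
    uint32_t k[KEY_WORDS];
    expand_key(key, k, emulate_bug);
    return k[0];
}

int main(void)
{
    /* Constructed inputs. Hex escapes are split from following digits so that
     * "\xa3" "345" is one 0xA3 byte followed by the ASCII characters 3 4 5. */
    const char *p1 = "1\xa3" "345";
    const char *p2 = "\xff\xa3" "345";
    const char *p3 = "\xa3";
    const char *p4 = "\xff\xff\xa3";

    printf("first word of \"\\xa3\": buggy 0x%08x, fixed 0x%08x\n",
           first_word(p3, 1), first_word(p3, 0));
    printf("\"1\\xa3345\" vs \"\\xff\\xa3345\": collide buggy=%d fixed=%d\n",
           keys_collide(p1, p2, 1), keys_collide(p1, p2, 0));
    printf("\"\\xa3\" vs \"\\xff\\xff\\xa3\":    collide buggy=%d fixed=%d\n",
           keys_collide(p3, p4, 1), keys_collide(p3, p4, 0));
    return 0;
}
```

With the bug emulated, "1\xa3345" and "\xff\xa3345" produce the same eighteen subkey words (the sign extension turns the byte before 0xA3 into 0xFF either way), and the single byte "\xa3" expands to the same subkeys as "\xff\xff\xa3"; with the corrected loop neither pair collides. The practical consequence is that a stored hash of a password containing such a character will also verify for other strings, and that verifying an existing hash after the fix changes the result for those passwords, which is why upstream kept the old behaviour reachable under a separate hash prefix instead of silently changing it.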
--- Begin Message ---
Source: php-suhosin
Source-Version: 0.9.33-1

We believe that the bug you reported is fixed in the latest version of
php-suhosin, which is due to be installed in the Debian FTP archive:

php-suhosin_0.9.33-1.diff.gz
  to main/p/php-suhosin/php-suhosin_0.9.33-1.diff.gz
php-suhosin_0.9.33-1.dsc
  to main/p/php-suhosin/php-suhosin_0.9.33-1.dsc
php-suhosin_0.9.33.orig.tar.gz
  to main/p/php-suhosin/php-suhosin_0.9.33.orig.tar.gz
php5-suhosin_0.9.33-1_i386.deb
  to main/p/php-suhosin/php5-suhosin_0.9.33-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Wagner <[email protected]> (supplier of updated php-suhosin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 24 Jan 2012 23:09:33 +0100
Source: php-suhosin
Binary: php5-suhosin
Architecture: source i386
Version: 0.9.33-1
Distribution: unstable
Urgency: low
Maintainer: php-suhosin maintainers <[email protected]>
Changed-By: Jan Wagner <[email protected]>
Description: 
 php5-suhosin - advanced protection module for php5
Closes: 631283 657190
Changes: 
 php-suhosin (0.9.33-1) unstable; urgency=low
 .
   * New upstream version (Closes: #657190, #631283)
     - Fixed stack based buffer overflow in transparent cookie encryption
     - Fixed environment variables for logging do not go through the filter
       extension anymore
     - Fixed that disabling HTTP response splitting protection also disabled
       NUL byte protection in HTTP headers
     - Removed crypt() support - because not used for PHP >= 5.3.0 anyway
   * Update watch file, upstream changed naming scheme
Checksums-Sha1: 
 ac2ed250f8ba273036d1038d786a8c1071467bda 1360 php-suhosin_0.9.33-1.dsc
 abb30c22e7fe341955b42ec71ed597c43439e2b8 104488 php-suhosin_0.9.33.orig.tar.gz
 1f924e6df42e67cf0c6c9e438571363c51baf8c7 7942 php-suhosin_0.9.33-1.diff.gz
 698b72ffe0879f7059104af871e77f612b4007ef 76602 php5-suhosin_0.9.33-1_i386.deb
Checksums-Sha256: 
 63c56a78500e7f6c7b046dfb7b91a0b622633e0f672c8544db02071b6b4f1948 1360 php-suhosin_0.9.33-1.dsc
 865b1c72bae9a5a710fe0b07a0635556ce6c838653ec364d2a2a6e6f594529c5 104488 php-suhosin_0.9.33.orig.tar.gz
 318fc0bf5a26ec7e795c670272515fff6313bab7c17ed52162ae9e40b089aca2 7942 php-suhosin_0.9.33-1.diff.gz
 51c3382e76e4deabaddfde25a98f88fb260dca14c6ac333bfd342cb5b1c90eb6 76602 php5-suhosin_0.9.33-1_i386.deb
Files: 
 c32190c0f4d18bc6418e6a89685ce1e3 1360 php optional php-suhosin_0.9.33-1.dsc
 0ce498a02a8281e4274ea8e390c2b487 104488 php optional php-suhosin_0.9.33.orig.tar.gz
 3112fd751c7f09e4c397daec3caec657 7942 php optional php-suhosin_0.9.33-1.diff.gz
 e4300b79e2e5be45ac157ae3b71af5f2 76602 php optional php5-suhosin_0.9.33-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFPHy2H9u6Dud+QFyQRApY6AJsHJVh6oZ0lyvazQNnVEYO5hepGbQCg99P+
RDr+35O709jbOUonzAIieNA=
=2ciy
-----END PGP SIGNATURE-----



--- End Message ---
