Your message dated Mon, 04 Jun 2012 20:49:14 +0000
with message-id <[email protected]>
and subject line Bug#664032: fixed in libgdata 0.6.4-2+squeeze1
has caused the Debian Bug report #664032,
regarding [CVE-2012-1177] libgdata do not verify SSL certs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
664032: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664032
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgdata
Severity: grave
Tags: security patch

The following vulnerability had been reported against libgdata:
http://www.openwall.com/lists/oss-security/2012/03/14/3

The upstream patch:
http://git.gnome.org/browse/libgdata/commit/?id=6799f2c525a584dc998821a6ce897e463dad7840
http://git.gnome.org/browse/libgdata/commit/?h=libgdata-0-10&id=8eff8fa9138859e03e58c2aa76600ab63eb5c29c

Please use CVE-2012-1177 for this issue. Since the bug affects other
applications (like evolution) and looks quite important, please contact the
security team if it also affects stable.

Cheers,
luciano
--- End Message ---
--- Begin Message ---
Source: libgdata
Source-Version: 0.6.4-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
libgdata, which is due to be installed in the Debian FTP archive:

gir1.0-gdata-0.0_0.6.4-2+squeeze1_amd64.deb
  to main/libg/libgdata/gir1.0-gdata-0.0_0.6.4-2+squeeze1_amd64.deb
libgdata-common_0.6.4-2+squeeze1_all.deb
  to main/libg/libgdata/libgdata-common_0.6.4-2+squeeze1_all.deb
libgdata-dev_0.6.4-2+squeeze1_amd64.deb
  to main/libg/libgdata/libgdata-dev_0.6.4-2+squeeze1_amd64.deb
libgdata-doc_0.6.4-2+squeeze1_all.deb
  to main/libg/libgdata/libgdata-doc_0.6.4-2+squeeze1_all.deb
libgdata7_0.6.4-2+squeeze1_amd64.deb
  to main/libg/libgdata/libgdata7_0.6.4-2+squeeze1_amd64.deb
libgdata_0.6.4-2+squeeze1.diff.gz
  to main/libg/libgdata/libgdata_0.6.4-2+squeeze1.diff.gz
libgdata_0.6.4-2+squeeze1.dsc
  to main/libg/libgdata/libgdata_0.6.4-2+squeeze1.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <[email protected]> (supplier of updated libgdata package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 30 May 2012 15:57:52 +0200
Source: libgdata
Binary: libgdata7 libgdata-common libgdata-dev libgdata-doc gir1.0-gdata-0.0
Architecture: source all amd64
Version: 0.6.4-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>, Sebastian Dröge <[email protected]>
Changed-By: Yves-Alexis Perez <[email protected]>
Description:
gir1.0-gdata-0.0 - Description: GObject introspection data for the GData webservices
libgdata-common - Library for accessing GData webservices - common data files
libgdata-dev - Library for accessing GData webservices - development files
libgdata-doc - Library for accessing GData webservices - documentation
libgdata7 - Library for accessing GData webservices - shared libraries
Closes: 664032
Changes:
 libgdata (0.6.4-2+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches:
     - 01_validate-ssl-certificates added, backported from upstream.
       Enforce validation of SSL certificates against the system root CAs
       This is CVE-2012-1177. closes: #664032
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---