Your message dated Sun, 22 Dec 2013 19:49:00 +0000
with message-id <[email protected]>
and subject line Bug#732754: fixed in openssl 1.0.1e-5
has caused the Debian Bug report #732754,
regarding openssl: CVE-2013-6449: crash when using TLS 1.2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
732754: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732754
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.0.1e-2
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for openssl.
CVE-2013-6449[0]:
crash when using TLS 1.2
It was reported in Apache Traffic Server[1] and upstream at [2], see
also [3]. I was not able to reproduce any crash myself, just checking
against the openssl source package to verify upstrem patches apply.
See [4] and [5] for the patches applied.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449
http://security-tracker.debian.org/tracker/CVE-2013-6449
[1] https://issues.apache.org/jira/browse/TS-2355
[2] http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1045363
[4] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ca98926
[5] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0294b2b
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.0.1e-5
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Dec 2013 19:25:35 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc
libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1e-5
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description:
libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
libssl-dev - Secure Sockets Layer toolkit - development files
libssl-doc - Secure Sockets Layer toolkit - development documentation
libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
openssl - Secure Sockets Layer toolkit - cryptographic utility
Closes: 694738 728055 732348 732710 732754
Changes:
openssl (1.0.1e-5) unstable; urgency=low
.
* Change default digest to SHA256 instead of SHA1. (Closes: #694738)
* Drop support for multiple certificates in 1 file. It never worked
properly in the first place, and the only one shipping in
ca-certificates has been split.
* Fix libdoc-manpgs-pod-spell.patch to only fix spalling errors
* Remove make-targets.patch. It prevented the test dir from being cleaned.
* Update to a git snapshot of the OpenSSL_1_0_1-stable branch.
- Fixes CVE-2013-6449 (Closes: #732754)
- Fixes CVE-2013-6450
- Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch
dtls_version.patch get_certificate.patch, since they where all
already commited upstream.
- adjust fix-pod-errors.patch for the reordering of items in the
documentation they've done trying to fix those pod errors.
- disable rdrand engine by default (Closes: #732710)
* disable zlib support. Fixes CVE-2012-4929 (Closes: #728055)
* Add arm64 support (Closes: #732348)
* Properly use the default number of bits in req when none are given
Checksums-Sha1:
1015bdeffc5f854fb184d573f94833a7eb4be187 2197 openssl_1.0.1e-5.dsc
94694a8c6f571524b4340a5a187027fbe569bc0d 196978 openssl_1.0.1e-5.debian.tar.gz
17bf4ad750294ef277103f25a9eccd9801e51721 1132258 libssl-doc_1.0.1e-5_all.deb
c4b4b82514fa989834ddfd26693c3a360845a672 662002 openssl_1.0.1e-5_amd64.deb
90ddd72866f6f410daebf1997471ec9a05a9331c 1003238 libssl1.0.0_1.0.1e-5_amd64.deb
f33bfe2ec9891ac3a9a1d24ca1dd490bb803bd47 623904
libcrypto1.0.0-udeb_1.0.1e-5_amd64.udeb
48aaa3fc63dfd07d6c55809d728116234ebc6452 1241958 libssl-dev_1.0.1e-5_amd64.deb
bf57262021d4da0da70f5f6de491e31190da0c58 2826986
libssl1.0.0-dbg_1.0.1e-5_amd64.deb
Checksums-Sha256:
b7bedc00efe2870722adf58e9c1461cf6dbd73e74c9f74c34ac40a515817d137 2197
openssl_1.0.1e-5.dsc
e2fa44b2ba4418840b3ce2fd144cd7a0fce29ce25d90551e492ef19c7c368ea1 196978
openssl_1.0.1e-5.debian.tar.gz
e54f7e533bc33d51f3ee2b773bf4357558f9c74df4ba5ede62b08974c4e4b268 1132258
libssl-doc_1.0.1e-5_all.deb
8923c9df7ab5c2bb8444c4a4e4288571d618fb929a5446d63cb1439038b56eeb 662002
openssl_1.0.1e-5_amd64.deb
25d769b9235b290bedd5f020e87dc78ccaa67adda4997cddcdc1cb09f6d7f764 1003238
libssl1.0.0_1.0.1e-5_amd64.deb
3bf27252bc51cdcf30f45ac690b39b9e5fff1bbc11ca37b544b7d194caf6f953 623904
libcrypto1.0.0-udeb_1.0.1e-5_amd64.udeb
433ddb83f39322aefbbcb6cc36e217f19e2415510046aa274d0396561b5cd5ce 1241958
libssl-dev_1.0.1e-5_amd64.deb
c103856c6ea28429eeb365575394ff5983449b697028569a16829b4f3eafd732 2826986
libssl1.0.0-dbg_1.0.1e-5_amd64.deb
Files:
c73ef6bf0bbf7499c0fcd5e2783341ab 2197 utils optional openssl_1.0.1e-5.dsc
1cea0119b9ed9ed76a7e8538f9ae4545 196978 utils optional
openssl_1.0.1e-5.debian.tar.gz
aec19eec4eec9adf861df8c36dc52079 1132258 doc optional
libssl-doc_1.0.1e-5_all.deb
9e9ea1c07dfa9480a0e89b0c7df4488b 662002 utils optional
openssl_1.0.1e-5_amd64.deb
7549079d3517842ddc4a588d04cc92af 1003238 libs important
libssl1.0.0_1.0.1e-5_amd64.deb
1f28be32a4c76f0c835b693cf9126726 623904 debian-installer optional
libcrypto1.0.0-udeb_1.0.1e-5_amd64.udeb
d569fe1cb27ec9d8c4b5450672b6dc9a 1241958 libdevel optional
libssl-dev_1.0.1e-5_amd64.deb
66871173845c2ce096c8141bb684275e 2826986 debug extra
libssl1.0.0-dbg_1.0.1e-5_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQIcBAEBCgAGBQJSt0EPAAoJEKGfLDAaVSLd/TwP/0LxJgPvFkEkSFnlRaAJv7ru
kva/26a32XNEr61Q655rWaVrqmBggyk8Tpa4Rc1I4Kfk3UMtexrUKtzlhtuf+V9f
nTf98daKR7lo+JfKqcSpNdmULwstK10GItZ/EHXMVAcHpaFZaqvjlCGuSQrfL0pw
+eDLePfrvj+/T4TFp8CLYU+MgqNS1dYNXn38zEwSw5EfjIzycf61i6ETJgfKFb8S
EhDU9exgimShP0o7B95pPYPjuxNH3lxj69J3e5GGQ4gJQENDUYTx7j3BZrw105Co
WNahqgkZXWRv965gdk8DLmwIht0OHjVkrfViXdbeSXygbJ9dBOqLBaivnNKW6jzF
+K4EE0/SwS+MHXmuw7IF0FgDBcZ/xP8IDrDE1nPT6ylX8aoDSkP1ajx62rZAxeRq
o8V4/Mug5QLsPkGUrJ3uEEEYPzt2gL/PV9IT+ITXuZqMbXUAAVTUmgQylx9b+EBb
HMeewrFSwl3XVuQr1c1oqF2lvhSlEOdplsUsvc5YAOwcASfV7QWtUyY0RgsvtGEl
2kTy0Etriuy/zFVw0x+ci/49Nl9d/JifsVawMfbqKcOLNJCoQn2NU82fQ9+yX5U7
jBZbssJZcgW2tQU94m0vf+XJe05p4kxCChC2VkHVUpl0qlQJT7zgk8eslxtK5jy/
0MpQBQSZKBcpEVej+wv3
=yv/Q
-----END PGP SIGNATURE-----
--- End Message ---