Your message dated Sun, 22 Dec 2013 19:49:00 +0000
with message-id <[email protected]>
and subject line Bug#732754: fixed in openssl 1.0.1e-5
has caused the Debian Bug report #732754,
regarding openssl: CVE-2013-6449: crash when using TLS 1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
732754: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732754
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.0.1e-2
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for openssl.

CVE-2013-6449[0]:
crash when using TLS 1.2

It was reported in Apache Traffic Server[1] and upstream at [2], see
also [3]. I was not able to reproduce any crash myself, just checking
against the openssl source package to verify upstrem patches apply.
See [4] and [5] for the patches applied.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449
    http://security-tracker.debian.org/tracker/CVE-2013-6449
[1] https://issues.apache.org/jira/browse/TS-2355
[2] http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1045363
[4] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ca98926
[5] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0294b2b

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.0.1e-5

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 22 Dec 2013 19:25:35 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc 
libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1e-5
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description: 
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Closes: 694738 728055 732348 732710 732754
Changes: 
 openssl (1.0.1e-5) unstable; urgency=low
 .
   * Change default digest to SHA256 instead of SHA1.  (Closes: #694738)
   * Drop support for multiple certificates in 1 file.  It never worked
     properly in the first place, and the only one shipping in
     ca-certificates has been split.
   * Fix libdoc-manpgs-pod-spell.patch to only fix spalling errors
   * Remove make-targets.patch.  It prevented the test dir from being cleaned.
   * Update to a git snapshot of the OpenSSL_1_0_1-stable branch.
     - Fixes CVE-2013-6449 (Closes: #732754)
     - Fixes CVE-2013-6450
     - Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch
       dtls_version.patch get_certificate.patch, since they where all
       already commited upstream.
     - adjust fix-pod-errors.patch for the reordering of items in the
       documentation they've done trying to fix those pod errors.
     - disable rdrand engine by default (Closes: #732710)
   * disable zlib support.  Fixes CVE-2012-4929 (Closes: #728055)
   * Add arm64 support (Closes: #732348)
   * Properly use the default number of bits in req when none are given
Checksums-Sha1: 
 1015bdeffc5f854fb184d573f94833a7eb4be187 2197 openssl_1.0.1e-5.dsc
 94694a8c6f571524b4340a5a187027fbe569bc0d 196978 openssl_1.0.1e-5.debian.tar.gz
 17bf4ad750294ef277103f25a9eccd9801e51721 1132258 libssl-doc_1.0.1e-5_all.deb
 c4b4b82514fa989834ddfd26693c3a360845a672 662002 openssl_1.0.1e-5_amd64.deb
 90ddd72866f6f410daebf1997471ec9a05a9331c 1003238 libssl1.0.0_1.0.1e-5_amd64.deb
 f33bfe2ec9891ac3a9a1d24ca1dd490bb803bd47 623904 
libcrypto1.0.0-udeb_1.0.1e-5_amd64.udeb
 48aaa3fc63dfd07d6c55809d728116234ebc6452 1241958 libssl-dev_1.0.1e-5_amd64.deb
 bf57262021d4da0da70f5f6de491e31190da0c58 2826986 
libssl1.0.0-dbg_1.0.1e-5_amd64.deb
Checksums-Sha256: 
 b7bedc00efe2870722adf58e9c1461cf6dbd73e74c9f74c34ac40a515817d137 2197 
openssl_1.0.1e-5.dsc
 e2fa44b2ba4418840b3ce2fd144cd7a0fce29ce25d90551e492ef19c7c368ea1 196978 
openssl_1.0.1e-5.debian.tar.gz
 e54f7e533bc33d51f3ee2b773bf4357558f9c74df4ba5ede62b08974c4e4b268 1132258 
libssl-doc_1.0.1e-5_all.deb
 8923c9df7ab5c2bb8444c4a4e4288571d618fb929a5446d63cb1439038b56eeb 662002 
openssl_1.0.1e-5_amd64.deb
 25d769b9235b290bedd5f020e87dc78ccaa67adda4997cddcdc1cb09f6d7f764 1003238 
libssl1.0.0_1.0.1e-5_amd64.deb
 3bf27252bc51cdcf30f45ac690b39b9e5fff1bbc11ca37b544b7d194caf6f953 623904 
libcrypto1.0.0-udeb_1.0.1e-5_amd64.udeb
 433ddb83f39322aefbbcb6cc36e217f19e2415510046aa274d0396561b5cd5ce 1241958 
libssl-dev_1.0.1e-5_amd64.deb
 c103856c6ea28429eeb365575394ff5983449b697028569a16829b4f3eafd732 2826986 
libssl1.0.0-dbg_1.0.1e-5_amd64.deb
Files: 
 c73ef6bf0bbf7499c0fcd5e2783341ab 2197 utils optional openssl_1.0.1e-5.dsc
 1cea0119b9ed9ed76a7e8538f9ae4545 196978 utils optional 
openssl_1.0.1e-5.debian.tar.gz
 aec19eec4eec9adf861df8c36dc52079 1132258 doc optional 
libssl-doc_1.0.1e-5_all.deb
 9e9ea1c07dfa9480a0e89b0c7df4488b 662002 utils optional 
openssl_1.0.1e-5_amd64.deb
 7549079d3517842ddc4a588d04cc92af 1003238 libs important 
libssl1.0.0_1.0.1e-5_amd64.deb
 1f28be32a4c76f0c835b693cf9126726 623904 debian-installer optional 
libcrypto1.0.0-udeb_1.0.1e-5_amd64.udeb
 d569fe1cb27ec9d8c4b5450672b6dc9a 1241958 libdevel optional 
libssl-dev_1.0.1e-5_amd64.deb
 66871173845c2ce096c8141bb684275e 2826986 debug extra 
libssl1.0.0-dbg_1.0.1e-5_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSt0EPAAoJEKGfLDAaVSLd/TwP/0LxJgPvFkEkSFnlRaAJv7ru
kva/26a32XNEr61Q655rWaVrqmBggyk8Tpa4Rc1I4Kfk3UMtexrUKtzlhtuf+V9f
nTf98daKR7lo+JfKqcSpNdmULwstK10GItZ/EHXMVAcHpaFZaqvjlCGuSQrfL0pw
+eDLePfrvj+/T4TFp8CLYU+MgqNS1dYNXn38zEwSw5EfjIzycf61i6ETJgfKFb8S
EhDU9exgimShP0o7B95pPYPjuxNH3lxj69J3e5GGQ4gJQENDUYTx7j3BZrw105Co
WNahqgkZXWRv965gdk8DLmwIht0OHjVkrfViXdbeSXygbJ9dBOqLBaivnNKW6jzF
+K4EE0/SwS+MHXmuw7IF0FgDBcZ/xP8IDrDE1nPT6ylX8aoDSkP1ajx62rZAxeRq
o8V4/Mug5QLsPkGUrJ3uEEEYPzt2gL/PV9IT+ITXuZqMbXUAAVTUmgQylx9b+EBb
HMeewrFSwl3XVuQr1c1oqF2lvhSlEOdplsUsvc5YAOwcASfV7QWtUyY0RgsvtGEl
2kTy0Etriuy/zFVw0x+ci/49Nl9d/JifsVawMfbqKcOLNJCoQn2NU82fQ9+yX5U7
jBZbssJZcgW2tQU94m0vf+XJe05p4kxCChC2VkHVUpl0qlQJT7zgk8eslxtK5jy/
0MpQBQSZKBcpEVej+wv3
=yv/Q
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to