Your message dated Sat, 22 Aug 2009 11:32:30 +0000
with message-id <e1meopi-00033y...@ries.debian.org>
and subject line Bug#542926: fixed in neon27 0.28.6-1
has caused the Debian Bug report #542926,
regarding CVE-2009-2474: Improper verification of X.509v3 certificate with NUL
(zero) byte in certain fields
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
542926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542926
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: neon27,neon26,neon
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for neon.
CVE-2009-2474[0]:
neon before 0.28.6, when OpenSSL is used, does not properly handle a
'\0' character in a domain name in the subject's Common Name (CN)
field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority, a related issue to
CVE-2009-2408.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2474
http://security-tracker.debian.net/tracker/CVE-2009-2474
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001046.html
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html
Cheers,
Giuseppe
--- End Message ---
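Added example (not neon's or Debian's code) of the defect the CVE text above describes: hostname matching that treats the certificate's Common Name as a C string stops at an embedded NUL, while a length-aware check rejects such a CN outright. The CN is modelled as a length-delimited byte buffer as a DER decoder would return it; both CN values are constructed for illustration and no OpenSSL is needed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A decoded DER string: explicit length, not guaranteed NUL-terminated. */
struct asn1_str { const unsigned char *data; int len; };

/* Vulnerable pattern: copy the CN into a C string and compare, so the
 * comparison silently ends at the first NUL byte inside the CN. */
int match_cn_cstring(const struct asn1_str *cn, const char *host)
{
    char buf[256];
    if (cn->len < 0 || cn->len >= (int)sizeof buf) return 0;
    memcpy(buf, cn->data, (size_t)cn->len);
    buf[cn->len] = '\0';
    return strcasecmp(buf, host) == 0;
}

/* Hardened pattern: a CN containing a NUL within its declared length is
 * malformed and is rejected; otherwise compare using the full length. */
int match_cn_safe(const struct asn1_str *cn, const char *host)
{
    if (cn->len <= 0) return 0;
    if (memchr(cn->data, '\0', (size_t)cn->len) != NULL) return 0;
    if ((size_t)cn->len != strlen(host)) return 0;
    return strncasecmp((const char *)cn->data, host, (size_t)cn->len) == 0;
}

/* Constructed CN with an embedded NUL: "www.example.com\0.other.example".
 * Its ASN.1 length covers all 30 bytes, including the part after the NUL. */
static const unsigned char crafted_cn[] = "www.example.com\0.other.example";
static const struct asn1_str crafted = { crafted_cn, sizeof crafted_cn - 1 };

/* Constructed well-formed CN for comparison. */
static const unsigned char honest_cn[] = "www.example.com";
static const struct asn1_str honest = { honest_cn, sizeof honest_cn - 1 };

int main(void)
{
    printf("C-string match: crafted=%d honest=%d\n",
           match_cn_cstring(&crafted, "www.example.com"),
           match_cn_cstring(&honest, "www.example.com"));
    printf("length-aware:   crafted=%d honest=%d\n",
           match_cn_safe(&crafted, "www.example.com"),
           match_cn_safe(&honest, "www.example.com"));
    return 0;
}
```

The first line prints crafted=1, which is the spoofing condition; the second prints crafted=0 and honest=1.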
--- Begin Message ---
Source: neon27
Source-Version: 0.28.6-1
We believe that the bug you reported is fixed in the latest version of
neon27, which is due to be installed in the Debian FTP archive:
libneon25-dev_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon25-dev_0.28.6-1_amd64.deb
libneon27-dbg_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-dbg_0.28.6-1_amd64.deb
libneon27-dev_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-dev_0.28.6-1_amd64.deb
libneon27-gnutls-dbg_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls-dbg_0.28.6-1_amd64.deb
libneon27-gnutls-dev_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls-dev_0.28.6-1_amd64.deb
libneon27-gnutls_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls_0.28.6-1_amd64.deb
libneon27_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27_0.28.6-1_amd64.deb
neon27_0.28.6-1.diff.gz
  to pool/main/n/neon27/neon27_0.28.6-1.diff.gz
neon27_0.28.6-1.dsc
  to pool/main/n/neon27/neon27_0.28.6-1.dsc
neon27_0.28.6.orig.tar.gz
  to pool/main/n/neon27/neon27_0.28.6.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 542...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.hu> (supplier of updated neon27 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sat, 22 Aug 2009 10:19:54 +0000
Source: neon27
Binary: libneon27 libneon27-dev libneon27-dbg libneon27-gnutls libneon27-gnutls-dev libneon27-gnutls-dbg libneon25-dev
Architecture: source amd64
Version: 0.28.6-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.hu>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.hu>
Description:
libneon25-dev - Header and static library files for libneon25
libneon27 - An HTTP and WebDAV client library
libneon27-dbg - Detached symbols for libneon27
libneon27-dev - Header and static library files for libneon27
libneon27-gnutls - An HTTP and WebDAV client library (GnuTLS enabled)
libneon27-gnutls-dbg - Detached symbols for libneon27 (GnuTLS enabled)
libneon27-gnutls-dev - Header and static library files for libneon27 (GnuTLS enabled)
Closes: 542926
Changes:
neon27 (0.28.6-1) unstable; urgency=high
.
* New upstream release, fixing CVE-2009-2474 (closes: #542926); for the gnutls
version, building with gnutls 2.8.2 or later is required; updated
build-dependency accordingly.
* CVE-2009-2473 doesn't affect this package as it's compiled with a libxml2
version greater than 2.6.32.
--- End Message ---