Your message dated Wed, 03 Oct 2007 19:56:19 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#444435: fixed in openssl 0.9.8c-4etch1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: openssl
Version: 0.9.8c-4, 0.9.7e-3sarge4
Severity: critical
Tags: sarge, etch, security
According to http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5135
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135 is not
yet available):
Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL
0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary
code via a crafted packet that triggers a one-byte buffer underflow.
According to the German IT news magazine "Heise Online", 0.9.7m and
0.9.8e are also affected:
http://www.heise.de/security/news/meldung/96710
Original source seems to be this Bugtraq posting:
http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
According to this posting, all lower versions are affected, too.
The release dates of 0.9.8e and 0.9.7m and the timeline in the above-mentioned
Bugtraq posting suggest that not only 0.9.7l and 0.9.8d but also 0.9.7m and
0.9.8e are affected -- as Heise wrote.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22.3-amd64-1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages openssl depends on:
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8c-4 SSL shared libraries
ii zlib1g 1:1.2.3-13 compression library - runtime
openssl recommends no packages.
-- no debconf information
--- End Message ---
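The report above describes an off-by-one in SSL_get_shared_ciphers() that yields a one-byte buffer underflow when a colon-separated list of cipher names is written into a caller-supplied buffer. The following C program is an added illustration of that bug class and its fix; it is not OpenSSL's code and not part of this bug log. It assumes a hypothetical cipher-name list (SAMPLE_NAMES) and two hypothetical functions: unsafe_terminator_index(), which models the faulty pattern without performing any out-of-bounds write by only reporting the index the terminating write would land on, and safe_join(), a bounds-checked replacement that never writes before or past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed cipher-name list for this example (not OpenSSL's tables). */
static const char *const SAMPLE_NAMES[] = { "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA" };
#define SAMPLE_COUNT (sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0])

/*
 * Model of the bug class: a join loop copies each name followed by ':' and
 * afterwards terminates the string with p[-1] = '\0', assuming at least one
 * ':' was written. If the loop never copies anything (empty list, or the first
 * name plus separator does not fit in len bytes), p still equals buf, so p[-1]
 * lands one byte before the buffer: a one-byte underflow. Nothing is written
 * here; the function only returns the index, relative to buf[0], that the
 * terminating write would hit, so the defect is observable without UB.
 */
static long unsafe_terminator_index(const char *const *names, size_t count, int len)
{
    long p = 0;                           /* write cursor as an index into buf */
    for (size_t i = 0; i < count; i++) {
        int n = (int)strlen(names[i]);
        if (n + 1 > len)                  /* name plus ':' would not fit */
            break;
        p += n + 1;                       /* name bytes and the separator */
        len -= n + 1;
    }
    return p - 1;                         /* where p[-1] = '\0' would go */
}

/*
 * Hardened join: refuses a zero-length buffer, checks every write against len
 * including the NUL, writes the separator only between names, and places the
 * terminator at the cursor instead of at p[-1]. Returns the number of
 * characters written (excluding the NUL) or -1 on bad arguments; when len > 0
 * buf is always NUL-terminated, truncated at a name boundary if needed.
 */
static int safe_join(char *buf, int len, const char *const *names, size_t count)
{
    if (buf == NULL || len <= 0)
        return -1;
    int used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        int n = (int)strlen(names[i]);
        int need = n + (used > 0 ? 1 : 0);   /* separator only after the first name */
        if (need > len - 1 - used)           /* must leave room for the NUL */
            break;
        if (used > 0)
            buf[used++] = ':';
        memcpy(buf + used, names[i], (size_t)n);
        used += n;
        buf[used] = '\0';
    }
    return used;
}

/* Convenience wrapper: joins the sample list into a static buffer of the given
 * logical length (capped at the real buffer size) and returns it for checks. */
static char g_out[64];
static const char *safe_join_sample(int len)
{
    if (len > (int)sizeof g_out)
        len = (int)sizeof g_out;
    safe_join(g_out, len, SAMPLE_NAMES, SAMPLE_COUNT);
    return g_out;
}

int main(void)
{
    printf("64-byte buffer : \"%s\"\n", safe_join_sample(64));
    printf("22-byte buffer : \"%s\"\n", safe_join_sample(22)); /* exact fit of two names */
    printf(" 8-byte buffer : \"%s\"\n", safe_join_sample(8));  /* first name does not fit */
    printf("unsafe pattern, 64-byte buffer: terminator at index %ld\n",
           unsafe_terminator_index(SAMPLE_NAMES, SAMPLE_COUNT, 64));
    printf("unsafe pattern,  8-byte buffer: terminator at index %ld\n",
           unsafe_terminator_index(SAMPLE_NAMES, SAMPLE_COUNT, 8));
    return 0;
}
```

With a 64-byte buffer both variants terminate the string at index 34; with an 8-byte buffer (or an empty list) the modelled pattern reports index -1, the byte before the buffer, while safe_join() returns an empty, NUL-terminated string. The design point is that the terminator position is derived from what was actually written, never from an assumption that a separator preceded it.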
--- Begin Message ---
Source: openssl
Source-Version: 0.9.8c-4etch1
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto0.9.8-udeb_0.9.8c-4etch1_amd64.udeb
to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_amd64.udeb
libssl-dev_0.9.8c-4etch1_amd64.deb
to pool/main/o/openssl/libssl-dev_0.9.8c-4etch1_amd64.deb
libssl0.9.8-dbg_0.9.8c-4etch1_amd64.deb
to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_amd64.deb
libssl0.9.8_0.9.8c-4etch1_amd64.deb
to pool/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_amd64.deb
openssl_0.9.8c-4etch1.diff.gz
to pool/main/o/openssl/openssl_0.9.8c-4etch1.diff.gz
openssl_0.9.8c-4etch1.dsc
to pool/main/o/openssl/openssl_0.9.8c-4etch1.dsc
openssl_0.9.8c-4etch1_amd64.deb
to pool/main/o/openssl/openssl_0.9.8c-4etch1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <[EMAIL PROTECTED]> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 28 Sep 2007 19:57:00 +0200
Source: openssl
Binary: libssl-dev openssl libssl0.9.8-dbg libcrypto0.9.8-udeb libssl0.9.8
Architecture: source amd64
Version: 0.9.8c-4etch1
Distribution: stable-security
Urgency: low
Maintainer: [EMAIL PROTECTED]
Changed-By: Kurt Roeckx <[EMAIL PROTECTED]>
Description:
libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.8 - SSL shared libraries
libssl0.9.8-dbg - Symbol tables for libssl and libcrypt
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 444435
Changes:
openssl (0.9.8c-4etch1) stable-security; urgency=low
.
* CVE-2007-5135: Fix off by one error in SSL_get_shared_ciphers().
(Closes: #444435)
* Add nagios-nrpe-server, clamav-freshclam and clamav-daemon
to the list of services to check for restart.
Files:
c7cee551a6affbac043c05484b6f2e8e 807 utils optional openssl_0.9.8c-4etch1.dsc
78454bec556bcb4c45129428a766c886 3313857 utils optional openssl_0.9.8c.orig.tar.gz
1057ca0c69dedda8cec94a820da1d99a 44257 utils optional openssl_0.9.8c-4etch1.diff.gz
288b472372e826628fbbc45fc8cc285a 1004882 utils optional openssl_0.9.8c-4etch1_amd64.deb
b2e5ba39115b67c6e1cf7b466bef723f 890368 libs important libssl0.9.8_0.9.8c-4etch1_amd64.deb
7af4acf0ea362be607fe43de6436f2ef 580040 debian-installer optional libcrypto0.9.8-udeb_0.9.8c-4etch1_amd64.udeb
54509d057a7351147f0ed2790b5ef103 2179570 libdevel optional libssl-dev_0.9.8c-4etch1_amd64.deb
ee8129fe12623d4cb2d0fb8736f7bda2 1653348 libdevel extra libssl0.9.8-dbg_0.9.8c-4etch1_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG/WO4YrVLjBFATsMRAsQQAJ9fGy3MhXYHh83BjoxJ7c/N036uEACbBzcq
dYJbedxTYo8CWn5IxZktnb8=
=KxXB
-----END PGP SIGNATURE-----
--- End Message ---