Your message dated Fri, 14 Aug 2009 18:17:07 +0000
with message-id <e1mc1kt-0002nd...@ries.debian.org>
and subject line Bug#541439: fixed in gnutls26 2.8.3-1
has caused the Debian Bug report #541439,
regarding CVE-2009-2730: does not properly handle a '\0' character
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
541439: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541439
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnutls26
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gnutls26.

CVE-2009-2730[0]:
| libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0'
| character in a domain name in the subject's (1) Common Name (CN) or
| (2) Subject Alternative Name (SAN) field of an X.509 certificate,
| which allows man-in-the-middle attackers to spoof arbitrary SSL
| servers via a crafted certificate issued by a legitimate Certification
| Authority.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Could you check if gnutls13 is affected please?

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2730
    http://security-tracker.debian.net/tracker/CVE-2009-2730

Cheers,
Giuseppe.

--- End Message ---
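The bug class the CVE text above describes is a mismatch between ASN.1 strings, which carry an explicit length and may legally contain a 0x00 byte, and C string functions, which stop at the first NUL. The following is an added illustration, not code from the bug report or from GnuTLS; `match_naive`, `match_safe` and the sample CN value are hypothetical, constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive matcher (the defect class of CVE-2009-2730): the DER value is
 * treated as a C string, so everything after an embedded NUL is ignored
 * and only the prefix is compared against the expected hostname. */
bool match_naive(const unsigned char *val, size_t val_len, const char *host)
{
    (void)val_len;                          /* declared length ignored */
    return strcmp((const char *)val, host) == 0;
}

/* Hardened matcher: reject any value with an embedded NUL, require the
 * declared length to equal the hostname length, then compare all bytes. */
bool match_safe(const unsigned char *val, size_t val_len, const char *host)
{
    if (memchr(val, '\0', val_len) != NULL)  /* embedded NUL: reject */
        return false;
    if (strlen(host) != val_len)             /* lengths must agree */
        return false;
    return memcmp(val, host, val_len) == 0;  /* full-length compare */
}

/* Constructed sample: a CN whose declared DER length (24 bytes) spans an
 * embedded NUL. A byte array standing in for a parsed certificate field. */
static const unsigned char sample_cn[] = "good.example\0bad.example";
static const size_t sample_cn_len = sizeof(sample_cn) - 1; /* drop trailing NUL */

int main(void)
{
    printf("naive: %s\n", match_naive(sample_cn, sample_cn_len, "good.example")
                               ? "accepted (wrong)" : "rejected");
    printf("safe:  %s\n", match_safe(sample_cn, sample_cn_len, "good.example")
                               ? "accepted" : "rejected (correct)");
    return 0;
}
```

A certificate-name check that consults only `strlen()` or `strcmp()` on a decoded DER value is the pattern to look for when auditing similar code.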
--- Begin Message ---
Source: gnutls26
Source-Version: 2.8.3-1

We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive:

gnutls-bin_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/gnutls-bin_2.8.3-1_i386.deb
gnutls-doc_2.8.3-1_all.deb
  to pool/main/g/gnutls26/gnutls-doc_2.8.3-1_all.deb
gnutls26_2.8.3-1.diff.gz
  to pool/main/g/gnutls26/gnutls26_2.8.3-1.diff.gz
gnutls26_2.8.3-1.dsc
  to pool/main/g/gnutls26/gnutls26_2.8.3-1.dsc
gnutls26_2.8.3.orig.tar.gz
  to pool/main/g/gnutls26/gnutls26_2.8.3.orig.tar.gz
guile-gnutls_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/guile-gnutls_2.8.3-1_i386.deb
libgnutls-dev_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/libgnutls-dev_2.8.3-1_i386.deb
libgnutls26-dbg_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/libgnutls26-dbg_2.8.3-1_i386.deb
libgnutls26_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/libgnutls26_2.8.3-1_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated gnutls26 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 14 Aug 2009 19:14:29 +0200
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls-bin gnutls-doc guile-gnutls
Architecture: source all i386
Version: 2.8.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-ma...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Description: 
 gnutls-bin - the GNU TLS library - commandline utilities
 gnutls-doc - the GNU TLS library - documentation and examples
 guile-gnutls - the GNU TLS library - GNU Guile bindings
 libgnutls-dev - the GNU TLS library - development files
 libgnutls26 - the GNU TLS library - runtime library
 libgnutls26-dbg - GNU TLS library - debugger symbols
Closes: 540449 541439
Changes: 
 gnutls26 (2.8.3-1) unstable; urgency=high
 .
   * New upstream version.
     + Stops hardcoding a hard dependency on the versions of gcrypt and tasn it
       was built against. Closes: #540449
     + Fixes CVE-2009-2730, a vulnerability related to NUL bytes in X.509
       certificate name fields. Closes: #541439 GNUTLS-SA-2009-4
       http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html
   * Drop 15_chainverify_expiredcert.diff, included upstream.
   * Urgency high, since 541439 applies to testing, too.
--- End Message ---