Your message dated Thu, 12 Nov 2009 18:48:39 +0000
with message-id <[email protected]>
and subject line Bug#555829: fixed in openssl 0.9.8k-6
has caused the Debian Bug report #555829,
regarding openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
555829: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555829
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability
Package: openssl
Version: 0.9.8g-15+lenny5
Severity: grave
*** Please type your report below this line ***
This is a SSL/TLS protocol vulnerability not specific to openssl.
Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and
previous) is subject to a number of serious man-in-the-middle (MITM) attacks
related to renegotiation. In general, these problems allow an MITM to
inject an arbitrary amount of chosen plaintext into the beginning of the
application protocol stream, leading to a variety of abuse possibilities.
In particular, practical attacks exists against HTTPS and could affect other
protocols that use SSL/TLS.
Openssl by default accepts renegotiations and there is no option to disable
this. Mainstream openssl 0.9.8l adds this option.
A new RFC draft has been created to address this problem at protocol level so
it's expected further versions of openssl will adopot it.
Possible solutions:
sid: upgrade to openssl 0.9.8l
stable/oldstable: backport a patch from openssl 0.9.8l to stable/oldstable
versions.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'stable')
Architecture: armel (armv5tejl)
Kernel: Linux 2.6.16.16-arm1
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1) (ignored: LC_ALL set to
es_ES)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl depends on:
hi libc6 2.7-18 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8g-15+lenny5 SSL shared libraries
ii zlib1g 1:1.2.3.3.dfsg-13 compression library - runtime
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20081127 Common CA certificates
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 0.9.8k-6
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto0.9.8-udeb_0.9.8k-6_amd64.udeb
to main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-6_amd64.udeb
libssl-dev_0.9.8k-6_amd64.deb
to main/o/openssl/libssl-dev_0.9.8k-6_amd64.deb
libssl0.9.8-dbg_0.9.8k-6_amd64.deb
to main/o/openssl/libssl0.9.8-dbg_0.9.8k-6_amd64.deb
libssl0.9.8_0.9.8k-6_amd64.deb
to main/o/openssl/libssl0.9.8_0.9.8k-6_amd64.deb
openssl_0.9.8k-6.diff.gz
to main/o/openssl/openssl_0.9.8k-6.diff.gz
openssl_0.9.8k-6.dsc
to main/o/openssl/openssl_0.9.8k-6.dsc
openssl_0.9.8k-6_amd64.deb
to main/o/openssl/openssl_0.9.8k-6_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 12 Nov 2009 18:10:31 +0000
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8k-6
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description:
libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.8 - SSL shared libraries
libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 555829
Changes:
openssl (0.9.8k-6) unstable; urgency=low
.
* Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829)
Checksums-Sha1:
12c7549726672005d83f3286f1cea4e910db5477 1948 openssl_0.9.8k-6.dsc
2d94920f39ea60d6403fae470d3f9c6aa8ec0a9d 61701 openssl_0.9.8k-6.diff.gz
88c090d8649e90e255de4d84c650d7d51832965a 1049328 openssl_0.9.8k-6_amd64.deb
b4f25df068eea343b787436da1ece2eeefd9e57c 979034 libssl0.9.8_0.9.8k-6_amd64.deb
6b4585556fced8ee2d7e99af4a511428c7093d94 635372
libcrypto0.9.8-udeb_0.9.8k-6_amd64.udeb
f4fcfc37ca9e45b1be8f92f0901002a5c248f95a 2263180 libssl-dev_0.9.8k-6_amd64.deb
67fae81f70fd7a872c5e2f25f5ef306f6b828b47 1646782
libssl0.9.8-dbg_0.9.8k-6_amd64.deb
Checksums-Sha256:
01695f6983f44c4049d9904f1313701dbf274a1803a4307d6ceb0d123925bad2 1948
openssl_0.9.8k-6.dsc
fd098ccb6d31ce5edfa3ba1527b3d22faefc825c448da5183f3a5b1102e4c887 61701
openssl_0.9.8k-6.diff.gz
a55c40b4c5eae921837be80452dd82b854186d0727edb800fb46d55c25682b90 1049328
openssl_0.9.8k-6_amd64.deb
331af1d3128d7ca1bb85edd8063b2eb6098fb1fbcae71891dc4e9dada557f284 979034
libssl0.9.8_0.9.8k-6_amd64.deb
60bd35aa3b5ca388e095659c5aa0cac9c0d6bf26dad0c1098f26e83115e99259 635372
libcrypto0.9.8-udeb_0.9.8k-6_amd64.udeb
a4673ea3720d419ae0caca28214aa1ece52459ef046d0d169632f0ee92ff50a3 2263180
libssl-dev_0.9.8k-6_amd64.deb
929708435aaf9dd390778b67b81c2edc672469193bcba873c06efb0cf1d686cf 1646782
libssl0.9.8-dbg_0.9.8k-6_amd64.deb
Files:
002d4174f620cbcc11b566d02336456a 1948 utils optional openssl_0.9.8k-6.dsc
c62120bc3e84f4a7dfd7d6d66dcedd60 61701 utils optional openssl_0.9.8k-6.diff.gz
fd905c563522ff0b2638686cfefe3e38 1049328 utils optional
openssl_0.9.8k-6_amd64.deb
c6820a643a1f08878b7089bda1aff0c8 979034 libs important
libssl0.9.8_0.9.8k-6_amd64.deb
c393384652a120d757b763aaf8c64730 635372 debian-installer optional
libcrypto0.9.8-udeb_0.9.8k-6_amd64.udeb
2dc4cb253a14763c2ff06b0a9d9af69a 2263180 libdevel optional
libssl-dev_0.9.8k-6_amd64.deb
f713c15f8c321c8dcc130665f96bfd9a 1646782 debug extra
libssl0.9.8-dbg_0.9.8k-6_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBCgAGBQJK/FWpAAoJEGpMZM6DE7XwcMkP/RIJ6fQOd9+y9q7RV3PX3TuR
76hHyJ+iqZo1deuBy69/tFp60tBbXZ/LSOYTPOsWLnCWsudCTGH3w/NCoa9dHfq5
sG8OhwiyHy8MjQ5nGa9wX9PEKIF7KYz+w3kN06Em6XC+q0C+5PVZDYwEZCtJw8bx
eHobblyz7qVv4vOVVp/r7digvE6NKFGSY73cu4uvEgyCyOdDzXBscjvflJdVRPX/
2Vs2cuekoVe+ef+11ynyGZSdN2hmzlL4U8pYJLyVeLqSJk2bxfEB9v6ToT5Nk3w/
UF0B4KuXHDBvR2K3oSV/t3iICFU7vs8UuPWsHM1mwot0kd2P00zKThHxkNoULaCw
VpBrkp9NjSEbc7ZX8d3p+VWYEV5fRsRpkwZU5y2flqdgW7TGogZIz4xyNDmasVnd
M52FWs8UL1wo2ymmbkxDxlG1sfgzsvQJeZG8g0fdYMPkMmCkurpNG4nZrQB3XQ+c
25h72vW+IPk1l8rv8EtzSo2bpqdJEwe4EkH1nBZpCDTstGcF6taaTAXpGEy5x0k3
8NZn+9OyE2dOzVXlUb46gkdlSTL8UplJzTXe8QDACEu4yDEE1dk2sN0WRanAikNJ
jpdIVXPpHMZnj9xqakBayvr8VjNxhEJI2DLRU3jyU8s247KbsnPqNzFCuqWq61mt
YQ4VX1j6uaqIH4mB9AvH
=3S4V
-----END PGP SIGNATURE-----
--- End Message ---