Your message dated Fri, 29 Jan 2010 13:48:22 +0000
with message-id <e1narcw-00036o...@ries.debian.org>
and subject line Bug#564581: fixed in sendmail 8.14.3-9.1
has caused the Debian Bug report #564581,
regarding CVE-2009-4565: does not properly handle a '\0' character in a Common 
Name (CN) field of an X.509 certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
564581: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564581
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sendmail
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sendmail.

CVE-2009-4565[0]:
| sendmail before 8.14.4 does not properly handle a '\0' character in a
| Common Name (CN) field of an X.509 certificate, which (1) allows
| man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers
| via a crafted server certificate issued by a legitimate Certification
| Authority, and (2) allows remote attackers to bypass intended access
| restrictions via a crafted client certificate issued by a legitimate
| Certification Authority, a related issue to CVE-2009-2408.

Please coordinate with the security team (t...@security.debian.org) to
prepare packages for the stable and oldstable releases.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565
    http://security-tracker.debian.org/tracker/CVE-2009-4565


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktJ0v8ACgkQNxpp46476arSPQCggai2b9hxDmyUNjQC57+13y9H
TcgAoIsxCtp300SC4dBed2rvBNziY1sy
=Ob7s
-----END PGP SIGNATURE-----



--- End Message ---
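
Added example (not part of the bug report and not sendmail's code): the CVE text above describes a CN containing '\0'. The sketch below shows why a C-string comparison accepts such a name and how a length-aware check rejects it. The function names and the sample CN are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: a CN as carried in a certificate, i.e. bytes plus an
 * explicit length (ASN.1 strings are length-prefixed, not NUL-terminated).
 * The value has an embedded '\0' right after "mail.example.org". */
static const unsigned char SAMPLE_CN[] = "mail.example.org\0.untrusted.example";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)

/* Flawed check: treats the CN as a C string, so the comparison stops at the
 * first '\0' and the remainder of the name is never examined. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                       /* certificate's own length ignored */
    return strcasecmp((const char *)cn, host) == 0;
}

/* Length-aware check: any '\0' inside the declared length means the name
 * cannot be represented as a C string, so it is refused outright. */
int cn_matches_strict(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (cn == NULL || host == NULL || cn_len == 0)
        return 0;
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                       /* embedded NUL: reject the name */
    if (cn_len != strlen(host))
        return 0;                       /* lengths must agree exactly */
    return strncasecmp((const char *)cn, host, cn_len) == 0;
}

int main(void)
{
    const char *expected = "mail.example.org";   /* constructed host name */
    printf("declared CN length: %zu bytes\n", (size_t)SAMPLE_CN_LEN);
    printf("naive  match: %d\n",
           cn_matches_naive(SAMPLE_CN, SAMPLE_CN_LEN, expected));
    printf("strict match: %d\n",
           cn_matches_strict(SAMPLE_CN, SAMPLE_CN_LEN, expected));
    return 0;
}
```

The same length-versus-strlen test applies to any name taken from a certificate before it is used in an access decision.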
--- Begin Message ---
Source: sendmail
Source-Version: 8.14.3-9.1

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive:

libmilter-dev_8.14.3-9.1_i386.deb
  to main/s/sendmail/libmilter-dev_8.14.3-9.1_i386.deb
libmilter1.0.1-dbg_8.14.3-9.1_i386.deb
  to main/s/sendmail/libmilter1.0.1-dbg_8.14.3-9.1_i386.deb
libmilter1.0.1_8.14.3-9.1_i386.deb
  to main/s/sendmail/libmilter1.0.1_8.14.3-9.1_i386.deb
rmail_8.14.3-9.1_i386.deb
  to main/s/sendmail/rmail_8.14.3-9.1_i386.deb
sendmail-base_8.14.3-9.1_all.deb
  to main/s/sendmail/sendmail-base_8.14.3-9.1_all.deb
sendmail-bin_8.14.3-9.1_i386.deb
  to main/s/sendmail/sendmail-bin_8.14.3-9.1_i386.deb
sendmail-cf_8.14.3-9.1_all.deb
  to main/s/sendmail/sendmail-cf_8.14.3-9.1_all.deb
sendmail-doc_8.14.3-9.1_all.deb
  to main/s/sendmail/sendmail-doc_8.14.3-9.1_all.deb
sendmail_8.14.3-9.1.diff.gz
  to main/s/sendmail/sendmail_8.14.3-9.1.diff.gz
sendmail_8.14.3-9.1.dsc
  to main/s/sendmail/sendmail_8.14.3-9.1.dsc
sendmail_8.14.3-9.1_all.deb
  to main/s/sendmail/sendmail_8.14.3-9.1_all.deb
sensible-mda_8.14.3-9.1_i386.deb
  to main/s/sendmail/sensible-mda_8.14.3-9.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 564...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 29 Jan 2010 14:16:07 +0100
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter1.0.1-dbg libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source all i386
Version: 8.14.3-9.1
Distribution: unstable
Urgency: high
Maintainer: Richard A Nelson (Rick) <cow...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description: 
 libmilter-dev - Sendmail Mail Filter API (Milter)
 libmilter1.0.1 - Sendmail Mail Filter API (Milter)
 libmilter1.0.1-dbg - Sendmail Mail Filter API (Milter)
 rmail      - MTA->UUCP remote mail handler
 sendmail   - powerful, efficient, and scalable Mail Transport Agent
 sendmail-base - powerful, efficient, and scalable Mail Transport Agent
 sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
 sendmail-cf - powerful, efficient, and scalable Mail Transport Agent
 sendmail-doc - powerful, efficient, and scalable Mail Transport Agent
 sensible-mda - Mail Delivery Agent wrapper
Closes: 564581
Changes: 
 sendmail (8.14.3-9.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-4565: incorrect verification of SSL certificate with NUL in
     name (Closes: #564581)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkti4oYACgkQNxpp46476apRnwCfSsR+9cqyEHZJotKH995ya/MJ
loQAnRzGpU0gNX8jA/RBvjaIkU0emSL2
=LYJ7
-----END PGP SIGNATURE-----



--- End Message ---
