Your message dated Thu, 18 Feb 2010 08:02:37 +0000
with message-id <e1ni1lj-0007ac...@ries.debian.org>
and subject line Bug#564581: fixed in sendmail 8.13.8-3+etch1
has caused the Debian Bug report #564581,
regarding CVE-2009-4565: does not properly handle a '\0' character in a Common 
Name (CN) field of an X.509 certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
564581: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564581
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sendmail
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sendmail.

CVE-2009-4565[0]:
| sendmail before 8.14.4 does not properly handle a '\0' character in a
| Common Name (CN) field of an X.509 certificate, which (1) allows
| man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers
| via a crafted server certificate issued by a legitimate Certification
| Authority, and (2) allows remote attackers to bypass intended access
| restrictions via a crafted client certificate issued by a legitimate
| Certification Authority, a related issue to CVE-2009-2408.

Please coordinate with the security team (t...@security.debian.org) to
prepare packages for the stable and oldstable releases.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565
    http://security-tracker.debian.org/tracker/CVE-2009-4565


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktJ0v8ACgkQNxpp46476arSPQCggai2b9hxDmyUNjQC57+13y9H
TcgAoIsxCtp300SC4dBed2rvBNziY1sy
=Ob7s
-----END PGP SIGNATURE-----



--- End Message ---
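
The failure class named in the CVE text above, shown as an added example; it is not sendmail's code and not the Debian patch, neither of which appears on this page. The struct, function names and sample names are hypothetical, and the certificate field is modelled as the length-prefixed byte string that ASN.1 delivers.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name field as ASN.1 carries it: raw bytes plus an explicit
 * length. The bytes may contain 0x00; C string functions stop there. */
struct cn_field {
    const unsigned char *data;
    size_t len;
};

/* Flawed pattern: treats the field as a C string, so the comparison ends at
 * the first NUL and every byte after it is ignored. */
int cn_matches_naive(const struct cn_field *cn, const char *expected)
{
    return strcasecmp((const char *)cn->data, expected) == 0;
}

/* Hardened pattern: refuse any field containing a NUL inside its ASN.1
 * length, then compare over the explicit length only. */
int cn_matches_strict(const struct cn_field *cn, const char *expected)
{
    size_t want = strlen(expected);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                      /* embedded NUL: reject the name */
    if (cn->len != want)
        return 0;
    return strncasecmp((const char *)cn->data, expected, want) == 0;
}

/* Constructed sample fields, not taken from any real certificate. The
 * literals also carry a trailing NUL so the naive path stays in bounds. */
static const unsigned char CN_CLEAN[] = "mx.example.org";
static const unsigned char CN_NUL[]   = "mx.example.org\0.untrusted.example";

const struct cn_field cn_clean = { CN_CLEAN, sizeof CN_CLEAN - 1 };
const struct cn_field cn_nul   = { CN_NUL,   sizeof CN_NUL - 1 };

int main(void)
{
    printf("clean: naive=%d strict=%d\n",
           cn_matches_naive(&cn_clean, "mx.example.org"),
           cn_matches_strict(&cn_clean, "mx.example.org"));
    printf("NUL:   naive=%d strict=%d\n",
           cn_matches_naive(&cn_nul, "mx.example.org"),
           cn_matches_strict(&cn_nul, "mx.example.org"));
    return 0;
}
```

The same length-versus-strlen check applies to any name field used for an access decision, on client certificates as well as server certificates.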
--- Begin Message ---
Source: sendmail
Source-Version: 8.13.8-3+etch1

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive:

libmilter-dev_8.13.8-3+etch1_i386.deb
  to main/s/sendmail/libmilter-dev_8.13.8-3+etch1_i386.deb
libmilter0-dbg_8.13.8-3+etch1_i386.deb
  to main/s/sendmail/libmilter0-dbg_8.13.8-3+etch1_i386.deb
libmilter0_8.13.8-3+etch1_i386.deb
  to main/s/sendmail/libmilter0_8.13.8-3+etch1_i386.deb
rmail_8.13.8-3+etch1_i386.deb
  to main/s/sendmail/rmail_8.13.8-3+etch1_i386.deb
sendmail-base_8.13.8-3+etch1_all.deb
  to main/s/sendmail/sendmail-base_8.13.8-3+etch1_all.deb
sendmail-bin_8.13.8-3+etch1_i386.deb
  to main/s/sendmail/sendmail-bin_8.13.8-3+etch1_i386.deb
sendmail-cf_8.13.8-3+etch1_all.deb
  to main/s/sendmail/sendmail-cf_8.13.8-3+etch1_all.deb
sendmail-doc_8.13.8-3+etch1_all.deb
  to main/s/sendmail/sendmail-doc_8.13.8-3+etch1_all.deb
sendmail_8.13.8-3+etch1.diff.gz
  to main/s/sendmail/sendmail_8.13.8-3+etch1.diff.gz
sendmail_8.13.8-3+etch1.dsc
  to main/s/sendmail/sendmail_8.13.8-3+etch1.dsc
sendmail_8.13.8-3+etch1_all.deb
  to main/s/sendmail/sendmail_8.13.8-3+etch1_all.deb
sensible-mda_8.13.8-3+etch1_i386.deb
  to main/s/sendmail/sensible-mda_8.13.8-3+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 564...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 30 Jan 2010 18:10:23 +0100
Source: sendmail
Binary: libmilter-dev rmail sendmail sendmail-doc libmilter0 sendmail-cf sensible-mda libmilter0-dbg sendmail-base sendmail-bin
Architecture: source all i386
Version: 8.13.8-3+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Richard A Nelson (Rick) <cow...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description: 
 libmilter-dev - Sendmail Mail Filter API (Milter)
 libmilter0 - Sendmail Mail Filter API (Milter)
 libmilter0-dbg - Sendmail Mail Filter API (Milter)
 rmail      - MTA->UUCP remote mail handler
 sendmail   - powerful, efficient, and scalable Mail Transport Agent
 sendmail-base - powerful, efficient, and scalable Mail Transport Agent
 sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
 sendmail-cf - powerful, efficient, and scalable Mail Transport Agent
 sendmail-doc - powerful, efficient, and scalable Mail Transport Agent
 sensible-mda - Mail Delivery Agent wrapper
Closes: 564581
Changes: 
 sendmail (8.13.8-3+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-4565: incorrect verification of SSL certificate with NUL in
     name (Closes: #564581)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktkai8ACgkQNxpp46476arFdQCeKMKeVpZqOktTu8aOQgl1pWyW
GOMAoJEaFdbyMMruXWDz9XTI6nWF7vMs
=7opB
-----END PGP SIGNATURE-----



--- End Message ---
