Your message dated Thu, 15 Mar 2012 00:19:45 +0000
with message-id <e1s7ypx-0006cm...@franck.debian.org>
and subject line Bug#664032: fixed in libgdata 0.10.2-1
has caused the Debian Bug report #664032,
regarding [CVE-2012-1177] libgdata do not verify SSL certs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
664032: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664032
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libgdata
Severity: grave
Tags: security patch

The following vulnerability had been reported against libgdata: 
http://www.openwall.com/lists/oss-security/2012/03/14/3

The upstream patch:
http://git.gnome.org/browse/libgdata/commit/?id=6799f2c525a584dc998821a6ce897e463dad7840
http://git.gnome.org/browse/libgdata/commit/?h=libgdata-0-10&id=8eff8fa9138859e03e58c2aa76600ab63eb5c29c

Please use CVE-2012-1177 for this issue. Since the bug affects other 
applications (like evolution) and looks quite important, please contact the 
security team if it also affects stable.

Cheers,
luciano



--- End Message ---
--- Begin Message ---
Source: libgdata
Source-Version: 0.10.2-1

We believe that the bug you reported is fixed in the latest version of
libgdata, which is due to be installed in the Debian FTP archive:

gir1.2-gdata-0.0_0.10.2-1_amd64.deb
  to main/libg/libgdata/gir1.2-gdata-0.0_0.10.2-1_amd64.deb
libgdata-common_0.10.2-1_all.deb
  to main/libg/libgdata/libgdata-common_0.10.2-1_all.deb
libgdata-dev_0.10.2-1_amd64.deb
  to main/libg/libgdata/libgdata-dev_0.10.2-1_amd64.deb
libgdata-doc_0.10.2-1_all.deb
  to main/libg/libgdata/libgdata-doc_0.10.2-1_all.deb
libgdata13_0.10.2-1_amd64.deb
  to main/libg/libgdata/libgdata13_0.10.2-1_amd64.deb
libgdata_0.10.2-1.debian.tar.gz
  to main/libg/libgdata/libgdata_0.10.2-1.debian.tar.gz
libgdata_0.10.2-1.dsc
  to main/libg/libgdata/libgdata_0.10.2-1.dsc
libgdata_0.10.2.orig.tar.xz
  to main/libg/libgdata/libgdata_0.10.2.orig.tar.xz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 664...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <bi...@debian.org> (supplier of updated libgdata package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Mar 2012 00:51:18 +0100
Source: libgdata
Binary: libgdata13 libgdata-common libgdata-dev libgdata-doc gir1.2-gdata-0.0
Architecture: source all amd64
Version: 0.10.2-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Michael Biebl <bi...@debian.org>
Description: 
 gir1.2-gdata-0.0 - GObject introspection data for the GData webservices library
 libgdata-common - Library for accessing GData webservices - common data files
 libgdata-dev - Library for accessing GData webservices - development files
 libgdata-doc - Library for accessing GData webservices - documentation
 libgdata13 - Library for accessing GData webservices - shared libraries
Closes: 664032
Changes: 
 libgdata (0.10.2-1) unstable; urgency=high
 .
   * New upstream release.
     - Correctly validate SSL certificates for all connections to prevent MitM
       attacks which use spoofed SSL certificates. Closes: #664032
       CVE-2012-1177
   * Urgency high for the security fix.



--- End Message ---
