Your message dated Sat, 04 Jul 2015 18:17:14 +0000
with message-id <e1zbs02-000244...@franck.debian.org>
and subject line Bug#785352: fixed in stunnel4 3:5.06-2+deb8u1
has caused the Debian Bug report #785352,
regarding stunnel4: CVE-2015-3644
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
785352: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785352
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: stunnel4
Version: 3:5.06-2
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for stunnel4. Could you
please have a look at it. I was not able to isolate a fix yet, so just
reporting to the BTS.
CVE-2015-3644[0]:
| Stunnel 5.00 through 5.13, when using the redirect option, does not
| redirect client connections to the expected server after the initial
| connection, which allows remote attackers to bypass authentication.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-3644
[1] https://www.stunnel.org/CVE-2015-3644.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: stunnel4
Source-Version: 3:5.06-2+deb8u1
We believe that the bug you reported is fixed in the latest version of
stunnel4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 785...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated stunnel4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 28 Jun 2015 06:57:25 +0200
Source: stunnel4
Binary: stunnel4
Architecture: source
Version: 3:5.06-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Peter Pentchev <r...@ringlet.net>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
stunnel4 - Universal SSL tunnel for network daemons
Closes: 785352
Changes:
stunnel4 (3:5.06-2+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add 17-CVE-2015-3644.patch patch.
CVE-2015-3644: authentication bypass with the "redirect" option.
(Closes: #785352)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---