Your message dated Mon, 02 Nov 2015 17:00:30 +0000
with message-id <[email protected]>
and subject line Bug#801413: fixed in polarssl 1.3.14-0.1
has caused the Debian Bug report #801413,
regarding polarssl: CVE-2015-5291: Remote attack on clients using session 
tickets or SNI
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
801413: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801413
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: polarssl
Version: 1.2.8-2
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for polarssl.

CVE-2015-5291[0]:
Remote attack on clients using session tickets or SNI

It has been fixed in the PolarSSL 1.2.17 branch, then the rebranded mbed
TLS 1.3.14 (and mbed TLS 2.1.2).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5291
[1] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: polarssl
Source-Version: 1.3.14-0.1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <[email protected]> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Oct 2015 21:49:24 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libmbedtls9
Architecture: source amd64
Version: 1.3.14-0.1
Distribution: experimental
Urgency: high
Maintainer: Roland Stigge <[email protected]>
Changed-By: James Cowgill <[email protected]>
Description:
 libmbedtls9 - lightweight crypto and SSL/TLS library
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
Closes: 773306 781840 787324 801413
Changes:
 polarssl (1.3.14-0.1) experimental; urgency=high
 .
   * Non-maintainer upload.
   * New upstream release. (Closes: #787324)
     - The upstream project has been renamed to "mbed TLS", but for
       compatibility the binaries supplied by this package will still
       be called "polarssl" for the 1.3 series.
     - Fixes CVE-2015-5291: Remote attack on clients using session tickets or
       SNI. (Closes: #801413)
     - Fixes mips64el bignum implementation. (Closes: #773306)
     - Fixes parsing of certain PKCS#3 files. (Closes: #781840)
 .
   * Rename libpolarssl7 package to libmbedtls9 due to SONAME bump.
   * Drop CVE-2015-1182.patch - applied upstream.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
