Your message dated Tue, 10 Nov 2009 19:47:43 +0000
with message-id <e1n7wgp-0004ob...@ries.debian.org>
and subject line Bug#553432: fixed in openldap 2.4.17-2.1
has caused the Debian Bug report #553432,
regarding CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
553432: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553432
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openldap
Severity: grave
Tags: security patch


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openldap.

CVE-2009-3767[0]:
| libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not
| properly handle a '\0' character in a domain name in the subject's
| Common Name (CN) field of an X.509 certificate, which allows
| man-in-the-middle attackers to spoof arbitrary SSL servers via a
| crafted certificate issued by a legitimate Certification Authority, a
| related issue to CVE-2009-2408.


Please coordinate with the security team (t...@security.debian.org) to
prepare packages for the stable and oldstable releases.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767
    http://security-tracker.debian.org/tracker/CVE-2009-3767
    Patch: http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.8&r2=1.11&f=h




--- End Message ---
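The check at the heart of this CVE, as an added illustration that is not OpenLDAP's own tls_o.c code: a hostname-against-CN comparison that treats the CN as a C string (and therefore stops at an embedded NUL) beside one that consults the DER-encoded length and rejects any CN containing a NUL byte. It assumes the caller passes the raw CN bytes together with their encoded length; wildcard labels are deliberately left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Naive check modelled on the pre-fix behaviour: the CN is treated as a
 * NUL-terminated C string, so everything after an embedded '\0' is never
 * looked at and the encoded length is ignored. (Model, not libldap code.) */
bool cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                       /* the bug: length is discarded */
    const char *c = (const char *)cn;
    for (; *c && *host; c++, host++)
        if (tolower((unsigned char)*c) != tolower((unsigned char)*host))
            return false;
    return *c == '\0' && *host == '\0';
}

/* Hardened check: an X.509 CN carries an explicit DER length, so a NUL
 * anywhere inside that length is a malformed name and is rejected before
 * any comparison. The compare then covers exactly cn_len bytes. */
bool cn_matches_strict(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)   /* embedded NUL: reject */
        return false;
    if (strlen(host) != cn_len)             /* lengths must agree exactly */
        return false;
    for (size_t i = 0; i < cn_len; i++)
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return false;
    return true;
}

/* Constructed sample: a CN whose encoded length is 27 bytes but which
 * contains a NUL after the 15th byte, as described in the CVE text. */
static const unsigned char CRAFTED_CN[] = "www.example.com\0.other.test";
#define CRAFTED_CN_LEN (sizeof(CRAFTED_CN) - 1)

int naive_accepts_crafted(void)
{
    return cn_matches_naive(CRAFTED_CN, CRAFTED_CN_LEN, "www.example.com");
}

int strict_accepts_crafted(void)
{
    return cn_matches_strict(CRAFTED_CN, CRAFTED_CN_LEN, "www.example.com");
}

int strict_accepts_honest(void)
{
    static const unsigned char cn[] = "www.example.com";
    return cn_matches_strict(cn, sizeof(cn) - 1, "WWW.Example.COM");
}
```

The naive check accepts the crafted CN for www.example.com, which is exactly the spoofing the CVE describes; the strict check rejects it while still accepting a well-formed CN case-insensitively.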
--- Begin Message ---
Source: openldap
Source-Version: 2.4.17-2.1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.17-2.1_i386.deb
  to main/o/openldap/ldap-utils_2.4.17-2.1_i386.deb
libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
  to main/o/openldap/libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
libldap-2.4-2_2.4.17-2.1_i386.deb
  to main/o/openldap/libldap-2.4-2_2.4.17-2.1_i386.deb
libldap2-dev_2.4.17-2.1_i386.deb
  to main/o/openldap/libldap2-dev_2.4.17-2.1_i386.deb
openldap_2.4.17-2.1.diff.gz
  to main/o/openldap/openldap_2.4.17-2.1.diff.gz
openldap_2.4.17-2.1.dsc
  to main/o/openldap/openldap_2.4.17-2.1.dsc
slapd-dbg_2.4.17-2.1_i386.deb
  to main/o/openldap/slapd-dbg_2.4.17-2.1_i386.deb
slapd_2.4.17-2.1_i386.deb
  to main/o/openldap/slapd_2.4.17-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 553...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Tue, 10 Nov 2009 19:09:45 +0100
Source: openldap
Binary: slapd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source i386
Version: 2.4.17-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-de...@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
Closes: 553432
Changes: 
 openldap (2.4.17-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-3767: libraries/libldap/tls_o.c doesn't properly handle NULL
     character in subject Common Name (Closes: #553432)




--- End Message ---
