Your message dated Sun, 31 Jan 2010 19:59:20 +0000
with message-id <[email protected]>
and subject line Bug#564581: fixed in sendmail 8.14.3-5+lenny1
has caused the Debian Bug report #564581,
regarding CVE-2009-4565: does not properly handle a '\0' character in a Common
Name (CN) field of an X.509 certificate
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
564581: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564581
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sendmail
Severity: grave
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sendmail.
CVE-2009-4565[0]:
| sendmail before 8.14.4 does not properly handle a '\0' character in a
| Common Name (CN) field of an X.509 certificate, which (1) allows
| man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers
| via a crafted server certificate issued by a legitimate Certification
| Authority, and (2) allows remote attackers to bypass intended access
| restrictions via a crafted client certificate issued by a legitimate
| Certification Authority, a related issue to CVE-2009-2408.
Please coordinate with the security team ([email protected]) to
prepare packages for the stable and oldstable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565
http://security-tracker.debian.org/tracker/CVE-2009-4565
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktJ0v8ACgkQNxpp46476arSPQCggai2b9hxDmyUNjQC57+13y9H
TcgAoIsxCtp300SC4dBed2rvBNziY1sy
=Ob7s
-----END PGP SIGNATURE-----
--- End Message ---
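The bug class the CVE text above describes, as an added example (not sendmail's code and not the Debian patch): a certificate name is a length-counted byte string, so comparing it as a C string stops at the first '\0' and ignores everything after it. The struct, function names and sample names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A name as the certificate carries it: bytes plus an explicit length. */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed samples: one CN with an embedded NUL, one ordinary CN. */
static const unsigned char NUL_BYTES[] = "mail.example.org\0.other.example";
static const unsigned char CLEAN_BYTES[] = "mail.example.org";
static const struct cert_name SAMPLE_NUL_CN = { NUL_BYTES, sizeof(NUL_BYTES) - 1 };
static const struct cert_name SAMPLE_CLEAN_CN = { CLEAN_BYTES, sizeof(CLEAN_BYTES) - 1 };

/* Flawed pattern: treats the CN as a C string, so the comparison ends at
 * the first NUL and never looks at the bytes that follow it. */
int cn_matches_cstring(const struct cert_name *cn, const char *expected)
{
    return strcasecmp((const char *)cn->data, expected) == 0;
}

/* Checked pattern: refuse any name containing a NUL inside its declared
 * length, then compare over the full declared length. */
int cn_matches_checked(const struct cert_name *cn, const char *expected)
{
    size_t elen = strlen(expected);

    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                       /* embedded NUL: reject the name */
    if (cn->len != elen)
        return 0;                       /* lengths must agree exactly */
    return strncasecmp((const char *)cn->data, expected, elen) == 0;
}

int main(void)
{
    const char *host = "mail.example.org";

    printf("NUL CN,   C-string compare: %d\n", cn_matches_cstring(&SAMPLE_NUL_CN, host));
    printf("NUL CN,   checked compare:  %d\n", cn_matches_checked(&SAMPLE_NUL_CN, host));
    printf("clean CN, checked compare:  %d\n", cn_matches_checked(&SAMPLE_CLEAN_CN, host));
    return 0;
}
```

The same length check applies to every name field an access decision reads from a certificate, on both the server-certificate and client-certificate paths the CVE lists.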
--- Begin Message ---
Source: sendmail
Source-Version: 8.14.3-5+lenny1
We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive:
libmilter-dev_8.14.3-5+lenny1_i386.deb
to main/s/sendmail/libmilter-dev_8.14.3-5+lenny1_i386.deb
libmilter1.0.1-dbg_8.14.3-5+lenny1_i386.deb
to main/s/sendmail/libmilter1.0.1-dbg_8.14.3-5+lenny1_i386.deb
libmilter1.0.1_8.14.3-5+lenny1_i386.deb
to main/s/sendmail/libmilter1.0.1_8.14.3-5+lenny1_i386.deb
rmail_8.14.3-5+lenny1_i386.deb
to main/s/sendmail/rmail_8.14.3-5+lenny1_i386.deb
sendmail-base_8.14.3-5+lenny1_all.deb
to main/s/sendmail/sendmail-base_8.14.3-5+lenny1_all.deb
sendmail-bin_8.14.3-5+lenny1_i386.deb
to main/s/sendmail/sendmail-bin_8.14.3-5+lenny1_i386.deb
sendmail-cf_8.14.3-5+lenny1_all.deb
to main/s/sendmail/sendmail-cf_8.14.3-5+lenny1_all.deb
sendmail-doc_8.14.3-5+lenny1_all.deb
to main/s/sendmail/sendmail-doc_8.14.3-5+lenny1_all.deb
sendmail_8.14.3-5+lenny1.diff.gz
to main/s/sendmail/sendmail_8.14.3-5+lenny1.diff.gz
sendmail_8.14.3-5+lenny1.dsc
to main/s/sendmail/sendmail_8.14.3-5+lenny1.dsc
sendmail_8.14.3-5+lenny1_all.deb
to main/s/sendmail/sendmail_8.14.3-5+lenny1_all.deb
sensible-mda_8.14.3-5+lenny1_i386.deb
to main/s/sendmail/sensible-mda_8.14.3-5+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <[email protected]> (supplier of updated sendmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 29 Jan 2010 14:52:12 +0100
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter1.0.1-dbg
libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source all i386
Version: 8.14.3-5+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Richard A Nelson (Rick) <[email protected]>
Changed-By: Giuseppe Iuculano <[email protected]>
Description:
libmilter-dev - Sendmail Mail Filter API (Milter)
libmilter1.0.1 - Sendmail Mail Filter API (Milter)
libmilter1.0.1-dbg - Sendmail Mail Filter API (Milter)
rmail - MTA->UUCP remote mail handler
sendmail - powerful, efficient, and scalable Mail Transport Agent
sendmail-base - powerful, efficient, and scalable Mail Transport Agent
sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
sendmail-cf - powerful, efficient, and scalable Mail Transport Agent
sendmail-doc - powerful, efficient, and scalable Mail Transport Agent
sensible-mda - Mail Delivery Agent wrapper
Closes: 564581
Changes:
sendmail (8.14.3-5+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2009-4565: incorrect verification of SSL certificate with NUL in
name (Closes: #564581)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkti608ACgkQNxpp46476aoVawCaAjusCeDYhbTGt38YaVpiZJLW
/okAnRFI02X2dkUkCs5euV7IVCU9D3Rj
=vjML
-----END PGP SIGNATURE-----
--- End Message ---