Your message dated Sun, 28 Feb 2010 16:17:08 -0800
with message-id <[email protected]>
and subject line Re: [Pkg-openldap-devel] Bug#572005: Bug#572005: openldap: CVE-2009-2408 certificate spoofing via null characters
has caused the Debian Bug report #572005,
regarding openldap: CVE-2009-2408 certificate spoofing via null characters
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
572005: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572005
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openldap
Version: 2.4.17-2.1
Severity: important
Tags: security
Hi, the following CVE (Common Vulnerabilities & Exposures) id was
published for openldap.
CVE-2009-2408[0]:
| Mozilla Network Security Services (NSS) before 3.12.3, Firefox before
| 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do
| not properly handle a '\0' character in a domain name in the subject's
| Common Name (CN) field of an X.509 certificate, which allows
| man-in-the-middle attackers to spoof arbitrary SSL servers via a
| crafted certificate issued by a legitimate Certification
| Authority. NOTE: this was originally reported for Firefox before 3.5.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
I've checked that the patch [1] is not applied in the latest version in
unstable; however, there is a note that isn't very clear about whether
this is actually needed [2], but perhaps to err on the side of caution,
it should be applied regardless.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://security-tracker.debian.org/tracker/CVE-2009-2408
[1] http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h
[2] http://marc.info/?l=oss-security&m=125198917018936&w=2
--- End Message ---
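The defect class the quoted CVE text describes is a certificate-name check that hands an ASN.1 length-delimited Common Name to C-string routines, so everything after an embedded '\0' is silently dropped when the name is compared against the expected host. The following is an added illustration written for this page; it is not OpenLDAP's tls_m.c patch, not Debian code, and not tied to NSS or GnuTLS. The function names (cn_matches_host, cn_matches_host_as_cstring, demo) and the sample CN byte strings are constructed for the example.

```c
/* Added example (not OpenLDAP or Debian code): a hostname check that treats
 * the certificate CN as a length-delimited byte string, as an ASN.1 decoder
 * returns it, and refuses any CN containing an embedded NUL. This is the
 * defensive counterpart to the defect class in CVE-2009-2408. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if cn[0..cn_len) is an exact, case-insensitive match for host;
 * 0 otherwise. A CN with an embedded '\0' is rejected outright rather than
 * compared, since no valid DNS name contains a NUL byte. */
int cn_matches_host(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t host_len = strlen(host);

    /* The decoded length must cover no NUL byte; if it does, a C-string
     * consumer would see a shorter name than the CA actually certified. */
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;

    if (cn_len != host_len)
        return 0;

    for (size_t i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}

/* The unsafe pattern for comparison only: the CN is handed to C-string
 * logic, so the comparison stops at the first '\0' inside the CN. */
int cn_matches_host_as_cstring(const unsigned char *cn, const char *host)
{
    size_t i;
    for (i = 0; cn[i] != '\0' && host[i] != '\0'; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return cn[i] == '\0' && host[i] == '\0';
}

/* Constructed sample CNs (not taken from any real certificate). The second
 * one carries an embedded NUL followed by a different suffix; its declared
 * ASN.1 length (sizeof - 1) spans the whole byte string. */
const unsigned char CN_HONEST[] = "www.example.com";
const unsigned char CN_NUL[]    = "www.example.com\0.attacker.test";

/* Runs both checks against the constructed inputs; returns the number of
 * cases that behaved as expected (4 when everything is correct). */
int demo(void)
{
    int ok = 0;
    ok += cn_matches_host(CN_HONEST, sizeof CN_HONEST - 1, "www.example.com") == 1;
    ok += cn_matches_host(CN_NUL, sizeof CN_NUL - 1, "www.example.com") == 0;
    ok += cn_matches_host(CN_HONEST, sizeof CN_HONEST - 1, "www.example.org") == 0;
    /* The C-string variant wrongly accepts the NUL-bearing CN. */
    ok += cn_matches_host_as_cstring(CN_NUL, "www.example.com") == 1;
    return ok;
}

int main(void)
{
    printf("length-aware check rejects NUL CN: %s\n",
           cn_matches_host(CN_NUL, sizeof CN_NUL - 1, "www.example.com") ? "no" : "yes");
    printf("C-string check accepts NUL CN:     %s\n",
           cn_matches_host_as_cstring(CN_NUL, "www.example.com") ? "yes" : "no");
    printf("%d/4 cases behaved as expected\n", demo());
    return 0;
}
```

The point of the pairing is that the only difference between the two checks is whether the decoded length is carried through to the comparison; any verifier that drops it, whichever TLS library sits underneath, is exposed to the same truncation.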
--- Begin Message ---
On Sun, Feb 28, 2010 at 04:01:21PM -0800, Quanah Gibson-Mount wrote:
> >Package: openldap
> >Version: 2.4.17-2.1
> >Severity: important
> >Tags: security
> >Hi, the following CVE (Common Vulnerabilities & Exposures) id was
> >published for openldap.
> The Debian build links against GnuTLS, not MozNSS, so it isn't
> vulnerable to this issue.
Thought so, thanks for confirming. Closing the bug.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[email protected]                                   [email protected]
--- End Message ---