Your message dated Thu, 18 Nov 2010 01:58:37 +0000
with message-id <e1pitll-00087y...@franck.debian.org>
and subject line Bug#553432: fixed in openldap 2.4.11-1+lenny1
has caused the Debian Bug report #553432,
regarding CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
553432: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553432
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openldap
Severity: grave
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openldap.
CVE-2009-3767[0]:
| libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not
| properly handle a '\0' character in a domain name in the subject's
| Common Name (CN) field of an X.509 certificate, which allows
| man-in-the-middle attackers to spoof arbitrary SSL servers via a
| crafted certificate issued by a legitimate Certification Authority, a
| related issue to CVE-2009-2408.
Please coordinate with the security team (t...@security.debian.org) to
prepare packages for the stable and oldstable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767
http://security-tracker.debian.org/tracker/CVE-2009-3767
Patch:
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.8&r2=1.11&f=h
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrsCe4ACgkQNxpp46476aqyOwCfYvjBZj45odwhQLQ7eeFCT9j4
YDcAnjvkFab1GOwO9tv/6iXVVqCW5D/g
=0E+p
-----END PGP SIGNATURE-----
--- End Message ---
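The CVE text above describes the defect in general terms: the subject CN in a certificate is an ASN.1 string with an explicit length, so an embedded '\0' byte is representable there, but a C string comparison stops at the first NUL and so sees only the prefix. The following is an added example, not OpenLDAP's code and not the patch linked in the report: it puts the naive C-string comparison next to a length-aware check of the kind that closes this class of bug. The struct, function names and the test vectors (using reserved `.example` names) are constructed for illustration.

```c
/* Added example (not OpenLDAP code): naive versus length-aware matching of an
 * X.509 subject CN against the expected host name, illustrating the defect
 * class described by CVE-2009-3767. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* A CN value as an ASN.1 parser hands it over: raw bytes plus explicit length.
 * (Hypothetical type; OpenSSL's real type would be ASN1_STRING.) */
struct cn_value {
    const unsigned char *data;
    size_t len;
};

/* Naive check: treats the CN as a NUL-terminated C string, so the comparison
 * silently stops at an embedded '\0'. Returns 1 on match, 0 otherwise. */
int cn_matches_naive(const struct cn_value *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened check: a DNS name can never legitimately contain a NUL byte, so
 * any CN whose encoded bytes include one is rejected outright; after that the
 * comparison covers the full encoded length, not just up to the first NUL.
 * Returns 1 on match, 0 otherwise. */
int cn_matches_strict(const struct cn_value *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                       /* embedded NUL: reject */
    if (strlen(host) != cn->len)
        return 0;                       /* lengths must agree exactly */
    return strncasecmp((const char *)cn->data, host, cn->len) == 0;
}

/* Constructed test vectors. The "crafted" CN is 26 bytes long and carries an
 * embedded NUL after "good.example"; the "honest" CN is the plain name. */
static const unsigned char kCraftedCN[] = "good.example\0" "other.example";
static const struct cn_value CRAFTED = { kCraftedCN, sizeof(kCraftedCN) - 1 };

static const unsigned char kHonestCN[] = "good.example";
static const struct cn_value HONEST = { kHonestCN, sizeof(kHonestCN) - 1 };

int main(void)
{
    const char *host = "good.example";
    printf("crafted CN (len %zu): naive=%d strict=%d\n", CRAFTED.len,
           cn_matches_naive(&CRAFTED, host), cn_matches_strict(&CRAFTED, host));
    printf("honest  CN (len %zu): naive=%d strict=%d\n", HONEST.len,
           cn_matches_naive(&HONEST, host), cn_matches_strict(&HONEST, host));
    return 0;
}
```

The naive check accepts the crafted CN for `good.example` because it never looks past the NUL; the strict check rejects it and still accepts the honest CN, including a case-insensitive match. The same two conditions (no NUL byte in the encoded value, and the encoded length equal to the expected name's length) are what a reviewer should look for in any hostname-verification routine that takes its input from an ASN.1 string.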
--- Begin Message ---
Source: openldap
Source-Version: 2.4.11-1+lenny1
We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:
ldap-utils_2.4.11-1+lenny1_i386.deb
to main/o/openldap/ldap-utils_2.4.11-1+lenny1_i386.deb
libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
to main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
libldap-2.4-2_2.4.11-1+lenny1_i386.deb
to main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_i386.deb
libldap2-dev_2.4.11-1+lenny1_i386.deb
to main/o/openldap/libldap2-dev_2.4.11-1+lenny1_i386.deb
openldap_2.4.11-1+lenny1.diff.gz
to main/o/openldap/openldap_2.4.11-1+lenny1.diff.gz
openldap_2.4.11-1+lenny1.dsc
to main/o/openldap/openldap_2.4.11-1+lenny1.dsc
slapd-dbg_2.4.11-1+lenny1_i386.deb
to main/o/openldap/slapd-dbg_2.4.11-1+lenny1_i386.deb
slapd_2.4.11-1+lenny1_i386.deb
to main/o/openldap/slapd_2.4.11-1+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 553...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated openldap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 16 Nov 2009 17:37:17 +0100
Source: openldap
Binary: slapd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source i386
Version: 2.4.11-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-de...@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
ldap-utils - OpenLDAP utilities
libldap-2.4-2 - OpenLDAP libraries
libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
libldap2-dev - OpenLDAP development libraries
slapd - OpenLDAP server (slapd)
slapd-dbg - Debugging information for the OpenLDAP server (slapd)
Closes: 553432
Changes:
openldap (2.4.11-1+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2009-3767: libraries/libldap/tls_o.c doesn't properly handle NULL
character in subject Common Name (Closes: #553432)
Checksums-Sha1:
a19367278d150c9638d15ca38debea28422d36be 1831 openldap_2.4.11-1+lenny1.dsc
bad27f34061482ba559609fadfad28976c4ca3ba 4193523 openldap_2.4.11.orig.tar.gz
5a18ad3994400eb9073b571794e8ef18bafc373d 148075 openldap_2.4.11-1+lenny1.diff.gz
da911938cf9194b47f0927804c57c792a8742cec 1404266 slapd_2.4.11-1+lenny1_i386.deb
8ba3ee67202970a7d9acbd78b3e056f3561efc7c 244952 ldap-utils_2.4.11-1+lenny1_i386.deb
d1ca32ce203911b7cf1fd61b6e8875261ff49531 189442 libldap-2.4-2_2.4.11-1+lenny1_i386.deb
2b0f5be4bfc4423253b8d75b57cd9a0ab40acf9e 286808 libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
d3ff60f034d00cbe058f6438d08c31033c49fbad 892068 libldap2-dev_2.4.11-1+lenny1_i386.deb
abb4d38acac751ab54c7862e19c49a8ba7bca72e 3560322 slapd-dbg_2.4.11-1+lenny1_i386.deb
Checksums-Sha256:
ca7f1123040576e3ffce1179f358182978c5802e0b7f0c3f5b89da8999df2066 1831 openldap_2.4.11-1+lenny1.dsc
8d5645e05f63555fd9dd4ec2a01ea9a3d7c4ac1e6b2e52d3b151ca9877eacd18 4193523 openldap_2.4.11.orig.tar.gz
7cb6a4ae6d81aa8ba5e98edb485ae5546a66c0182bd0218c6785772ec6571201 148075 openldap_2.4.11-1+lenny1.diff.gz
20aebfd73d02d3cf81ca9bfb964978cb79fd9fd5d0efb541e8e088073aaa9007 1404266 slapd_2.4.11-1+lenny1_i386.deb
80078c43a99feeacc6c758780f485a516d94bf1e3422caa29191947c436f86cc 244952 ldap-utils_2.4.11-1+lenny1_i386.deb
c7a6413f77b28b9eb702f5d13debb069b4fbda19a53ad6f0e7ca09927cdef5cf 189442 libldap-2.4-2_2.4.11-1+lenny1_i386.deb
edc5a82e9621219eb66e3ab8c6b7e7f2b07257246e15bdb963769affaee3a856 286808 libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
34009e2cbf50789e8910f0d0263ec6be037a5ed2c371ee1d489c353a626d5151 892068 libldap2-dev_2.4.11-1+lenny1_i386.deb
9c91b0c2bad3fb0b6f638f454ce158f0e9fb30028c84ba0fb10f970960b7ddc0 3560322 slapd-dbg_2.4.11-1+lenny1_i386.deb
Files:
ca4cb86b4847a59f95275ff2f4d0e173 1831 net optional openldap_2.4.11-1+lenny1.dsc
d4e8669e2c9b8d981e371e97e3cf92d9 4193523 net optional openldap_2.4.11.orig.tar.gz
024b717169f42734ee5650ebe2978631 148075 net optional openldap_2.4.11-1+lenny1.diff.gz
a3bffb93ec3b0d0d130a6a7e29091a9b 1404266 net optional slapd_2.4.11-1+lenny1_i386.deb
5a5b31ebb9098059e62eb57d209a6846 244952 net optional ldap-utils_2.4.11-1+lenny1_i386.deb
879dac84b581979646c49bde9743c630 189442 libs optional libldap-2.4-2_2.4.11-1+lenny1_i386.deb
2dcb4f8e5514d9e4d9072b4853da322d 286808 libdevel extra libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
449ba5d6037617e4e93dfd6bcb093549 892068 libdevel extra libldap2-dev_2.4.11-1+lenny1_i386.deb
c6a6fbc66944bd05585c1065ab012c93 3560322 net extra slapd-dbg_2.4.11-1+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAksOVnEACgkQNxpp46476arvjwCfbyyzwx+dNopAmNC6RQ2jhpjk
rvwAniRAFnwpaSG5qWJjl6Yzn/mDRnOG
=GPrp
-----END PGP SIGNATURE-----
--- End Message ---