Your message dated Sat, 24 Dec 2011 19:56:18 +0000
with message-id <[email protected]>
and subject line Bug#648441: fixed in gnutls26 2.8.6-1+squeeze1
has caused the Debian Bug report #648441,
regarding CVE-2011-4128: GNUTLS-SA-2011-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
648441: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648441
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnutls26
Severity: important
Tags: security
Please see http://www.gnu.org/s/gnutls/security.html for details.
Fixes:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=7fc8fa6464d305440fddab423079c76a915decc3
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=588708465992e1d9fc09cf4e3a39caef878428d9
Given the following inline documentation I would assume that this
could be triggered by a malicious server providing a service over
TLS to crash the client, but not the other way 'round. Is that correct?
/**
 * gnutls_session_get_data - Returns all session parameters.
 * @session: is a #gnutls_session_t structure.
 * @session_data: is a pointer to space to hold the session.
 * @session_data_size: is the session_data's size, or it will be set by the function.
 *
 * Returns all session parameters, in order to support resuming. The
 * client should call this, and keep the returned session, if he
 * wants to resume that current version later by calling
 * gnutls_session_set_data(). This function must be called after a
 * successful handshake.
 *
 * Resuming sessions is really useful and speeds up connections after
 * a successful one.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
 * an error code is returned.
 **/
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: gnutls26
Source-Version: 2.8.6-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive:
gnutls-bin_2.8.6-1+squeeze1_i386.deb
to main/g/gnutls26/gnutls-bin_2.8.6-1+squeeze1_i386.deb
gnutls-doc_2.8.6-1+squeeze1_all.deb
to main/g/gnutls26/gnutls-doc_2.8.6-1+squeeze1_all.deb
gnutls26_2.8.6-1+squeeze1.debian.tar.gz
to main/g/gnutls26/gnutls26_2.8.6-1+squeeze1.debian.tar.gz
gnutls26_2.8.6-1+squeeze1.dsc
to main/g/gnutls26/gnutls26_2.8.6-1+squeeze1.dsc
guile-gnutls_2.8.6-1+squeeze1_i386.deb
to main/g/gnutls26/guile-gnutls_2.8.6-1+squeeze1_i386.deb
libgnutls-dev_2.8.6-1+squeeze1_i386.deb
to main/g/gnutls26/libgnutls-dev_2.8.6-1+squeeze1_i386.deb
libgnutls26-dbg_2.8.6-1+squeeze1_i386.deb
to main/g/gnutls26/libgnutls26-dbg_2.8.6-1+squeeze1_i386.deb
libgnutls26_2.8.6-1+squeeze1_i386.deb
to main/g/gnutls26/libgnutls26_2.8.6-1+squeeze1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls26 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 22 Dec 2011 18:07:26 +0100
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls-bin gnutls-doc
guile-gnutls
Architecture: source all i386
Version: 2.8.6-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Description:
gnutls-bin - the GNU TLS library - commandline utilities
gnutls-doc - the GNU TLS library - documentation and examples
guile-gnutls - the GNU TLS library - GNU Guile bindings
libgnutls-dev - the GNU TLS library - development files
libgnutls26 - the GNU TLS library - runtime library
libgnutls26-dbg - GNU TLS library - debugger symbols
Closes: 648441
Changes:
gnutls26 (2.8.6-1+squeeze1) stable; urgency=low
.
* Pull fixes for buffer overflow in gnutls_session_get_data() from upstream
git. (CVE-2011-4128: GNUTLS-SA-2011-2) Closes: #648441
20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff
--- End Message ---