Your message dated Mon, 23 Apr 2012 09:15:34 +0200
with message-id <[email protected]>
and subject line Re: [Pkg-openssl-devel] Bug#670121: OpenSSL ASN1 BIO
vulnerability (CVE-2012-2110)
has caused the Debian Bug report #670121,
regarding OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
670121: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670121
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libssl0.9.8
Version: 0.9.8o-4squeeze7
OpenSSL Security Advisory [19 Apr 2012]
=======================================
ASN1 BIO vulnerability (CVE-2012-2110)
=======================================
A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2i_read_bio.
Any application which uses BIO or FILE based functions to read untrusted DER
format data is vulnerable. Affected functions are of the form d2i_*_bio or
d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.
Applications using the memory based ASN1 functions (d2i_X509, d2i_PKCS12 etc)
are not affected. In particular the SSL/TLS code of OpenSSL is *not* affected.
Applications only using the PEM routines are not affected.
S/MIME or CMS applications using the built in MIME parser SMIME_read_PKCS7 or
SMIME_read_CMS *are* affected.
The OpenSSL command line utility is also affected if used to process untrusted
data in DER format.
Note: although an application using the SSL/TLS portions of OpenSSL is not
automatically affected it might still call a function such as d2i_X509_bio on
untrusted data and be vulnerable.
Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and
to Adam Langley <[email protected]> for fixing it.
Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v.
References
==========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120419.txt
Aki Tuomi
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Version: 0.9.8o-4squeeze11
On Thu, Apr 19, 2012 at 09:40:07PM +0300, Aki Tuomi wrote:
> Package: libssl0.9.8
> Version: 0.9.8o-4squeeze7
>
> ASN1 BIO vulnerability (CVE-2012-2110)
This has already been fixed.
Kurt
--- End Message ---
