Your message dated Sun, 12 Aug 2012 12:54:20 +0200
with message-id <[email protected]>
and subject line Re: [Pkg-openssl-devel] Bug#684527: Bug#684527: openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value
has caused the Debian Bug report #684527,
regarding openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
684527: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684527
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 0.9.8o-4squeeze13
Severity: grave
Tags: security
Justification: user security hole
openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].
As far as I can see the problem is gone in 1.0.1c - but I leave this bug
open for unstable/testing so that it can be double-checked by someone more
versed in openssl.
[1] http://security-tracker.debian.org/tracker/CVE-2011-5095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5095
[2] http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-5095.html
[3] http://cvs.openssl.org/chngview?cn=14375
cu
AW
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.23 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.13-33
ii libssl1.0.0 1.0.1c-3
ii zlib1g 1:1.2.7.dfsg-13
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20120623
-- no debconf information
--- End Message ---
--- Begin Message ---
On Fri, Aug 10, 2012 at 10:24:54PM +0200, Kurt Roeckx wrote:
> On Fri, Aug 10, 2012 at 09:12:14PM +0200, Arne Wichmann wrote:
> > Package: openssl
> > Version: 0.9.8o-4squeeze13
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
> > CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
> > seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
> > crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].
>
> This doesn't make any sense at all. This is a bug fixed in 0.9.8a
> in 2005.
>
> It only seems to be relevant for the fips version, which we never
> had. Unless someone can tell me why you think this affects
> anything in Debian, I'm just going to close it.
So closing it.
Kurt
--- End Message ---