Your message dated Fri, 23 Apr 2010 19:32:28 +0000
with message-id <e1o5oc0-0005cs...@ries.debian.org>
and subject line Bug#553432: fixed in openldap 2.4.21-1
has caused the Debian Bug report #553432,
regarding CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
553432: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553432
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openldap
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openldap.

CVE-2009-3767[0]:
| libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not
| properly handle a '\0' character in a domain name in the subject's
| Common Name (CN) field of an X.509 certificate, which allows
| man-in-the-middle attackers to spoof arbitrary SSL servers via a
| crafted certificate issued by a legitimate Certification Authority, a
| related issue to CVE-2009-2408.


Please coordinate with the security team (t...@security.debian.org) to
prepare packages for the stable and oldstable releases.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767
    http://security-tracker.debian.org/tracker/CVE-2009-3767
    Patch: http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.8&r2=1.11&f=h

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrsCe4ACgkQNxpp46476aqyOwCfYvjBZj45odwhQLQ7eeFCT9j4
YDcAnjvkFab1GOwO9tv/6iXVVqCW5D/g
=0E+p
-----END PGP SIGNATURE-----



--- End Message ---
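The CVE text in the report above hinges on one property of X.509 names: a Common Name is an ASN.1 string carrying its own explicit length, so it may legally contain a 0x00 byte, while C code that hands that buffer to strlen()/strcmp() only ever sees the bytes before the first NUL. The following added example (not OpenLDAP or Debian code, and independent of the linked tls_o.c patch) models both the defective comparison and the hardened one in Python. It uses a hand-rolled minimal DER string encoder/decoder; the tag values 0x13 (PrintableString) and 0x0C (UTF8String) are standard ASN.1 tags, and the sample CNs are constructed for the demonstration rather than taken from any real certificate.

```python
# Added example (not OpenLDAP code): modelling the CN check behind CVE-2009-3767.
# An X.509 CN is an ASN.1 string with an explicit length, so it may contain a
# 0x00 byte. C code that passes that buffer to strlen()/strcmp() only sees the
# bytes before the first NUL. The hardened check compares the ASN.1 length with
# the C-string length and rejects a mismatch, which is the shape of the fix.
# All DER fragments below are constructed samples, not real certificates.

ASN1_PRINTABLESTRING = 0x13  # standard ASN.1 tag
ASN1_UTF8STRING = 0x0C       # standard ASN.1 tag


def der_string(tag, value):
    """Encode a short (< 128 byte) ASN.1 string with its definite length."""
    if len(value) >= 128:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(value)]) + value


def der_decode_string(der):
    """Decode tag + short length + payload; return (tag, payload bytes)."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    tag, length = der[0], der[1]
    if length >= 128 or len(der) != 2 + length:
        raise ValueError("malformed or long-form DER string")
    if tag not in (ASN1_PRINTABLESTRING, ASN1_UTF8STRING):
        raise ValueError("unexpected string tag 0x%02x" % tag)
    return tag, der[2:]


def c_string_view(buf):
    """The bytes a NUL-terminated C API (strlen, strcmp) would see."""
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]


def cn_matches_unsafe(cn_der, hostname):
    """Vulnerable behaviour: compare only the C-string view of the CN."""
    _, cn = der_decode_string(cn_der)
    return c_string_view(cn).decode("utf-8", "replace").lower() == hostname.lower()


def cn_matches_safe(cn_der, hostname):
    """Hardened check: the ASN.1 length must equal the C-string length."""
    _, cn = der_decode_string(cn_der)
    if len(c_string_view(cn)) != len(cn):
        return False  # embedded NUL: reject the certificate outright
    return cn.decode("utf-8").lower() == hostname.lower()


# Constructed sample CNs (hypothetical names, not from any real certificate).
LEGIT_CN = der_string(ASN1_PRINTABLESTRING, b"ldap.example.org")
NUL_CN = der_string(ASN1_UTF8STRING, b"ldap.example.org\x00.example.net")


if __name__ == "__main__":
    host = "ldap.example.org"
    print("unsafe, legit CN:", cn_matches_unsafe(LEGIT_CN, host))  # True
    print("unsafe, NUL CN  :", cn_matches_unsafe(NUL_CN, host))    # True (the defect)
    print("safe,   legit CN:", cn_matches_safe(LEGIT_CN, host))    # True
    print("safe,   NUL CN  :", cn_matches_safe(NUL_CN, host))      # False
```

The defensive rule is the length comparison, not any string-content filtering: a CN whose declared length differs from what a C string function would measure is rejected before any name matching happens, so the certificate cannot be accepted for the name a CA would have printed in its subject. The same length-vs-strlen check applies to subjectAltName dNSName entries, which is why the CVE is described as related to CVE-2009-2408.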
--- Begin Message ---
Source: openldap
Source-Version: 2.4.21-1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.21-1_amd64.deb
  to main/o/openldap/ldap-utils_2.4.21-1_amd64.deb
libldap-2.4-2-dbg_2.4.21-1_amd64.deb
  to main/o/openldap/libldap-2.4-2-dbg_2.4.21-1_amd64.deb
libldap-2.4-2_2.4.21-1_amd64.deb
  to main/o/openldap/libldap-2.4-2_2.4.21-1_amd64.deb
libldap2-dev_2.4.21-1_amd64.deb
  to main/o/openldap/libldap2-dev_2.4.21-1_amd64.deb
openldap_2.4.21-1.diff.gz
  to main/o/openldap/openldap_2.4.21-1.diff.gz
openldap_2.4.21-1.dsc
  to main/o/openldap/openldap_2.4.21-1.dsc
openldap_2.4.21.orig.tar.gz
  to main/o/openldap/openldap_2.4.21.orig.tar.gz
slapd-dbg_2.4.21-1_amd64.deb
  to main/o/openldap/slapd-dbg_2.4.21-1_amd64.deb
slapd-smbk5pwd_2.4.21-1_amd64.deb
  to main/o/openldap/slapd-smbk5pwd_2.4.21-1_amd64.deb
slapd_2.4.21-1_amd64.deb
  to main/o/openldap/slapd_2.4.21-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 553...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthijs Mohlmann <matth...@cacholong.nl> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Apr 2010 23:40:30 +0200
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.21-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-de...@lists.alioth.debian.org>
Changed-By: Matthijs Mohlmann <matth...@cacholong.nl>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 226090 231950 385898 443073 452834 465024 490930 502769 504728 510346 518657 518660 528695 549291 549642 553432 561144 563113 564686 575900
Changes: 
 openldap (2.4.21-1) unstable; urgency=low
 .
   [ Steve Langasek ]
   * New upstream version
     (Closes: #561144, #465024, #502769, #528695, #564686, #504728)
   * Add upstream manpage for ldapexop; thanks to Peter Marschall
     <pe...@adpm.de>.  Closes: #549291.
 .
   [ Matthijs Mohlmann ]
   * Ack NMU (Closes: #553432)
   * Update Standards-Version to 3.8.4
   * Fix NEWS entry to have the correct version number
   * Improve the wording for the slapd/invalid_config question (Closes: #452834)
   * Make lintian a bit more happy (Closes: #518660)
   * Fix bashism (Closes: #518657)
   * Refresh all patches
   * Add patch from upstream (Closes: #549642)
   * Reworked the configure.options a bit to include some more options
   * Enable dynamic acls
   * Use slappasswd to create a secure password (Closes: #490930)
   * Set a rootdn and rootpw if no password is given by debconf (Closes: #231950)
   * Better document the TLSCipherSuite in slapd.conf manpage (Closes: #563113)
   * Better document the TLS_CIPHER_SUITE in ldap.conf manpage (Closes: #510346)
   * Add smbk5pwd slapd module, used patch from Mark Hymers (Closes: #443073)
   * Add autogroup slapd module, used patch from Mathieu Parent (Closes: #575900)
   * Add lsb logging, used patch from David Härdeman (Closes: #385898)
   * Use dh_lintian to install the lintian-overrides
   * Added critical error report when slapcat fails (Closes: #226090)
Checksums-Sha1: 
 cacc47d1d3e1f497a42c7f2d4a9737d0f3c5726a 1862 openldap_2.4.21-1.dsc
 8ae276ae3df3230106268ad8169a1b0a08bbc545 4714249 openldap_2.4.21.orig.tar.gz
 2f505cdc246e5aa7fe34679d10f2abb569ed6666 150990 openldap_2.4.21-1.diff.gz
 4a585e7d2711cf39670f04e93ade9b755a6a3976 1585160 slapd_2.4.21-1_amd64.deb
 7b2fa9975e01473ca792c60a1042b55d882d3ca2 56116 slapd-smbk5pwd_2.4.21-1_amd64.deb
 11d80f417d731b738ccfe27e8027745b5a653321 327632 ldap-utils_2.4.21-1_amd64.deb
 b965ff2c1fe23474e045affe31f10a01a765e00f 207368 libldap-2.4-2_2.4.21-1_amd64.deb
 bbfc56e1411084229b6367f3de3ae5d193a10a69 303498 libldap-2.4-2-dbg_2.4.21-1_amd64.deb
 88d32d11594c8167b77e47485da907c814b86b4d 908974 libldap2-dev_2.4.21-1_amd64.deb
 b91ed83b500c6b7f24382be1d0cff6e32c83c79e 3963684 slapd-dbg_2.4.21-1_amd64.deb
Checksums-Sha256: 
 56232c0a5f551b5074f16bd8368727e007866069896b1b90433d34a3fe440fd3 1862 openldap_2.4.21-1.dsc
 86f92f299cec257c6a721e4dd69a8f1c7257caae454c16e807f97a1c2caa029a 4714249 openldap_2.4.21.orig.tar.gz
 0523bfdb635d140124310b4efc4c50e3a0002ab289f93ee96636fbd8158a4a0d 150990 openldap_2.4.21-1.diff.gz
 e272f580471a851bcce5d54f01b131b6301fbc9276f92a288028cb3ad5f5ee43 1585160 slapd_2.4.21-1_amd64.deb
 f49d75ed42b117a7b5d107525bbc68bd58860ed5a50a7c8c403b18581c26fd12 56116 slapd-smbk5pwd_2.4.21-1_amd64.deb
 8e5dc0fd324389f7a1b51a31ce6b127563797ea9ac13342449e7403d37ea3845 327632 ldap-utils_2.4.21-1_amd64.deb
 1035872f19e03c1e8c23dc8469e9a62a621bd65e86361d6310f544573c2046e9 207368 libldap-2.4-2_2.4.21-1_amd64.deb
 97765ca48942b0b5ca82bd7caa09708358d6111bc3212f57ac7af3e728975257 303498 libldap-2.4-2-dbg_2.4.21-1_amd64.deb
 fb95448d1a4a6e5697c83d3e73c264034d39ee2c9e760188076227948677be9c 908974 libldap2-dev_2.4.21-1_amd64.deb
 7728a33af98bdca8de42849e97ce7fd2bcf63b9d21bd32b8befd537725ac760f 3963684 slapd-dbg_2.4.21-1_amd64.deb
Files: 
 2e2436bac8eac1eae8549191951e123f 1862 net optional openldap_2.4.21-1.dsc
 74320e5744d58116a618986be204b1bc 4714249 net optional openldap_2.4.21.orig.tar.gz
 eafb9eb02c83688ba5fb97c195f21846 150990 net optional openldap_2.4.21-1.diff.gz
 74856a387aceefac2d87d816ce2d8677 1585160 net optional slapd_2.4.21-1_amd64.deb
 5fde31a7da08b9351432139b7392a431 56116 net extra slapd-smbk5pwd_2.4.21-1_amd64.deb
 389285994f60a418a08c215de45e21d6 327632 net optional ldap-utils_2.4.21-1_amd64.deb
 e9b831f40bb3bcbb2f2fc258765926ad 207368 libs standard libldap-2.4-2_2.4.21-1_amd64.deb
 ca488f5aad11f1c090ed9d51a86ca421 303498 debug extra libldap-2.4-2-dbg_2.4.21-1_amd64.deb
 a66ff0d308a9202f00b6657669f3abc4 908974 libdevel extra libldap2-dev_2.4.21-1_amd64.deb
 42c8f8bbf7e0f839f1abe8c3c85b8e98 3963684 debug extra slapd-dbg_2.4.21-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkvR0A8ACgkQ2n1ROIkXqbD9mwCfVfQZsFs1fD1KT6TNATFYPt0Y
J2AAn3C9sNji1k3++RVWCFvIDxx6czgd
=TThi
-----END PGP SIGNATURE-----



--- End Message ---