Bug#732754: marked as done (openssl: CVE-2013-6449: crash when using TLS 1.2)

Your message dated Mon, 06 Jan 2014 22:47:45 +
with message-id <e1w0ixv-0002by...@franck.debian.org>
and subject line Bug#732754: fixed in openssl 1.0.1e-2+deb7u1
has caused the Debian Bug report #732754,
regarding openssl: CVE-2013-6449: crash when using TLS 1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
732754: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732754
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: openssl
Version: 1.0.1e-2
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for openssl.

CVE-2013-6449[0]:
crash when using TLS 1.2

It was reported in Apache Traffic Server[1] and upstream at [2], see
also [3]. I was not able to reproduce any crash myself, just checking
against the openssl source package to verify upstream patches apply.
See [4] and [5] for the patches applied.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449
    http://security-tracker.debian.org/tracker/CVE-2013-6449
[1] https://issues.apache.org/jira/browse/TS-2355
[2] http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1045363
[4] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ca98926
[5] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0294b2b

Regards,
Salvatore
---End Message---
---BeginMessage---
Source: openssl
Source-Version: 1.0.1e-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 732...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 23 Dec 2013 17:47:19 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1e-2+deb7u1
Distribution: stable-security
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description: 
 libcrypto1.0.0-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl-doc - SSL development documentation documentation
 libssl1.0.0 - SSL shared libraries
 libssl1.0.0-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 732710 732754
Changes: 
 openssl (1.0.1e-2+deb7u1) stable-security; urgency=medium
 .
   * Fix CVE-2013-6449 (Closes: #732754)
   * Fix CVE-2013-6450
   * disable rdrand by default.  It was used as only source of entropy when
     available.  (Closes: #732710)
   * Disable Dual EC DRBG.
Checksums-Sha1: 
 df07fffd312e26f10a9d937aea135f94abae2d1b 2228 openssl_1.0.1e-2+deb7u1.dsc
 3f1b1223c9e8189bfe4e186d86449775bd903460 4459777 openssl_1.0.1e.orig.tar.gz
 99bd93a87a9c55fa19385c02a0cfa4d2e3610f90 95169 openssl_1.0.1e-2+deb7u1.debian.tar.gz
 66bf040c8ac7be5d4f2f9942249400a4ab1e69bc 1197168 libssl-doc_1.0.1e-2+deb7u1_all.deb
 a9ce52aaf530bbcea63936fa1b597d6bb1482ad3 699348 openssl_1.0.1e-2+deb7u1_amd64.deb
 40451425e3ff2d71872e601283181360cb3d49bf 1224380 libssl1.0.0_1.0.1e-2+deb7u1_amd64.deb
 b424473f0171644e10ca4e852b4938552661a4e5 604560 libcrypto1.0.0-udeb_1.0.1e-2+deb7u1_amd64.udeb
 b15315f13cb1ca52d36cfe8ca63b780434587adf 1706732 libssl-dev_1.0.1e-2+deb7u1_amd64.deb
 ec35f89f4db0b37b03545c49825336fa2ac9e867 3016388 libssl1.0.0-dbg_1.0.1e-2+deb7u1_amd64.deb
Checksums-Sha256: 
 2118c53bc0172a06b09af316faba4851905eaeb8bddfcf0c5946742810a23814 2228 openssl_1.0.1e-2+deb7u1.dsc
 f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 4459777 openssl_1.0.1e.orig.tar.gz
 d67d7b56c95c683f56a9eebeb87324442adae69175fe6f7f4664ddf06ece3f53 95169 openssl_1.0.1e-2+deb7u1.debian.tar.gz
Bug#732754: marked as done (openssl: CVE-2013-6449: crash when using TLS 1.2)

Your message dated Sun, 22 Dec 2013 19:49:00 +
with message-id <e1vup1i-0007pz...@franck.debian.org>
and subject line Bug#732754: fixed in openssl 1.0.1e-5
has caused the Debian Bug report #732754,
regarding openssl: CVE-2013-6449: crash when using TLS 1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
732754: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732754
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: openssl
Version: 1.0.1e-2
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for openssl.

CVE-2013-6449[0]:
crash when using TLS 1.2

It was reported in Apache Traffic Server[1] and upstream at [2], see
also [3]. I was not able to reproduce any crash myself, just checking
against the openssl source package to verify upstream patches apply.
See [4] and [5] for the patches applied.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449
    http://security-tracker.debian.org/tracker/CVE-2013-6449
[1] https://issues.apache.org/jira/browse/TS-2355
[2] http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1045363
[4] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ca98926
[5] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0294b2b

Regards,
Salvatore
---End Message---
---BeginMessage---
Source: openssl
Source-Version: 1.0.1e-5

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 732...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 22 Dec 2013 19:25:35 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1e-5
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description: 
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Closes: 694738 728055 732348 732710 732754
Changes: 
 openssl (1.0.1e-5) unstable; urgency=low
 .
   * Change default digest to SHA256 instead of SHA1.  (Closes: #694738)
   * Drop support for multiple certificates in 1 file.  It never worked
     properly in the first place, and the only one shipping in
     ca-certificates has been split.
   * Fix libdoc-manpgs-pod-spell.patch to only fix spalling errors
   * Remove make-targets.patch.  It prevented the test dir from being cleaned.
   * Update to a git snapshot of the OpenSSL_1_0_1-stable branch.
     - Fixes CVE-2013-6449 (Closes: #732754)
     - Fixes CVE-2013-6450
     - Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch
       dtls_version.patch get_certificate.patch, since they were all already
       committed upstream.
     - adjust fix-pod-errors.patch for the reordering of items in the
       documentation they've done trying to fix those pod errors.
     - disable rdrand engine by default (Closes: #732710)
   * disable zlib support.  Fixes CVE-2012-4929 (Closes: #728055)
   * Add arm64 support (Closes: #732348)
   * Properly use the default number of bits in req when none are given
Checksums-Sha1: 
 1015bdeffc5f854fb184d573f94833a7eb4be187 2197 openssl_1.0.1e-5.dsc
 94694a8c6f571524b4340a5a187027fbe569bc0d 196978 openssl_1.0.1e-5.debian.tar.gz
 17bf4ad750294ef277103f25a9eccd9801e51721 1132258 libssl-doc_1.0.1e-5_all.deb
 c4b4b82514fa989834ddfd26693c3a360845a672