CVE-2008-2420: bypass intended access restrictions

Debian Bug report logs - #482644


Package: stunnel4; Maintainer for stunnel4 is Peter Pentchev <roam@debian.org>; Source for stunnel4 is src:stunnel4 (PTS, buildd, popcon).

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 24 May 2008 08:18:23 UTC

Severity: grave

Tags: patch, security

Fixed in versions stunnel4/3:4.22-1.1, stunnel4/3:4.22-2

Done: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>:
Bug#482644; Package stunnel4.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-2420: bypass intended access restrictions
Date: Sat, 24 May 2008 18:13:41 +1000
[Message part 1 (text/plain, inline)]
Package: stunnel4
Severity: important
Tags: security, patch

Hi

The following CVE(0) has been issued against stunnel.

CVE-2008-2420:

The OCSP functionality in stunnel before 4.24 does not properly search
certificate revocation lists (CRL), which allows remote attackers to
bypass intended access restrictions by using revoked certificates.


Please mention the CVE id, when you fix this issue. Extracted upstream
patch is attached.

Cheers
Steffen

(0): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2420
[security-check_certificate (text/x-c, attachment)]
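The CVE text quoted above says only that stunnel's OCSP code did not search the CRLs properly; neither the report nor the attached patch excerpt is reproduced here, so the precise defect is not on this page. The following is an added illustration (not stunnel's code, not the upstream patch, and not part of this bug report) of what a revocation lookup has to get right for a revoked certificate to be rejected: match CRLs by issuer, scan every current CRL for that issuer rather than stopping at the first, compare the serial number exactly, skip CRLs past their nextUpdate, and fail closed when no usable CRL remains. The `Crl`/`Cert` classes, the issuer names, the serial numbers and the timestamps are constructed sample data, not values from any real CA.

```python
"""Fail-closed CRL revocation lookup (illustrative model, stdlib only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"        # a current CRL from the issuer exists and omits this serial
    REVOKED = "revoked"  # the serial appears in a current CRL from the same issuer
    UNKNOWN = "unknown"  # no current CRL for this issuer: the caller must fail closed


@dataclass(frozen=True)
class Crl:
    """Minimal model of an X.509 CRL: issuing CA, nextUpdate, revoked serials."""
    issuer: str
    next_update: datetime
    revoked_serials: frozenset


@dataclass(frozen=True)
class Cert:
    """The two fields a revocation lookup keys on."""
    issuer: str
    serial: int


def check_revocation(cert, crls, now):
    """Revocation status of `cert` against every CRL in `crls`.

    A store may hold several CRLs for one issuer (an older copy next to a
    refreshed one), so the search covers all of them instead of stopping at
    the first issuer match. CRLs past nextUpdate carry no authority and are
    skipped; if nothing usable remains the answer is UNKNOWN, never GOOD.
    """
    usable = [c for c in crls
              if c.issuer == cert.issuer and c.next_update > now]
    if not usable:
        return Status.UNKNOWN
    if any(cert.serial in c.revoked_serials for c in usable):
        return Status.REVOKED
    return Status.GOOD


def allow_peer(cert, crls, now):
    """Access decision: only GOOD admits the peer; REVOKED and UNKNOWN both deny."""
    return check_revocation(cert, crls, now) is Status.GOOD


# Constructed sample data (hypothetical issuer names, serials and times).
NOW = datetime(2008, 5, 24, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=30)   # a time at which every sample CRL is stale
ISSUER = "CN=Sample Issuing CA"
CRLS = [
    # superseded CRL from ISSUER: past nextUpdate, so it must be ignored
    Crl(ISSUER, NOW - timedelta(days=1), frozenset({0x1001})),
    # current CRL from ISSUER: lists the old revocation and a newer one
    Crl(ISSUER, NOW + timedelta(days=7), frozenset({0x1001, 0x1002})),
    # current CRL from an unrelated CA; its serials say nothing about ISSUER's certs
    Crl("CN=Other CA", NOW + timedelta(days=7), frozenset({0x2000})),
]


if __name__ == "__main__":
    for cert in (Cert(ISSUER, 0x1002), Cert(ISSUER, 0x2000),
                 Cert("CN=Other CA", 0x2000), Cert("CN=Unknown CA", 0x3000)):
        print(cert, check_revocation(cert, CRLS, NOW).value,
              "allow" if allow_peer(cert, CRLS, NOW) else "deny")
    print("all CRLs stale:",
          check_revocation(Cert(ISSUER, 0x2000), CRLS, LATER).value)
```

The point of the three-valued result is that "not found in a CRL" and "no CRL to consult" are different answers: serial 0x2000 is listed only in the other CA's CRL, so a certificate with that serial from `ISSUER` is good, while a certificate from an issuer with no current CRL is unknown and is denied by `allow_peer` just as a revoked one is. Running the lookup at `LATER`, when every CRL is stale, also yields UNKNOWN rather than silently admitting the peer.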

Severity set to `grave' from `important'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 25 May 2008 17:03:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>:
Bug#482644; Package stunnel4.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>.


Message #12 received at 482644@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 482644@bugs.debian.org
Subject: nmu proposal for stunnel
Date: Tue, 27 May 2008 00:31:23 +1000
[Message part 1 (text/plain, inline)]
Hi

Attached you'll find a proposed NMU patch including the upstream bug.

Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>:
Bug#482644; Package stunnel4.


Acknowledgement sent to rgallardo@google.com (Rodrigo Gallardo):
Extra info received and forwarded to list. Copy sent to Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>.


Message #17 received at 482644@bugs.debian.org:

From: rgallardo@google.com (Rodrigo Gallardo)
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 482644@bugs.debian.org
Subject: Re: Bug#482644: nmu proposal for stunnel
Date: Tue, 27 May 2008 09:22:14 -0700
Looks OK, please go ahead with the NMU.

On Tue, May 27, 2008 at 12:31:23AM +1000, Steffen Joeris wrote:
> Hi
> 
> Attached you'll find a proposed NMU patch including the upstream bug.

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #22 received at 482644-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 482644-close@bugs.debian.org
Subject: Bug#482644: fixed in stunnel4 3:4.22-1.1
Date: Tue, 27 May 2008 16:47:06 +0000
Source: stunnel4
Source-Version: 3:4.22-1.1

We believe that the bug you reported is fixed in the latest version of
stunnel4, which is due to be installed in the Debian FTP archive:

stunnel4_4.22-1.1.diff.gz
  to pool/main/s/stunnel4/stunnel4_4.22-1.1.diff.gz
stunnel4_4.22-1.1.dsc
  to pool/main/s/stunnel4/stunnel4_4.22-1.1.dsc
stunnel4_4.22-1.1_i386.deb
  to pool/main/s/stunnel4/stunnel4_4.22-1.1_i386.deb
stunnel_4.22-1.1_all.deb
  to pool/main/s/stunnel4/stunnel_4.22-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 482644@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated stunnel4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 27 May 2008 18:28:56 +0200
Source: stunnel4
Binary: stunnel4 stunnel
Architecture: source all i386
Version: 3:4.22-1.1
Distribution: unstable
Urgency: high
Maintainer: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 stunnel    - dummy upgrade package
 stunnel4   - Universal SSL tunnel for network daemons
Closes: 482644
Changes: 
 stunnel4 (3:4.22-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix security bug in the OCSP functionality that allowed revoked
     certificates to authenticate (Closes: #482644)
     Fixes: CVE-2008-2420
Checksums-Sha1: 
 be663293860389bb27e43bf3d846c8afcf247e10 1205 stunnel4_4.22-1.1.dsc
 6a2f378bc3e8356a89b40579d83ed0df8bc5cd4e 30952 stunnel4_4.22-1.1.diff.gz
 f9b3271905c413176406fef8d30ff111b8b9cc02 10166 stunnel_4.22-1.1_all.deb
 e3cae30f9702ec979abea63e19ef2782c03a2ebc 147182 stunnel4_4.22-1.1_i386.deb
Checksums-Sha256: 
 da01005dfbb530d1581dd270caf02405da586f87f016ecefdc957da3c22ecdd7 1205 stunnel4_4.22-1.1.dsc
 ad0640f8392406fd59856ca5ae0881963026f67409505dd472a67c9ee8d03000 30952 stunnel4_4.22-1.1.diff.gz
 616d7c80d6269bbfe5530a20ff5214c8df9e92a054f39cfd9e8f815caa77e5d1 10166 stunnel_4.22-1.1_all.deb
 a0e0043628570b6c2d974cfabbb246a4a86db861e0eb42d49d098e61af2fffe6 147182 stunnel4_4.22-1.1_i386.deb
Files: 
 bcfd6e6c2b04262055fed355b3653be0 1205 net optional stunnel4_4.22-1.1.dsc
 6c0b1dc48612b08606cef98c39d4d368 30952 net optional stunnel4_4.22-1.1.diff.gz
 9d3162fdeb77a7d4b62fddefc62cdf9f 10166 net optional stunnel_4.22-1.1_all.deb
 0f90b5f2ba27b4c7481c25ec2520ba1d 147182 net optional stunnel4_4.22-1.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIPDiC62zWxYk/rQcRAjkQAJ92kVThmy+648ClQm7UbH1iJcmClgCgkagp
lpReEuKnXvyLKyzq+aN5d+k=
=QOqe
-----END PGP SIGNATURE-----

Reply sent to Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>:
You have taken responsibility. (Tue, 18 Nov 2008 13:57:10 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Tue, 18 Nov 2008 13:57:11 GMT)


Message #27 received at 482644-close@bugs.debian.org:

From: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
To: 482644-close@bugs.debian.org
Subject: Bug#482644: fixed in stunnel4 3:4.22-2
Date: Tue, 18 Nov 2008 13:47:03 +0000
Source: stunnel4
Source-Version: 3:4.22-2

We believe that the bug you reported is fixed in the latest version of
stunnel4, which is due to be installed in the Debian FTP archive:

stunnel4_4.22-2.diff.gz
  to pool/main/s/stunnel4/stunnel4_4.22-2.diff.gz
stunnel4_4.22-2.dsc
  to pool/main/s/stunnel4/stunnel4_4.22-2.dsc
stunnel4_4.22-2_amd64.deb
  to pool/main/s/stunnel4/stunnel4_4.22-2_amd64.deb
stunnel_4.22-2_all.deb
  to pool/main/s/stunnel4/stunnel_4.22-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 482644@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> (supplier of updated stunnel4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 18 Nov 2008 13:52:42 +0100
Source: stunnel4
Binary: stunnel4 stunnel
Architecture: source all amd64
Version: 3:4.22-2
Distribution: unstable
Urgency: high
Maintainer: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Changed-By: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Description: 
 stunnel    - dummy upgrade package
 stunnel4   - Universal SSL tunnel for network daemons
Closes: 482644 506091
Changes: 
 stunnel4 (3:4.22-2) unstable; urgency=low
 .
   * Check if a daemon is already running before trying to start it with the
     same configuration file. Thanks Peter Palfrader <weasel@debian.org> for
     the report (Closes: #506091).
 .
 stunnel4 (3:4.22-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix security bug in the OCSP functionality that allowed revoked
     certificates to authenticate (Closes: #482644)
     Fixes: CVE-2008-2420
Checksums-Sha1: 
 0ab82cccb89b8ea64debd6307e7427a8838c3a91 1205 stunnel4_4.22-2.dsc
 77a17468f5ec0c67571fdfafe394b5c72eba2628 31228 stunnel4_4.22-2.diff.gz
 e81227472a550dc54e032d52a3c356e45a046721 10230 stunnel_4.22-2_all.deb
 dd3c85881c3934985b80c9e2da6da1ca5b30427a 148464 stunnel4_4.22-2_amd64.deb
Checksums-Sha256: 
 45aafe7ab487cc26daa5a52ed19a4cd17aee26fa09af952f85ddb9218735b174 1205 stunnel4_4.22-2.dsc
 f0238f468687e656d81ec8eda7f4611ccc53e9c09a2c076c03fa36cd44668d48 31228 stunnel4_4.22-2.diff.gz
 4271e67aa9202ccec77fd001ba6ca7783b2410f4f743de7f9ab5f671cb20ee9f 10230 stunnel_4.22-2_all.deb
 a575483477e8cab5929296a3c2587cd5261834acbb0ecb5d6756f757f774e2b9 148464 stunnel4_4.22-2_amd64.deb
Files: 
 44cd76525213387421ddff3d220b391a 1205 net optional stunnel4_4.22-2.dsc
 5afb4172e1257b48ba89ecf6590ac83c 31228 net optional stunnel4_4.22-2.diff.gz
 50541dfca16d50acb66f67aa10153c57 10230 net optional stunnel_4.22-2_all.deb
 316316c27b8b3dc1154a81901db9aa8a 148464 net optional stunnel4_4.22-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkixIAACgkQAZmDGK3JvCirTQCfRr6jXavw2xZyTOYsJ+YTnJcU
ugoAmwR8UufltwIFAtptHyn76k6CGtra
=20f9
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:10:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:43:10 2019; Machine Name: beach
