cyassl: CVE-2014-2901 CVE-2014-2902 CVE-2014-2903 CVE-2014-2904 CVE-2014-6491 CVE-2014-6494 CVE-2014-6495 CVE-2014-6496 CVE-2014-6500

Debian Bug report logs - #770229


Package: src:cyassl; Maintainer for src:cyassl is (unknown);

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 19 Nov 2014 22:21:01 UTC

Severity: grave

Tags: security

Found in version cyassl/2.9.4+dfsg-3

Fixed in version 2.9.4+dfsg-3+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Felix Lechner <felix.lechner@gmail.com>:
Bug#770229; Package src:cyassl. (Wed, 19 Nov 2014 22:21:05 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Felix Lechner <felix.lechner@gmail.com>. (Wed, 19 Nov 2014 22:21:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-2901 CVE-2014-2902 CVE-2014-2903 CVE-2014-2904
Date: Wed, 19 Nov 2014 23:17:43 +0100
Source: cyassl
Severity: grave
Tags: security

Please see https://marc.info/?l=oss-security&m=139779940032403&w=2

On a related note:
I noticed that mysql/mariadb hasn't switched to using cyassl. Without
any rev deps we should rather avoid including it in jessie IMO and
base on cyassl for jessie+1.

Cheers,
        Moritz

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Information forwarded to debian-bugs-dist@lists.debian.org, Felix Lechner <felix.lechner@gmail.com>:
Bug#770229; Package src:cyassl. (Tue, 20 Jan 2015 16:33:09 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Felix Lechner <felix.lechner@gmail.com>. (Tue, 20 Jan 2015 16:33:09 GMT).


Message #10 received at 770229@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 770229@bugs.debian.org
Subject: Re: CVE-2014-2901 CVE-2014-2902 CVE-2014-2903 CVE-2014-2904
Date: Tue, 20 Jan 2015 17:26:33 +0100
On Wed, Nov 19, 2014 at 11:17:43PM +0100, Moritz Muehlenhoff wrote:
> Source: cyassl
> Severity: grave
> Tags: security
> 
> Please see https://marc.info/?l=oss-security&m=139779940032403&w=2

In addition there are five issues fixed in the local copy in MySQL.
Please check with upstream, in which cyassl version they are fixed:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6495
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500

Cheers,
       Moritz



Reply sent to Felix Lechner <felix.lechner@gmail.com>:
You have taken responsibility. (Thu, 16 Jul 2015 11:03:34 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 16 Jul 2015 11:03:34 GMT).


Message #15 received at 770229-close@bugs.debian.org:

From: Felix Lechner <felix.lechner@gmail.com>
To: 770229-close@bugs.debian.org
Subject: Bug#770229: fixed in wolfssl 3.4.8+dfsg-1
Date: Thu, 16 Jul 2015 11:00:22 +0000
Source: wolfssl
Source-Version: 3.4.8+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770229@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Lechner <felix.lechner@gmail.com> (supplier of updated wolfssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 26 Apr 2015 08:23:52 -0700
Source: wolfssl
Binary: libcyassl5 libwolfssl0 libwolfssl-dev libwolfssl0-dbg
Architecture: source amd64
Version: 3.4.8+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Felix Lechner <felix.lechner@gmail.com>
Changed-By: Felix Lechner <felix.lechner@gmail.com>
Description:
 libcyassl5 - transitional dummy package with compatibility links
 libwolfssl-dev - Development files for the WolfSSL encryption library
 libwolfssl0 - WolfSSL encryption library
 libwolfssl0-dbg - Debug symbols for the WolfSSL encryption library
Closes: 769905 770229
Changes:
 wolfssl (3.4.8+dfsg-1) unstable; urgency=medium
 .
   * Name of package changed from 'cyassl' to 'wolfssl'
   * New upstream release
   * Disabled automatic downgrade to SSLv3 in release 3.2.0 (Closes: #769905)
   * Fixed CVE-2014-2901, CVE-2014-2902, CVE-2014-2903 and CVE-2014-2904
       in release 3.2.0 (Closes: #770229)
   * Fixed TEMP-0000000-2D36D7 in release 3.2.0
   * Added build option '--enable-chacha'
   * Added build option '--enable-poly1305'
   * Added build option '--enable-hashdrbg'
   * Added build option '--use-fastmath'
   * Added build option '--enable-ecc25519'
   * Added build flag TFM_TIMING_RESISTANT
   * Added build flag TFM_NO_ASM
   * Added Build-Depends: libpcap0.8-dev for sniffer testing
   * Removed obsolete build option '--enable-gcc-hardening'
   * Removed LT_LIB_M in configure.ac to avoid linking uselessly with libm
   * Enabled tests
   * Added Exclude-Files: in 'copyright' for automatic repackaging
   * Added repacksuffix=+dfsg in 'watch'
   * Updated to Standards-Version: 3.9.6
   * Added dummy package for 'libcyassl5'
   * Replaces: libcyassl5 (<< 3.4.2-1~)
   * Breaks: libcyassl5 (<< 3.4.2-1~)
   * Provides: libcyassl5
   * Created compatibility symlinks for libcyassl.so.5.0.0
Checksums-Sha1:
 9e0f3d2d4256a143406c54b6b7a14454879fb98d 1646 wolfssl_3.4.8+dfsg-1.dsc
 8f00d26ca0355f21d2490776ea71b797332b4f1a 954905 wolfssl_3.4.8+dfsg.orig.tar.gz
 dce7e7021dfccf739f4bf05cfda26effed3294a1 9944 wolfssl_3.4.8+dfsg-1.debian.tar.xz
 c89b87fb49ce12251053cda7004189a7fbec48c7 3726 libcyassl5_3.4.8+dfsg-1_amd64.deb
 b3a185fb45dac0cb1c2666be7845217ce42b8e9c 951792 libwolfssl-dev_3.4.8+dfsg-1_amd64.deb
 f56210bc559dc2bba2cf6c663ee2e56110af1488 655158 libwolfssl0-dbg_3.4.8+dfsg-1_amd64.deb
 43fccdc810a9f2cb72d032498118e2da40909f4b 216062 libwolfssl0_3.4.8+dfsg-1_amd64.deb
Checksums-Sha256:
 7ce5b446167a2171f940a7d94b6c96fb876d11b7d6d5995c3bebf2f20b553b76 1646 wolfssl_3.4.8+dfsg-1.dsc
 a9bc053a44e7ac93e783ee41ce7d63b26c9e4783c71c842659902fee1113c1fb 954905 wolfssl_3.4.8+dfsg.orig.tar.gz
 d2d726ce3c4e1d30974f0473b9571b516f0a715681a36425bf4629a6531b05fc 9944 wolfssl_3.4.8+dfsg-1.debian.tar.xz
 208713b5bcae18785c869feaa082bae38e0fde82a3d0325be5c10072df4f09de 3726 libcyassl5_3.4.8+dfsg-1_amd64.deb
 a5b6b11b17210fac922d30d7a1636a18b2bc92fe86c592df5581ab4336b3eeec 951792 libwolfssl-dev_3.4.8+dfsg-1_amd64.deb
 7611ba8926213177762ef071023a40f61ad08d1ca08ead7ac0277f9adcdd7b4f 655158 libwolfssl0-dbg_3.4.8+dfsg-1_amd64.deb
 fa36b0ef15c6bcb4177fdc07cc3aeaf7837aef1f82d5a0d6ae85a6856513610c 216062 libwolfssl0_3.4.8+dfsg-1_amd64.deb
Files:
 61caff4001af3c12d00637f4897b4fe3 1646 libs optional wolfssl_3.4.8+dfsg-1.dsc
 890a10bb5b9fbfd6b2f0bf6fd0f94819 954905 libs optional wolfssl_3.4.8+dfsg.orig.tar.gz
 30790aad3e71f080a2ae98f6d75c75ca 9944 libs optional wolfssl_3.4.8+dfsg-1.debian.tar.xz
 99adcfa0547b560b3dcf221d65981b04 3726 oldlibs extra libcyassl5_3.4.8+dfsg-1_amd64.deb
 9d5ca2339e80d711c4561bff45f1004e 951792 libdevel optional libwolfssl-dev_3.4.8+dfsg-1_amd64.deb
 88730669f2ebfa3e03f2de4d55e619ad 655158 debug extra libwolfssl0-dbg_3.4.8+dfsg-1_amd64.deb
 8e7d79ea0531e7cdfe7f9d926e28ff8a 216062 libs optional libwolfssl0_3.4.8+dfsg-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVhuPtAAoJEFOMB2b0vLOO748H/2cxLr+wsVq2qGxuTBkw9Tlx
ZnN/ku0l1Pjzq9i76jHquSv0goXab2u4P3SGangaTXHDZOEOAlYnF4guFI8bOidT
HPRzTWsiZ17uqa+wk8GCqmusIwYgr4ldBVUMHG/qVQkP7WXjW50dIrCKk2R4Dp5m
/O0+mpNzAuBj2cq+45MpFO3/oeupbEPz0cv4whiyHMx4VaZcYpnF8cmosFFBsGtb
yzvaMsJksp758N6SN8jF0AGtniNPyRIwY8Ewq6M6Ip5EyKmhaEGM4S/N+bd/N2vx
YidAUODr47fBvudsrw0O31UyNU/4AuDV53tVbGbm7uvNTb0Xj2PMDIu5GSH70VY=
=Zaqn
-----END PGP SIGNATURE-----
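The signed .changes above lists a size and SHA-256 digest for every uploaded file, but the automated mail says nothing about how a downstream consumer checks them. The following is an added example, not code from this page, from debbugs or from the wolfssl package: it parses the multi-line Checksums-Sha256 field (run here over the real excerpt from the message above) and verifies listed files against a directory. The files used in demo() are constructed stand-ins, not the real wolfssl tarballs; one of them is then tampered with so the mismatch path is exercised.

```python
"""Verify files against a Debian .changes / .dsc Checksums-Sha256 field.

Added example, not code from the Debian BTS page, debbugs or the wolfssl
package. The sample files written by demo() are constructed here and are
NOT the real wolfssl 3.4.8+dfsg-1 artefacts; only CHANGES_EXCERPT is real.
"""
import hashlib
import os
import tempfile

# Copied from the wolfssl 3.4.8+dfsg-1 .changes message above (real values).
CHANGES_EXCERPT = """\
Checksums-Sha256:
 7ce5b446167a2171f940a7d94b6c96fb876d11b7d6d5995c3bebf2f20b553b76 1646 wolfssl_3.4.8+dfsg-1.dsc
 a9bc053a44e7ac93e783ee41ce7d63b26c9e4783c71c842659902fee1113c1fb 954905 wolfssl_3.4.8+dfsg.orig.tar.gz
 d2d726ce3c4e1d30974f0473b9571b516f0a715681a36425bf4629a6531b05fc 9944 wolfssl_3.4.8+dfsg-1.debian.tar.xz
 208713b5bcae18785c869feaa082bae38e0fde82a3d0325be5c10072df4f09de 3726 libcyassl5_3.4.8+dfsg-1_amd64.deb
 a5b6b11b17210fac922d30d7a1636a18b2bc92fe86c592df5581ab4336b3eeec 951792 libwolfssl-dev_3.4.8+dfsg-1_amd64.deb
 7611ba8926213177762ef071023a40f61ad08d1ca08ead7ac0277f9adcdd7b4f 655158 libwolfssl0-dbg_3.4.8+dfsg-1_amd64.deb
 fa36b0ef15c6bcb4177fdc07cc3aeaf7837aef1f82d5a0d6ae85a6856513610c 216062 libwolfssl0_3.4.8+dfsg-1_amd64.deb
Files:
 61caff4001af3c12d00637f4897b4fe3 1646 libs optional wolfssl_3.4.8+dfsg-1.dsc
"""


def parse_checksums(text, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} for one checksum field.

    A Debian control field is 'Name:' followed by continuation lines that
    start with a space; the field ends at the next non-indented line
    (here 'Files:'). Each continuation line is: digest size filename.
    """
    entries = {}
    in_field = False
    for line in text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if not in_field:
            continue
        if not line.startswith(" "):
            break  # next field ends the block
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, name = parts
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError("refusing path component in file name: %r" % name)
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(entries, directory):
    """Check each listed file on disk.

    Returns {filename: 'ok' | 'missing' | 'size-mismatch' | 'digest-mismatch'}.
    """
    results = {}
    for name, (expected, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != expected:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed run: two stand-in files, a matching field, then a tampered file."""
    fake = {  # constructed contents, not the real upload
        "wolfssl_3.4.8+dfsg-1.dsc": b"Format: 3.0 (quilt)\nSource: wolfssl\n",
        "wolfssl_3.4.8+dfsg.orig.tar.gz": b"\x1f\x8b" + b"A" * 100,
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in fake.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        field = "Checksums-Sha256:\n" + "".join(
            " %s %d %s\n" % (hashlib.sha256(b).hexdigest(), len(b), n)
            for n, b in fake.items()
        )
        clean = verify_files(parse_checksums(field), d)
        # Flip one byte of the tarball: same length, so only the digest catches it.
        with open(os.path.join(d, "wolfssl_3.4.8+dfsg.orig.tar.gz"), "r+b") as fh:
            fh.seek(10)
            fh.write(b"B")
        tampered = verify_files(parse_checksums(field), d)
    return clean, tampered


if __name__ == "__main__":
    print(parse_checksums(CHANGES_EXCERPT))
    print(demo())
```

The digests are only worth as much as the signature wrapping them: before trusting a .changes or .dsc, verify its PGP signature against the Debian keyring (the `dscverify` tool from devscripts does the signature check and the checksum check together); this example deliberately covers only the second half.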




Bug reassigned from package 'src:cyassl' to 'wolfssl'. Request was from Felix Lechner <felix.lechner@gmail.com> to control@bugs.debian.org. (Thu, 16 Jul 2015 23:12:03 GMT).


No longer marked as fixed in versions wolfssl/3.4.8+dfsg-1. Request was from Felix Lechner <felix.lechner@gmail.com> to control@bugs.debian.org. (Thu, 16 Jul 2015 23:12:04 GMT).


Bug reassigned from package 'wolfssl' to 'src:wolfssl'. Request was from Felix Lechner <felix.lechner@gmail.com> to control@bugs.debian.org. (Thu, 16 Jul 2015 23:21:07 GMT).


Bug reassigned from package 'src:wolfssl' to 'wolfssl'. Request was from Felix Lechner <felix.lechner@gmail.com> to control@bugs.debian.org. (Thu, 16 Jul 2015 23:45:05 GMT).


Bug reassigned from package 'wolfssl' to 'src:cyassl'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Jul 2015 04:51:05 GMT).


Marked as found in versions cyassl/2.9.4+dfsg-3 and reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Jul 2015 04:51:06 GMT).


Changed Bug title to 'cyassl: CVE-2014-2901 CVE-2014-2902 CVE-2014-2903 CVE-2014-2904 CVE-2014-6491 CVE-2014-6494 CVE-2014-6495 CVE-2014-6496 CVE-2014-6500' from 'CVE-2014-2901 CVE-2014-2902 CVE-2014-2903 CVE-2014-2904'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Jul 2015 04:51:07 GMT).


Bug 770229 cloned as bug 792646. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Jul 2015 04:51:08 GMT).


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 16 Aug 2015 21:51:15 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 16 Aug 2015 21:51:15 GMT).


Message #36 received at 770229-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 770229-done@bugs.debian.org,793584-done@bugs.debian.org,
Cc: cyassl@packages.debian.org, cyassl@packages.qa.debian.org
Subject: Bug#795723: Removed package(s) from unstable
Date: Sun, 16 Aug 2015 21:49:53 +0000
Version: 2.9.4+dfsg-3+rm

Dear submitter,

as the package cyassl has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/795723

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 Sep 2015 07:30:09 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:26:42 2019; Machine Name: beach
