polarssl: CVE-2013-5914 CVE-2013-5915

Related Vulnerabilities: CVE-2013-5914   CVE-2013-5915   CVE-2013-4623   CVE-2009-3555  

Debian Bug report logs - #725359
polarssl: CVE-2013-5914 CVE-2013-5915

Package: polarssl; Maintainer for polarssl is Roland Stigge <stigge@antcom.de>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 4 Oct 2013 14:15:10 UTC

Severity: grave

Tags: pending, security

Found in version 1.2.8-2

Fixed in versions polarssl/1.2.9-1~deb7u1, polarssl/1.3.1-1

Done: Roland Stigge <stigge@antcom.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#725359; Package polarssl. (Fri, 04 Oct 2013 14:15:14 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Stigge <stigge@antcom.de>. (Fri, 04 Oct 2013 14:15:14 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: polarssl: CVE-2013-5914 CVE-2013-5915
Date: Fri, 04 Oct 2013 16:01:11 +0200
Package: polarssl
Severity: grave
Tags: security
Justification: user security hole

https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05

CVE-2013-5915 doesn't sound backportable. Since polarssl has no reverse deps in Wheezy
I suggest we update stable to 1.2.9. What do you think?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#725359; Package polarssl. (Wed, 16 Oct 2013 08:54:04 GMT)


Acknowledgement sent to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list. (Wed, 16 Oct 2013 08:54:04 GMT)


Message #10 received at 725359@bugs.debian.org:

From: Roland Stigge <stigge@antcom.de>
To: Moritz Muehlenhoff <jmm@inutil.org>, 725359@bugs.debian.org
Subject: Re: polarssl: CVE-2013-5914 CVE-2013-5915
Date: Wed, 16 Oct 2013 10:51:12 +0200
Hi,

yes, preparing a new 1.2.9 for stable. This also fixes the other
outstanding issues with polarssl.

Should I upload it to the security queue?

Roland



Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#725359; Package polarssl. (Wed, 16 Oct 2013 15:30:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Wed, 16 Oct 2013 15:30:05 GMT)


Message #15 received at 725359@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Roland Stigge <stigge@antcom.de>
Cc: 725359@bugs.debian.org, team@security.debian.org
Subject: Re: polarssl: CVE-2013-5914 CVE-2013-5915
Date: Wed, 16 Oct 2013 17:20:05 +0200
On Wed, Oct 16, 2013 at 10:51:12AM +0200, Roland Stigge wrote:
> Hi,
> 
> yes, preparing a new 1.2.9 for stable. This also fixes the other
> outstanding issues with polarssl.
> 
> Should I upload it to the security queue?

Yes, but please send a debdiff to team@security.debian.org first

Please use 1.2.9-1~deb7u1 for stable-security.

Due to a bug in dak on security-master we cannot release a package
with the same tarball in oldstable-security and stable-security.

As such, we first need to release 1.2.9-1~deb7u1 for stable-security
and 1.2.9-1~deb6u1 for oldstable-security can follow later.

Since the 1.2.9 tarball is new in the security archive, the updates
need to be built with "-sa".

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#725359; Package polarssl. (Wed, 16 Oct 2013 18:24:04 GMT)


Acknowledgement sent to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list. (Wed, 16 Oct 2013 18:24:05 GMT)


Message #20 received at 725359@bugs.debian.org:

From: Roland Stigge <stigge@antcom.de>
To: Moritz Muehlenhoff <jmm@inutil.org>, 725359@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#725359: polarssl: CVE-2013-5914 CVE-2013-5915
Date: Wed, 16 Oct 2013 20:20:07 +0200
Hi,

On 16/10/13 17:20, Moritz Muehlenhoff wrote:
>> yes, preparing a new 1.2.9 for stable. This also fixes the other
>> outstanding issues with polarssl.
>>
>> Should I upload it to the security queue?
> 
> Yes, but please send a debdiff to team@security.debian.org first

See attached polarssl.debdiff: Only debian/changes is changed since all
changes are in the upstream tarball only. Please tell if you need a diff
of the latter one also.

> Please use 1.2.9-1~deb7u1 for stable-security.
> 
> Due to a bug in dak on security-master we cannot release a package
> with the same tarball in oldstable-security and stable-security.
> 
> As such, we first need to release 1.2.9-1~deb7u1 for stable-security
> and 1.2.9-1~deb6u1 for oldstable-security can follow later.
> 
> Since the 1.2.9 tarball is new in the security archive, the updates
> need to be built with "-sa".

OK, please tell when I should upload.

Thanks in advance,

Roland

[polarssl.debdiff (text/plain, attachment)]

Reply sent to Roland Stigge <stigge@antcom.de>:
You have taken responsibility. (Wed, 16 Oct 2013 18:36:12 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 16 Oct 2013 18:36:12 GMT)


Message #25 received at 725359-close@bugs.debian.org:

From: Roland Stigge <stigge@antcom.de>
To: 725359-close@bugs.debian.org
Subject: Bug#725359: fixed in polarssl 1.3.1-1
Date: Wed, 16 Oct 2013 18:33:30 +0000
Source: polarssl
Source-Version: 1.3.1-1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <stigge@antcom.de> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 16 Oct 2013 19:35:28 +0200
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl0
Architecture: source amd64
Version: 1.3.1-1
Distribution: unstable
Urgency: low
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Roland Stigge <stigge@antcom.de>
Description: 
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl0 - lightweight crypto and SSL/TLS library
Closes: 704946 719954 725359
Changes: 
 polarssl (1.3.1-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes CVE-2013-5914, CVE-2013-5915 (Closes: #725359)
     - Fixes CVE-2013-4623 (Closes: #719954)
     - Fixes CVE-2009-3555 (Closes: #704946)




Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#725359; Package polarssl. (Wed, 16 Oct 2013 18:42:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Wed, 16 Oct 2013 18:42:04 GMT)


Message #30 received at 725359@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Roland Stigge <stigge@antcom.de>
Cc: 725359@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#725359: polarssl: CVE-2013-5914 CVE-2013-5915
Date: Wed, 16 Oct 2013 20:32:50 +0200
On Wed, Oct 16, 2013 at 08:20:07PM +0200, Roland Stigge wrote:
> Hi,
> 
> On 16/10/13 17:20, Moritz Muehlenhoff wrote:
> >> yes, preparing a new 1.2.9 for stable. This also fixes the other
> >> outstanding issues with polarssl.
> >>
> >> Should I upload it to the security queue?
> > 
> > Yes, but please send a debdiff to team@security.debian.org first
> 
> See attached polarssl.debdiff: Only debian/changes is changed since all
> changes are in the upstream tarball only. Please tell if you need a diff
> of the latter one also.
> 
> > Please use 1.2.9-1~deb7u1 for stable-security.
> > 
> > Due to a bug in dak on security-master we cannot release a package
> > with the same tarball in oldstable-security and stable-security.
> > 
> > As such, we first need to release 1.2.9-1~deb7u1 for stable-security
> > and 1.2.9-1~deb6u1 for oldstable-security can follow later.
> > 
> > Since the 1.2.9 tarball is new in the security archive, the updates
> > need to be built with "-sa".
> 
> OK, please tell when I should upload.

Please go ahead.

Cheers,
        Moritz



Reply sent to Roland Stigge <stigge@antcom.de>:
You have taken responsibility. (Sun, 20 Oct 2013 22:51:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 20 Oct 2013 22:51:13 GMT)


Message #35 received at 725359-close@bugs.debian.org:

From: Roland Stigge <stigge@antcom.de>
To: 725359-close@bugs.debian.org
Subject: Bug#725359: fixed in polarssl 1.2.9-1~deb7u1
Date: Sun, 20 Oct 2013 22:47:05 +0000
Source: polarssl
Source-Version: 1.2.9-1~deb7u1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <stigge@antcom.de> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 16 Oct 2013 20:04:47 +0200
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl0
Architecture: source amd64
Version: 1.2.9-1~deb7u1
Distribution: stable-security
Urgency: low
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Roland Stigge <stigge@antcom.de>
Description: 
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl0 - lightweight crypto and SSL/TLS library
Closes: 725359
Changes: 
 polarssl (1.2.9-1~deb7u1) stable-security; urgency=low
 .
   * New upstream release
     - Fixes CVE-2013-5914 CVE-2013-5915 (Closes: #725359)




Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 22 Oct 2013 19:06:11 GMT)


Marked as found in versions 1.2.8-2. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Fri, 25 Oct 2013 02:27:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 22 Nov 2013 07:30:25 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:21:11 2019; Machine Name: buxtehude
