polarssl: CVE-2014-4911: Denial of Service against GCM enabled servers and clients

Debian Bug report logs - #754655

Package: polarssl; Maintainer for polarssl is Roland Stigge <stigge@antcom.de>;

Reported by: Henri Salo <henri@nerv.fi>

Date: Sun, 13 Jul 2014 07:57:02 UTC

Severity: critical

Tags: fixed-upstream, security, upstream

Found in versions 1.2.9-1, 1.2.9-1~deb7u1, 1.3.7-2, 1.2.8-2, 1.2.9-1~deb6u1

Fixed in versions polarssl/1.3.7-2.1, polarssl/1.2.9-1~deb7u3

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#754655; Package polarssl. (Sun, 13 Jul 2014 07:57:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Roland Stigge <stigge@antcom.de>. (Sun, 13 Jul 2014 07:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: polarssl: CVE-2014-4911: Denial of Service against GCM enabled servers and clients
Date: Sun, 13 Jul 2014 10:54:54 +0300
Package: polarssl
Version: 1.3.7-2
Severity: critical
Tags: security, fixed-upstream

Please see for details:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02

---
Henri Salo
[signature.asc (application/pgp-signature, inline)]

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 13 Jul 2014 19:57:04 GMT)


Marked as found in versions 1.2.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 14 Jul 2014 18:42:04 GMT)


Marked as found in versions 1.2.9-1~deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 14 Jul 2014 18:57:04 GMT)


Marked as found in versions 1.2.9-1~deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 14 Jul 2014 18:57:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#754655; Package polarssl. (Tue, 15 Jul 2014 06:18:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Tue, 15 Jul 2014 06:18:04 GMT)


Message #18 received at 754655@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Henri Salo <henri@nerv.fi>, 754655@bugs.debian.org
Subject: Re: Bug#754655: polarssl: CVE-2014-4911: Denial of Service against GCM enabled servers and clients
Date: Tue, 15 Jul 2014 08:14:08 +0200
Hi,

Attached is a (not-yet tested) proposed debdiff for wheezy-security.

Regards,
Salvatore
[polarssl_1.2.9-1~deb7u3.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#754655; Package polarssl. (Tue, 15 Jul 2014 08:15:10 GMT)


Acknowledgement sent to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list. (Tue, 15 Jul 2014 08:15:10 GMT)


Message #23 received at 754655@bugs.debian.org:

From: Roland Stigge <stigge@antcom.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 754655@bugs.debian.org, Henri Salo <henri@nerv.fi>
Subject: Re: Bug#754655: polarssl: CVE-2014-4911: Denial of Service against GCM enabled servers and clients
Date: Tue, 15 Jul 2014 10:07:39 +0200
Looks good - thanks for your work.

NMU welcome.

Roland.


On 07/15/2014 08:14 AM, Salvatore Bonaccorso wrote:
> Hi,
> 
> Attached is a (not-yet tested) proposed debdiff for wheezy-security.
> 
> Regards,
> Salvatore
> 

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#754655; Package polarssl. (Tue, 15 Jul 2014 11:30:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Tue, 15 Jul 2014 11:30:08 GMT)


Message #28 received at 754655@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Roland Stigge <stigge@antcom.de>
Cc: 754655@bugs.debian.org, Henri Salo <henri@nerv.fi>
Subject: Re: Bug#754655: polarssl: CVE-2014-4911: Denial of Service against GCM enabled servers and clients
Date: Tue, 15 Jul 2014 13:26:50 +0200
Hi Roland,

Thanks for the quick feedback; still not tested, but now also attaching the
debdiff for unstable.

On Tue, Jul 15, 2014 at 10:07:39AM +0200, Roland Stigge wrote:
> Looks good - thanks for your work.
> 
> NMU welcome.

Ok, I can do the NMU (probably tonight).

Regards,
Salvatore
[polarssl_1.3.7-2.1.debdiff (text/plain, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 15 Jul 2014 21:42:26 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 15 Jul 2014 21:42:26 GMT)


Message #33 received at 754655-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 754655-close@bugs.debian.org
Subject: Bug#754655: fixed in polarssl 1.3.7-2.1
Date: Tue, 15 Jul 2014 21:40:27 +0000
Source: polarssl
Source-Version: 1.3.7-2.1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 754655@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 15 Jul 2014 21:39:13 +0200
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl6
Architecture: source amd64
Version: 1.3.7-2.1
Distribution: unstable
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl6 - lightweight crypto and SSL/TLS library
Closes: 754655
Changes:
 polarssl (1.3.7-2.1) unstable; urgency=high
 .
   * Non-maintainer upload with maintainers approval.
   * Add CVE-2014-4911.patch patch.
     CVE-2014-4911: Fix Denial of Service against GCM enabled servers (and
     clients). (Closes: #754655)
Checksums-Sha1:
 bb6334f6c287d5b51935e7678d5f5465292616b5 1833 polarssl_1.3.7-2.1.dsc
 08747cdf22ec7d29c72e70e8f21cb11ee56be6be 5128 polarssl_1.3.7-2.1.debian.tar.xz
 b5ca7466744676802e9a5fe144ebd6a58edb171b 314198 libpolarssl-dev_1.3.7-2.1_amd64.deb
 28ab3c8459601c041283e4949c9b3db05904b01a 639174 libpolarssl-runtime_1.3.7-2.1_amd64.deb
 051a1d53a188d8b15ca841cd424cc83c120dd9b0 220768 libpolarssl6_1.3.7-2.1_amd64.deb
Checksums-Sha256:
 ed9c83ca0b51ce819c856879ddb5189aa58ba959c63553823525fe8fc497e3a7 1833 polarssl_1.3.7-2.1.dsc
 4fbbb367acdb6dca497ae5d1d23623a4fbfa4ca4924f30d2e8d7cf0ff643a264 5128 polarssl_1.3.7-2.1.debian.tar.xz
 d57a16921ed28b6fd82b3600f5a6b280f786fd80429a6626c37118399084aaab 314198 libpolarssl-dev_1.3.7-2.1_amd64.deb
 8e44b8a0c7c5bfb7ad14b3840039625aee73e192e3c47bb85749ffaa644f5b82 639174 libpolarssl-runtime_1.3.7-2.1_amd64.deb
 bd1915dcc68b5ebe932df2b098bcbc6b5c11811c67cd512f1112b45000743d15 220768 libpolarssl6_1.3.7-2.1_amd64.deb
Files:
 8457734e76a0a0cd68f9d157d4dc6954 314198 libdevel optional libpolarssl-dev_1.3.7-2.1_amd64.deb
 e69b64eb46f280a64a0af294c66101b9 639174 libdevel optional libpolarssl-runtime_1.3.7-2.1_amd64.deb
 4e8f6a56781cb1649f6d9d74c39f4903 220768 libs optional libpolarssl6_1.3.7-2.1_amd64.deb
 8b132374e20420275e0b447e1891cfdd 1833 libs optional polarssl_1.3.7-2.1.dsc
 aab8e5c9963c06846ee636c5eaeb6674 5128 libs optional polarssl_1.3.7-2.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

Marked as found in versions 1.2.8-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 16 Jul 2014 15:54:05 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 18 Jul 2014 18:51:05 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Fri, 18 Jul 2014 18:51:05 GMT)


Message #40 received at 754655-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 754655-close@bugs.debian.org
Subject: Bug#754655: fixed in polarssl 1.2.9-1~deb7u3
Date: Fri, 18 Jul 2014 18:47:09 +0000
Source: polarssl
Source-Version: 1.2.9-1~deb7u3

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 754655@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 15 Jul 2014 06:39:38 +0200
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl0
Architecture: source amd64
Version: 1.2.9-1~deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl0 - lightweight crypto and SSL/TLS library
Closes: 754655
Changes: 
 polarssl (1.2.9-1~deb7u3) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-4911.patch patch.
     CVE-2014-4911: Fix Denial of Service against GCM enabled servers (and
     clients). (Closes: #754655)
Checksums-Sha1: 
 8bb1dc2b57b172f41e89d814349b11d86c4bfbf7 1827 polarssl_1.2.9-1~deb7u3.dsc
 dfdf34be655bf9ea8a7f066bb5ad0222fbd5d85f 9176 polarssl_1.2.9-1~deb7u3.debian.tar.gz
 6142e33191c5c13aa23b6715cfef341f8f4d1dd6 275988 libpolarssl-dev_1.2.9-1~deb7u3_amd64.deb
 521ace7040e14f4bd7a108610977ba9d8e50c5db 2789942 libpolarssl-runtime_1.2.9-1~deb7u3_amd64.deb
 cda61e86ed8cf00950a624790f0b5c7f6a58d5d9 185898 libpolarssl0_1.2.9-1~deb7u3_amd64.deb
Checksums-Sha256: 
 da3e74f422d69b6fc4af71c11ec41ad0d02cbcc70b1f93b0eb5dce5bff5c9757 1827 polarssl_1.2.9-1~deb7u3.dsc
 20bec0c3823a86e621d5cfc7049fd04d64c837d86dcd82887ff4921d6414a77e 9176 polarssl_1.2.9-1~deb7u3.debian.tar.gz
 78ac0be0a83c91a6a33387cad3a30eca0c055fcc444d377b6223a3d73211ee2e 275988 libpolarssl-dev_1.2.9-1~deb7u3_amd64.deb
 caedcafb67ca7a712db289271101f7ece58032617302ccf0c5c496ec633ba3be 2789942 libpolarssl-runtime_1.2.9-1~deb7u3_amd64.deb
 fc4867fba95939a83a0f066d9bbdc3765769cd81b01621ef5a65340730de9638 185898 libpolarssl0_1.2.9-1~deb7u3_amd64.deb
Files: 
 262f9d7fc4330e8a1866a9afa277422b 1827 libs optional polarssl_1.2.9-1~deb7u3.dsc
 ff1db42de9c1058f3e2761c0c7de5853 9176 libs optional polarssl_1.2.9-1~deb7u3.debian.tar.gz
 708dc82dc2aa952af0dd8fe5a1c9932c 275988 libdevel optional libpolarssl-dev_1.2.9-1~deb7u3_amd64.deb
 6080663c793046bd5bf6a4c9491be7b4 2789942 libdevel optional libpolarssl-runtime_1.2.9-1~deb7u3_amd64.deb
 74c4117e3fb10ddb73c162bea93fe3d7 185898 libs optional libpolarssl0_1.2.9-1~deb7u3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTxYiQAAoJEAVMuPMTQ89E7YAP/iKZ6UBbI+uLFkq1pweiXoTS
FzEfl9E97PXzcTvpkqLw9c8Y19idAGBXzegggjBFNYLZAsxkpc+27NcNarj7hNYD
/cf/LJCNU2A47ykhc5bsZmX0T8fMg9LCz9AOB86mDPswEGxXX7py5xcURmJDX5l1
himT5ig8tYMoTXYXjY6fLA+GwULba7Ke8HUUrFoXNkCHnm23Ba4iMBCavr8oRkow
nWc7Wjoowui5o/8Y7WDHcZe9cOSuMxHKmzv2Wd1d+/sceeQwE954bpOQnEOh8kn3
GPyMZXAAycqsFvxfoJMvCzBL3yWFB1OmDq63Alkvm6AXuj7iz1SiXVWi+7c11YJe
k2UubGUkqzANZXfxZWm2th7HO7q+60THFMiRW9IM7XU0ZBNZUy+sewwmyNrrrgua
kBCI3OMJDUuvy5nrWHk8jJSVVkLXUx1pBEuRM6l9QPDAEgd2xfV/TMzLAg2GFn4K
5enWbXQeusACVOyNZs2HP0sIM6wdwTHtDJ7IleFAyK30d27falSe6oXcpttkUj97
C+cOeeQnYdtUQvwWzlMdy9Fi7HBZoRN42PYUnup1sHVOXPSWWCU7d2nKY2kFRciH
2QMnEMbB+9zyipA84cwXdLJB7iIRJPfzLgZO2XKAETviaQvzYdoo46wjKIY8+7GK
JVn+WSTgskXhLMD5mnqD
=nZVC
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Oct 2014 07:31:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:51:59 2019; Machine Name: buxtehude

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.