
Debian Bug report logs - #530400
CVE-2009-137{7,8,9}


Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Sun, 24 May 2009 16:21:01 UTC

Severity: serious

Tags: patch, security

Fixed in version openssl/0.9.8k-1

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#530400; Package openssl. (Sun, 24 May 2009 16:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 24 May 2009 16:21:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-137{7,8,9}
Date: Sun, 24 May 2009 18:17:00 +0200
Package: openssl
Severity: serious
Tags: security patch



Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openssl.

CVE-2009-1377[0]:
| The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and
| earlier 0.9.8 versions allows remote attackers to cause a denial of
| service (memory consumption) via a large series of "future epoch" DTLS
| records that are buffered in a queue, aka "DTLS record buffer
| limitation bug."

CVE-2009-1378[1]:
| Multiple memory leaks in the dtls1_process_out_of_seq_message function
| in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow
| remote attackers to cause a denial of service (memory consumption) via
| DTLS records that (1) are duplicates or (2) have sequence numbers much
| greater than current sequence numbers, aka "DTLS fragment handling
| memory leak."

CVE-2009-1379[2]:
| Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment
| function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote
| attackers to cause a denial of service (openssl s_client crash) and
| possibly have unspecified other impact via a DTLS packet, as
| demonstrated by a packet from a server that uses a crafted server
| certificate.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
    http://security-tracker.debian.net/tracker/CVE-2009-1377
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
    http://security-tracker.debian.net/tracker/CVE-2009-1378
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
    http://security-tracker.debian.net/tracker/CVE-2009-1379

Patches:
   http://cvs.openssl.org/chngview?cn=18187
   http://cvs.openssl.org/chngview?cn=18188
   http://marc.info/?l=openssl-dev&m=124202891602690&w=2 (not committed in upstream cvs repository)

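The three CVE texts above describe resource-exhaustion bugs in how a DTLS receiver holds records and fragments it cannot process yet. The following is an added illustration, not OpenSSL's code or the referenced patches: a toy "future epoch" record buffer that applies the two defenses those descriptions imply, a hard cap on how many records are held and an immediate free of every record the buffer refuses. The structure names, the cap of 100 and the constructed records are all assumptions.

```c
/* Added illustration (not OpenSSL's code) of a bounded "future epoch" record
 * buffer in the spirit of the CVE-2009-1377/1378 text; the cap is an assumption. */
#include <stdlib.h>

#define MAX_BUFFERED_RECORDS 100 /* assumed cap, chosen for illustration only */

struct record {
    unsigned epoch; unsigned long long seq; /* DTLS sequence number (48 bits on the wire) */
    size_t len; unsigned char *data;
};
struct record_queue { struct record *items[MAX_BUFFERED_RECORDS]; size_t count; };

struct record *make_record(unsigned epoch, unsigned long long seq, size_t len) {
    struct record *r = malloc(sizeof *r);
    r->epoch = epoch; r->seq = seq; r->len = len;
    r->data = calloc(len, 1); /* constructed payload; its contents are irrelevant */
    return r;
}

void free_record(struct record *r) { if (r) { free(r->data); free(r); } }

/* Returns 1 if the queue now owns r, 0 if refused (wrong epoch, duplicate
 * sequence number, or queue full). On 0 the caller still owns r and must free it. */
int buffer_future_record(struct record_queue *q, struct record *r, unsigned cur_epoch) {
    if (r->epoch != cur_epoch + 1) return 0;          /* only the next epoch is held */
    for (size_t i = 0; i < q->count; i++)
        if (q->items[i]->seq == r->seq) return 0;     /* duplicate: never hold twice */
    if (q->count >= MAX_BUFFERED_RECORDS) return 0;   /* the bound that was missing */
    q->items[q->count++] = r;
    return 1;
}

/* Feed n constructed next-epoch records of `payload` bytes and return the bytes
 * the queue holds afterwards. Refused records are freed at once; skipping that
 * free is the leak pattern the CVE-2009-1378 text describes. */
size_t simulate_flood(struct record_queue *q, unsigned cur_epoch, unsigned n, size_t payload) {
    size_t held = 0;
    for (unsigned i = 0; i < n; i++) {
        struct record *r = make_record(cur_epoch + 1, i, payload);
        if (buffer_future_record(q, r, cur_epoch)) held += r->len;
        else free_record(r);
    }
    return held;
}

void free_queue(struct record_queue *q) {
    for (size_t i = 0; i < q->count; i++) free_record(q->items[i]);
    q->count = 0;
}
```

Feeding a thousand next-epoch records leaves exactly 100 in memory; without the cap the held byte count would track the sender's record count instead.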




Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Mon, 01 Jun 2009 12:51:07 GMT) (full text, mbox, link).


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Mon, 01 Jun 2009 12:51:07 GMT) (full text, mbox, link).


Message #10 received at 530400-close@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: 530400-close@bugs.debian.org
Subject: Bug#530400: fixed in openssl 0.9.8k-1
Date: Mon, 01 Jun 2009 12:32:09 +0000
Source: openssl
Source-Version: 0.9.8k-1

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8k-1_amd64.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-1_amd64.udeb
libssl-dev_0.9.8k-1_amd64.deb
  to pool/main/o/openssl/libssl-dev_0.9.8k-1_amd64.deb
libssl0.9.8-dbg_0.9.8k-1_amd64.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-1_amd64.deb
libssl0.9.8_0.9.8k-1_amd64.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8k-1_amd64.deb
openssl_0.9.8k-1.diff.gz
  to pool/main/o/openssl/openssl_0.9.8k-1.diff.gz
openssl_0.9.8k-1.dsc
  to pool/main/o/openssl/openssl_0.9.8k-1.dsc
openssl_0.9.8k-1_amd64.deb
  to pool/main/o/openssl/openssl_0.9.8k-1_amd64.deb
openssl_0.9.8k.orig.tar.gz
  to pool/main/o/openssl/openssl_0.9.8k.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 530400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 16 May 2009 17:33:55 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8k-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 528648 530400 530459
Changes: 
 openssl (0.9.8k-1) unstable; urgency=low
 .
   * New upstream release
   * Make aes-x86_64.pl use PIC.
   * Fix security issues (Closes: #530400)
     - "DTLS record buffer limitation bug." (CVE-2009-1377)
     - "DTLS fragment handling" (CVE-2009-1378)
     - "DTLS use after free" (CVE-2009-1379)
   * Fixed Configure for hurd: use -mtune=i486 instead of -m486
     Patch by Marc Dequènes (Duck) <duck@hurdfr.org> (Closes: #530459)
   * Add support for avr32 (Closes: #528648)
Package-Type: udeb






Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#530400; Package openssl. (Mon, 01 Jun 2009 14:00:07 GMT) (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 01 Jun 2009 14:00:07 GMT) (full text, mbox, link).


Message #15 received at 530400@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 530400@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#530400: CVE-2009-137{7,8,9}
Date: Mon, 1 Jun 2009 15:56:41 +0200
On Sun, May 24, 2009 at 06:17:00PM +0200, Giuseppe Iuculano wrote:
> Package: openssl
> Severity: serious
> Tags: security patch
> 
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for openssl.

I've fixed this in unstable and prepared packages for stable
and unstable at:
http://people.debian.org/~kroeckx/openssl

The openssl097 source package is not affected, it doesn't have
DTLS support.


Kurt





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Jul 2009 07:30:38 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:15:07 2019; Machine Name: buxtehude
