nginx:CVE-2014-3616: possible to reuse cached SSL sessions in unrelated contexts

Related Vulnerabilities: CVE-2014-3616, CVE-2013-4547

Debian Bug report logs - #761940

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 17 Sep 2014 05:09:01 UTC

Severity: grave

Tags: fixed-upstream, patch, pending, security, upstream

Found in version nginx/0.7.67-3

Fixed in versions nginx/0.7.67-3+squeeze4, nginx/1.6.2-1, nginx/1.2.1-2.2+wheezy3

Done: Christos Trochalakis <yatiohi@ideopolis.gr>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#761940; Package src:nginx. (Wed, 17 Sep 2014 05:09:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>. (Wed, 17 Sep 2014 05:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nginx:CVE-2014-3616: possible to reuse cached SSL sessions in unrelated contexts
Date: Wed, 17 Sep 2014 07:05:44 +0200
Source: nginx
Version: 0.7.67-3
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for nginx.

CVE-2014-3616[0]:
reuse cached SSL sessions in unrelated contexts

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-3616
[1] http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html

Regards,
Salvatore



Marked as fixed in versions nginx/0.7.67-3+squeeze4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Sep 2014 05:15:08 GMT)


Reply sent to Christos Trochalakis <yatiohi@ideopolis.gr>:
You have taken responsibility. (Wed, 17 Sep 2014 09:33:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 17 Sep 2014 09:33:18 GMT)


Message #12 received at 761940-close@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: 761940-close@bugs.debian.org
Subject: Bug#761940: fixed in nginx 1.6.2-1
Date: Wed, 17 Sep 2014 09:31:31 +0000
Source: nginx
Source-Version: 1.6.2-1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 761940@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <yatiohi@ideopolis.gr> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 17 Sep 2014 11:19:01 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg nginx-naxsi nginx-naxsi-dbg nginx-naxsi-ui
Architecture: source all amd64
Version: 1.6.2-1
Distribution: unstable
Urgency: high
Maintainer: Kartik Mistry <kartik@debian.org>
Changed-By: Christos Trochalakis <yatiohi@ideopolis.gr>
Description:
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
 nginx-naxsi - nginx web/proxy server (version with naxsi)
 nginx-naxsi-dbg - nginx web/proxy server (version with naxsi) - debugging symbols
 nginx-naxsi-ui - nginx web/proxy server - naxsi configuration front-end
Closes: 761940
Changes:
 nginx (1.6.2-1) unstable; urgency=high
 .
   [ Christos Trochalakis ]
   * New upstream release.
     CVE-2014-3616: "it was possible to reuse SSL sessions in unrelated
     contexts if a shared SSL session cache or the same TLS session ticket
     key was used for multiple "server" blocks".
     (Closes: #761940)




Added tag(s) pending. Request was from Christos Trochalakis <yatiohi@ideopolis.gr> to control@bugs.debian.org. (Fri, 19 Sep 2014 07:42:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#761940. (Fri, 19 Sep 2014 07:42:08 GMT)


Message #17 received at 761940-submitter@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: 761940-submitter@bugs.debian.org
Subject: Bug#761940 marked as pending
Date: Fri, 19 Sep 2014 07:39:56 +0000
tag 761940 pending
thanks

Hello,

Bug #761940 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/nginx.git;a=commitdiff;h=510ec78

---
commit 510ec78adf402dcc4ca4d4bd46fbd0267d9eb1cd
Author: Christos Trochalakis <yatiohi@ideopolis.gr>
Date:   Wed Sep 17 11:19:18 2014 +0300

    Release 1.6.2-1

diff --git a/debian/changelog b/debian/changelog
index 178101e..1ac0f8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+nginx (1.6.2-1) unstable; urgency=high
+
+  [ Christos Trochalakis ]
+  * New upstream release.
+    CVE-2014-3616: "it was possible to reuse SSL sessions in unrelated
+    contexts if a shared SSL session cache or the same TLS session ticket
+    key was used for multiple "server" blocks".
+    (Closes: #761940)
+
+ -- Christos Trochalakis <yatiohi@ideopolis.gr>  Wed, 17 Sep 2014 11:19:01 +0300
+
 nginx (1.6.1-2) unstable; urgency=medium
 
   [ Christos Trochalakis ]
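Review bot: In the added `CVE-2014-3616:` lines the upstream sentence is wrapped in double quotes and also contains the double-quoted word "server", so it is ambiguous where the quotation ends. Write the inner word as 'server' or drop the outer quotes, so the changelog entry reads as one quoted statement.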



Reply sent to Christos Trochalakis <yatiohi@ideopolis.gr>:
You have taken responsibility. (Sat, 20 Sep 2014 13:57:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Sep 2014 13:57:15 GMT)


Message #22 received at 761940-close@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: 761940-close@bugs.debian.org
Subject: Bug#761940: fixed in nginx 1.2.1-2.2+wheezy3
Date: Sat, 20 Sep 2014 13:54:34 +0000
Source: nginx
Source-Version: 1.2.1-2.2+wheezy3

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 761940@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <yatiohi@ideopolis.gr> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 18 Sep 2014 15:25:04 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg nginx-naxsi nginx-naxsi-dbg nginx-naxsi-ui
Architecture: source all amd64
Version: 1.2.1-2.2+wheezy3
Distribution: wheezy-security
Urgency: high
Maintainer: Kartik Mistry <kartik@debian.org>
Changed-By: Christos Trochalakis <yatiohi@ideopolis.gr>
Description:
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
 nginx-naxsi - nginx web/proxy server (version with naxsi)
 nginx-naxsi-dbg - nginx web/proxy server (version with naxsi) - debugging symbols
 nginx-naxsi-ui - nginx web/proxy server - naxsi configuration front-end
Closes: 761940
Changes:
 nginx (1.2.1-2.2+wheezy3) wheezy-security; urgency=high
 .
   * debian/patches/fix-CVE-2014-3616.patch:
     CVE-2014-3616: It was possible to reuse cached SSL sessions in
     unrelated contexts, allowing virtual host confusion attacks in some
     configurations by an attacker in a privileged network position.
     (Closes: #761940)




Added tag(s) pending. Request was from Christos Trochalakis <yatiohi@ideopolis.gr> to control@bugs.debian.org. (Sun, 02 Nov 2014 16:27:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#761940. (Sun, 02 Nov 2014 16:27:08 GMT)


Message #27 received at 761940-submitter@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: 761940-submitter@bugs.debian.org
Subject: Bug#761940 marked as pending
Date: Sun, 02 Nov 2014 16:24:23 +0000
tag 761940 pending
thanks

Hello,

Bug #761940 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/nginx.git;a=commitdiff;h=b6807de

---
commit b6807de05a05c8f277ba30dbef1a528280139857
Author: Christos Trochalakis <yatiohi@ideopolis.gr>
Date:   Thu Sep 18 15:27:09 2014 +0300

     Release 1.2.1-2.2+wheezy3

diff --git a/debian/changelog b/debian/changelog
index 9aaed10..8f8eb4c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+nginx (1.2.1-2.2+wheezy3) wheezy-security; urgency=high
+
+  * debian/patches/fix-CVE-2014-3616.patch:
+    CVE-2014-3616: It was possible to reuse cached SSL sessions in
+    unrelated contexts, allowing virtual host confusion attacks in some
+    configurations by an attacker in a privileged network position.
+    (Closes: #761940)
+
+ -- Christos Trochalakis <yatiohi@ideopolis.gr>  Thu, 18 Sep 2014 15:25:04 +0300
+
 nginx (1.2.1-2.2+wheezy2) stable-security; urgency=high
 
   * debian/patches/fix-CVE-2013-4547.patch:
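Review bot: The new header line uses `wheezy-security` while the preceding 1.2.1-2.2+wheezy2 entry in the context lines uses `stable-security`. Confirm which distribution name the security archive expects for this upload and keep the entries consistent. The entry also cites debian/patches/fix-CVE-2014-3616.patch, but this diff touches only debian/changelog, so check that the patch file and its series entry are committed separately.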



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 01 Dec 2014 07:49:51 GMT)
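An added example, not part of the bug log and not Debian or nginx code: a small Python audit that flags the condition quoted in the 1.6.2-1 changelog above, a shared SSL session cache or the same session ticket key used by several "server" blocks. The parser, function names and sample configuration are constructed for illustration; `include` files are not followed.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """
http {
    ssl_session_cache shared:SSL:10m;   # inherited by servers that set none
    server { listen 443 ssl; server_name shop.example.test; }
    server { listen 443 ssl; server_name admin.example.test; ssl_session_ticket_key common.key; }
    server { listen 443 ssl; server_name blog.example.test; ssl_session_cache shared:BLOG:5m;
             ssl_session_ticket_key common.key; }
    server { listen 80; server_name plain.example.test; }
}
"""

TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+''')

def parse(text):
    """Nested (name, args, children) tuples; `include` files are not followed."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    def block(i):
        items, words = [], []
        while i < len(tokens) and tokens[i] != "}":
            tok, i = tokens[i], i + 1
            if tok in ("{", ";"):
                children, i = block(i) if tok == "{" else (None, i)
                if words:
                    items.append((words[0], words[1:], children))
                words = []
            else:
                words.append(tok.strip("\"'"))
        return items, i + 1      # skip the closing brace
    return block(0)[0]

def directives(items, name):
    """Argument lists of every `name` directive set directly in this block."""
    return [args for n, args, _ in items if n == name]

def tls_servers(tree):
    """Yield (label, shared cache zones, ticket key files) per TLS server block."""
    for hname, _, http in tree:
        for sname, _, srv in ((http or []) if hname == "http" else []):
            if sname != "server" or srv is None or not (
                    any("ssl" in a for a in directives(srv, "listen"))
                    or ["on"] in directives(srv, "ssl")):
                continue
            # nginx inheritance: a server-level setting replaces the http-level one.
            pick = lambda d: directives(srv, d) or directives(http, d)
            zones = [a.split(":")[1] for args in pick("ssl_session_cache")
                     for a in args if a.startswith("shared:")]
            keys = [args[0] for args in pick("ssl_session_ticket_key") if args]
            yield " ".join(sum(directives(srv, "server_name"), [])) or "(unnamed)", zones, keys

def shared_session_state(conf_text):
    """Map ("cache"|"ticket_key", id) to the TLS servers using it, where more than one does."""
    users = defaultdict(list)
    for label, zones, keys in tls_servers(parse(conf_text)):
        for kind, ids in (("cache", zones), ("ticket_key", keys)):
            for ident in ids:
                users[kind, ident].append(label)
    return {k: v for k, v in users.items() if len(v) > 1}

if __name__ == "__main__":
    print(shared_session_state(SAMPLE_CONF))
```

Only explicitly configured ticket keys and `shared:` cache zones are considered. On a host still running a version listed as affected in this report, each group it returns is a set of virtual hosts between which sessions could be reused.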




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:49:03 2019; Machine Name: buxtehude
