Debian Bug report logs - #522002: openssl: CVE-2009-0590 denial of service
Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Date: Tue, 31 Mar 2009 04:06:01 UTC
Severity: important
Tags: security
Fixed in version openssl/0.9.8g-16
Done: Kurt Roeckx <kurt@roeckx.be>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#522002; Package openssl. (Tue, 31 Mar 2009 04:06:03 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 31 Mar 2009 04:06:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: openssl
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssl.
CVE-2009-0590[0]:
The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows
remote attackers to cause a denial of service (invalid memory access
and application crash) via vectors that trigger printing of a (1)
BMPString or (2) UniversalString with an invalid encoded length.
This was just fixed in ubuntu [1]. Please coordinate with the
security team to release fixes for the stable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
http://security-tracker.debian.net/tracker/CVE-2009-0590
[1] http://www.ubuntu.com/usn/usn-750-1
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#522002; Package openssl. (Wed, 01 Apr 2009 09:57:03 GMT)
Acknowledgement sent to Jon Daley <debian@jon.limedaley.com>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 01 Apr 2009 09:57:04 GMT)
Message #10 received at 522002@bugs.debian.org:
From my reading of this advisory, Debian builds aren't vulnerable, as it
only affects 0.9.8h and higher? (additionally, with a non-default setting
turned on)
http://secunia.com/advisories/34411
--
Jon Daley
http://jon.limedaley.com
~~
He who laughs last is generally the last to get the joke.
-- Terry Cohen
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#522002; Package openssl. (Wed, 01 Apr 2009 09:57:05 GMT)
Acknowledgement sent to Jon Daley <jon@limedaley.com>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 01 Apr 2009 09:57:05 GMT)
Message #15 received at 522002@bugs.debian.org:
Ah sorry, I read it again more carefully - the secunia advisory is
reporting multiple vulnerabilities, and we are vulnerable to the ASN one.
On Wed, 1 Apr 2009, Jon Daley wrote:
> From my reading of this advisory, Debian builds aren't vulnerable, as it only
> affects 0.9.8h and higher? (additionally, with a non-default setting turned
> on)
>
> http://secunia.com/advisories/34411
--
Jon Daley
http://jon.limedaley.com
~~
If you're really afraid of some bad outcome, that's what you're going
to get. If you behave as if you trust somebody, you're more likely to
get trust back.
-- Charles Green, founder of Trusted Advisor Associates
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#522002; Package openssl. (Wed, 01 Apr 2009 17:15:02 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 01 Apr 2009 17:15:02 GMT)
Message #20 received at 522002@bugs.debian.org:
On Tue, Mar 31, 2009 at 12:03:42AM -0400, Michael S. Gilbert wrote:
> Package: openssl
> Severity: important
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssl.
>
> CVE-2009-0590[0]:
> The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows
> remote attackers to cause a denial of service (invalid memory access
> and application crash) via vectors that trigger printing of a (1)
> BMPString or (2) UniversalString with an invalid encoded length.
>
> This was just fixed in ubuntu [1]. Please coordinate with the
> security team to release fixes for the stable releases.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
> http://security-tracker.debian.net/tracker/CVE-2009-0590
> [1] http://www.ubuntu.com/usn/usn-750-1
I've attached the patch from upstream CVS.
Kurt
[CVE-2009-0590.diff (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#522002; Package openssl. (Wed, 01 Apr 2009 20:39:03 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 01 Apr 2009 20:39:03 GMT)
Message #25 received at 522002@bugs.debian.org:
On Wed, Apr 01, 2009 at 07:14:06PM +0200, Kurt Roeckx wrote:
> On Tue, Mar 31, 2009 at 12:03:42AM -0400, Michael S. Gilbert wrote:
> > Package: openssl
> > Severity: important
> > Tags: security
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for openssl.
> >
> > CVE-2009-0590[0]:
> > The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows
> > remote attackers to cause a denial of service (invalid memory access
> > and application crash) via vectors that trigger printing of a (1)
> > BMPString or (2) UniversalString with an invalid encoded length.
Hi,
I've put up packages for oldstable and stable at:
http://people.debian.org/~kroeckx/openssl/CVE-2009-0590/
I'll also upload version 0.9.8g-16 to unstable shortly.
Kurt
Reply sent to Kurt Roeckx <kurt@roeckx.be>: You have taken responsibility. (Wed, 01 Apr 2009 21:15:29 GMT)
Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Wed, 01 Apr 2009 21:15:31 GMT)
Message #30 received at 522002-close@bugs.debian.org:
Source: openssl
Source-Version: 0.9.8g-16
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto0.9.8-udeb_0.9.8g-16_amd64.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-16_amd64.udeb
libssl-dev_0.9.8g-16_amd64.deb
  to pool/main/o/openssl/libssl-dev_0.9.8g-16_amd64.deb
libssl0.9.8-dbg_0.9.8g-16_amd64.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-16_amd64.deb
libssl0.9.8_0.9.8g-16_amd64.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8g-16_amd64.deb
openssl_0.9.8g-16.dsc
  to pool/main/o/openssl/openssl_0.9.8g-16.dsc
openssl_0.9.8g-16.tar.gz
  to pool/main/o/openssl/openssl_0.9.8g-16.tar.gz
openssl_0.9.8g-16_amd64.deb
  to pool/main/o/openssl/openssl_0.9.8g-16_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 522002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 01 Apr 2009 22:04:53 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8g-16
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.8 - SSL shared libraries
libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 522002
Changes:
openssl (0.9.8g-16) unstable; urgency=high
.
* Properly validate the length of an encoded BMPString and UniversalString
(CVE-2009-0590) (Closes: #522002)
Checksums-Sha1:
Checksums-Sha256:
Files:
Package-Type: udeb
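As an added illustration of the fix the changelog entry describes for the CVE-2009-0590 description above (this is example code, not the upstream CVS patch or Debian's packaging): a decoder that validates the encoded length of a BMPString or UniversalString against its 2- or 4-byte character width before reading a single byte, so an invalid length is rejected instead of driving a read past the buffer. Tag numbers are the X.680 universal tags; `decode_multibyte_string` and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* X.680 universal tag numbers for the two string types named in the CVE. */
#define TAG_UNIVERSALSTRING 28
#define TAG_BMPSTRING       30
/* Bytes per encoded character: BMPString is UCS-2 (2), UniversalString
 * is UCS-4 (4); 0 for any tag this helper does not handle. */
static size_t char_width(int tag)
{
    switch (tag) {
    case TAG_BMPSTRING:       return 2;
    case TAG_UNIVERSALSTRING: return 4;
    default:                  return 0;
    }
}

/* Decode a BMPString/UniversalString's content octets into code points.
 * Returns the count written, or -1 when the encoded length is not a whole
 * number of characters (the check CVE-2009-0590 lacked) or `out` is too
 * small. The length is validated before any byte is read, so an odd-length
 * BMPString can never push the inner loop past the end of `buf`. */
int decode_multibyte_string(int tag, const unsigned char *buf, size_t len,
                            uint32_t *out, size_t out_cap)
{
    size_t w = char_width(tag);
    if (w == 0 || len % w != 0)
        return -1;                  /* invalid encoded length: reject */
    size_t n = len / w;
    if (n > out_cap)
        return -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = 0;
        for (size_t j = 0; j < w; j++)
            cp = (cp << 8) | buf[i * w + j];   /* big-endian, as in BER */
        out[i] = cp;
    }
    return (int)n;
}
int main(void)
{
    /* Constructed sample: "Hi" as a BMPString, then a truncated (odd) length. */
    const unsigned char bmp[] = { 0x00, 'H', 0x00, 'i' };
    uint32_t cps[4];
    printf("len 4: %d code points\n", decode_multibyte_string(TAG_BMPSTRING, bmp, 4, cps, 4));
    printf("len 3: %d (rejected)\n", decode_multibyte_string(TAG_BMPSTRING, bmp, 3, cps, 4));
    return 0;
}
```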
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Jun 2009 07:26:55 GMT)
Last modified: Wed Jun 19 18:59:25 2019