Debian Bug report logs -
#747432
openssl: CVE-2014-0198 Null pointer dereference bug in OpenSSL 1.0.1g and earlier
Reported by: Demetris Demetriou <mitsosgtir@gmail.com>
Date: Thu, 8 May 2014 15:57:02 UTC
Severity: important
Tags: security
Found in versions openssl/1.0.1e-2+deb7u7, openssl/1.0.1g-3
Fixed in versions openssl/1.0.1g-4, openssl/1.0.1e-2+deb7u9
Done: Kurt Roeckx <kurt@roeckx.be>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#747432; Package openssl.
(Thu, 08 May 2014 15:57:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Demetris Demetriou <mitsosgtir@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.
(Thu, 08 May 2014 15:57:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: openssl
Version: 1.0.1e-2+deb7u7
Severity: important
Hello,
Please see this link:http://advisories.mageia.org/MGASA-2014-0204.html
Does this affect the version included in wheezy?
Thank you
-- System Information:
Debian Release: 7.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.13-38+deb7u1
ii libssl1.0.0 1.0.1e-2+deb7u7
ii zlib1g 1:1.2.7.dfsg-13
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20130119
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#747432; Package openssl.
(Thu, 08 May 2014 16:33:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.
(Thu, 08 May 2014 16:33:08 GMT) (full text, mbox, link).
Message #10 received at 747432@bugs.debian.org (full text, mbox, reply):
On Thu, May 08, 2014 at 06:53:27PM +0300, Demetris Demetriou wrote:
> Package: openssl
> Version: 1.0.1e-2+deb7u7
> Severity: important
>
> Hello,
> Please see this link:http://advisories.mageia.org/MGASA-2014-0204.html
I've know about that CVE for some time. I'm waiting for upstream
to confirm that the patch in the master branch from a few months
ago is the right fix or not.
> Does this affect the version included in wheezy?
As far as I know it affects all branches.
Kurt
Added tag(s) security.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 09 May 2014 05:48:05 GMT) (full text, mbox, link).
Marked as found in versions openssl/1.0.1g-3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 09 May 2014 05:48:06 GMT) (full text, mbox, link).
Reply sent
to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility.
(Mon, 12 May 2014 21:27:14 GMT) (full text, mbox, link).
Notification sent
to Demetris Demetriou <mitsosgtir@gmail.com>:
Bug acknowledged by developer.
(Mon, 12 May 2014 21:27:14 GMT) (full text, mbox, link).
Message #19 received at 747432-close@bugs.debian.org (full text, mbox, reply):
Source: openssl
Source-Version: 1.0.1g-4
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 747432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 12 May 2014 22:22:16 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1g-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
libssl-dev - Secure Sockets Layer toolkit - development files
libssl-doc - Secure Sockets Layer toolkit - development documentation
libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
openssl - Secure Sockets Layer toolkit - cryptographic utility
Closes: 745801 747432
Changes:
openssl (1.0.1g-4) unstable; urgency=medium
.
* Update to git snapshot
- Fixes CVE-2014-0198 (Closes: #747432)
- Drop the following patches that got applied upstream:
fix-pod-errors.patch, CVE-2010-5298.patch,
CVE-2014-XXXX-Extension-checking-fixes.patch
* Actually restart the services when restart-without-asking is set.
(Closes: #745801)
Checksums-Sha1:
6a545d1ec6dc26c578dd0543f25e0ee9ca3240a8 2231 openssl_1.0.1g-4.dsc
213b66b7c0ad108bd7e522b484992ee1290026cb 90984 openssl_1.0.1g-4.debian.tar.xz
ff55e2f2c8938a75933cf7fd556842b6cc111c4e 1138034 libssl-doc_1.0.1g-4_all.deb
06d3d5ecaee39252947c5a900af264dbb7c74b12 665022 openssl_1.0.1g-4_amd64.deb
3da8e92a65b9f528fb9055dab9f608c81657d109 1011048 libssl1.0.0_1.0.1g-4_amd64.deb
cfe6005877c8a79264f54761bd95dd93f405557f 624064 libcrypto1.0.0-udeb_1.0.1g-4_amd64.udeb
3032c56455d6b3f9c59e861cbb91291c2f404343 1244064 libssl-dev_1.0.1g-4_amd64.deb
0b21d36292828c09f0ad09b5dc56e8b528d297f3 2829216 libssl1.0.0-dbg_1.0.1g-4_amd64.deb
Checksums-Sha256:
1ad61c0dad8526eede51d14dcaf96a3e79df210f9d38d913452aea18164b5b67 2231 openssl_1.0.1g-4.dsc
c6acf0590a5aa2315a6291a3185685db5c88cc96c7669520c1ed2e8d0b2ffb98 90984 openssl_1.0.1g-4.debian.tar.xz
b7aa038923bf08d09ec9236d06b41bf4db5f8bbde996bf34e62bbda51da06b9c 1138034 libssl-doc_1.0.1g-4_all.deb
38eac376c352b71c07e3b3b313aaad39ea611ade3105cc5fc0493505ee48b130 665022 openssl_1.0.1g-4_amd64.deb
d8572fc1e856cbd0181756d94cfb869ee1898d0ba299771d2f9027bd0a3ab5ac 1011048 libssl1.0.0_1.0.1g-4_amd64.deb
79599286693762e4e18d1f6b0b2347719e339af6b06637c4850598ae157530a0 624064 libcrypto1.0.0-udeb_1.0.1g-4_amd64.udeb
7758eba5441ca25167f49c48e4474d4b799fb951de2e021689c4e5ca9a2a4435 1244064 libssl-dev_1.0.1g-4_amd64.deb
7f050b6006fd077d011bd2a311bb26b9005ff13dda12c44020d1db0a75cb0e15 2829216 libssl1.0.0-dbg_1.0.1g-4_amd64.deb
Files:
85780f83c24681e16ff338fb7ba35569 1138034 doc optional libssl-doc_1.0.1g-4_all.deb
bb4bfdf7fe3d9249bafd6e056113ece1 665022 utils optional openssl_1.0.1g-4_amd64.deb
ae9c3ec7618ad546a7647e6afc3b1442 1011048 libs important libssl1.0.0_1.0.1g-4_amd64.deb
23e7d8733c67f65555e25c9402227815 624064 debian-installer optional libcrypto1.0.0-udeb_1.0.1g-4_amd64.udeb
f5e65a55edcc24494c7957887776c142 1244064 libdevel optional libssl-dev_1.0.1g-4_amd64.deb
5ef101dc0208c415cf62d83da17e09d0 2829216 debug extra libssl1.0.0-dbg_1.0.1g-4_amd64.deb
b3c568ec91a45440aaf62fbb51527f2a 2231 utils optional openssl_1.0.1g-4.dsc
a28ab2f41e45dcd2099db05128e49651 90984 utils optional openssl_1.0.1g-4.debian.tar.xz
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTcTVyAAoJEKGfLDAaVSLdoYUQAJRLcmG8bZnGGR6eWhQP09/X
/gHj5MXm+MXeaNiNlWcG4NsrdPFmYXg63zVa9jmIoJ/G4DAWsG8vQ39mOLIqmn8n
Novl67GjE5ltkRxKg6OIgyPGJjNUUlB95P1Ylwoc/yLsadD93/pFbye1VPUSCB19
/2wu9uB8ycv5CSNZQLrznqs16/o4DIWnlIgZ/cY8c8b85R0/FfdxFwzNJNiYyNuH
IsHEH6HwVZyZ14vVCez4KfBg+sWEmU8pcGh4Y7XzyH2Pppk7w5uHRl2nv84bCeCL
gIDfYcMC5iyVbRoEw08TemprD53LUdL6BIcotIRKMuIYV3xq74gy+46GEF1dq/Mt
6vtZ41CBjXF74umWr2LKArRPMt02ZqiUD+3PLRFa9AbR4Mn8cps0g6YjBxkiZOfs
dH8n94dUdZtmkdQDRNadQV0L346PcXY9n5fMUE2Hnn/e+dpUsinkswVTwZ3/ikei
sRlOU9b0Gn1ZriFF+cNjNQayN650y1Hvmyx2XLZxQ/v2fZC6quoRDKmYE9bWP6Yu
xHdOicpGdpnDOGZH77KsmNHkUNDHe+6v51DKks/OLjBQs11+pHS2akeFTOGnykO2
Ohlt+kdgy5u5ntaluHjyod3nYCK3Aqo1v5Vu2gy8c939lBkHQzvGZ/IqluysaRiS
Ik71Z92ODaaGL8p9iesq
=oS4/
-----END PGP SIGNATURE-----
Reply sent
to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility.
(Wed, 04 Jun 2014 06:51:35 GMT) (full text, mbox, link).
Notification sent
to Demetris Demetriou <mitsosgtir@gmail.com>:
Bug acknowledged by developer.
(Wed, 04 Jun 2014 06:51:35 GMT) (full text, mbox, link).
Message #24 received at 747432-close@bugs.debian.org (full text, mbox, reply):
Source: openssl
Source-Version: 1.0.1e-2+deb7u9
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 747432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 12 May 2014 22:10:41 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1e-2+deb7u9
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
libcrypto1.0.0-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl-doc - SSL development documentation documentation
libssl1.0.0 - SSL shared libraries
libssl1.0.0-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 747432
Changes:
openssl (1.0.1e-2+deb7u9) wheezy-security; urgency=medium
.
* Fix CVE-2014-0198 (Closes: #747432)
Checksums-Sha1:
7b2786cda25b0f46eef61e5674d1f632ce757f97 2214 openssl_1.0.1e-2+deb7u9.dsc
7dbf22f512e3aebb984a4fdf0df1d4d2b311b840 103950 openssl_1.0.1e-2+deb7u9.debian.tar.gz
ad3884c3658b66c5ad60ebd25b9725254545e228 1197974 libssl-doc_1.0.1e-2+deb7u9_all.deb
b4c6bd2f934cf35e9601e971927c0a9293887002 700280 openssl_1.0.1e-2+deb7u9_amd64.deb
acc7c51d48495614e082642b65aa48b7bd297f38 1257882 libssl1.0.0_1.0.1e-2+deb7u9_amd64.deb
6d165af4fd4436827c75e9cd16cdc739a8115181 635696 libcrypto1.0.0-udeb_1.0.1e-2+deb7u9_amd64.udeb
79d1ddfc2a0311bff0974a0e883eae8129cffcf7 1752510 libssl-dev_1.0.1e-2+deb7u9_amd64.deb
750dbd6abc09ab1201f77d68769c131fa0ec59a6 3078244 libssl1.0.0-dbg_1.0.1e-2+deb7u9_amd64.deb
Checksums-Sha256:
3f6f86a3ee39fb529c907e760b52b8eff81fadb26ca4fe4516e8422a1cdcceae 2214 openssl_1.0.1e-2+deb7u9.dsc
c605b61bdb2f49234f42a43f3600b46771448198947c908489613e44c35e0134 103950 openssl_1.0.1e-2+deb7u9.debian.tar.gz
ba063854e3b868c7efadd8dd2785291d40fecc6619b81a56b5a6b543240e86fe 1197974 libssl-doc_1.0.1e-2+deb7u9_all.deb
7d26d0c414ae5557ec989c119997e0d0471c2b35897f3dc1bc85d7fc7fb9642b 700280 openssl_1.0.1e-2+deb7u9_amd64.deb
2b7a62bfd8918682d92e4311fd844200e7fd1061374e0c71e5ddc83269ebb77e 1257882 libssl1.0.0_1.0.1e-2+deb7u9_amd64.deb
eff0cbd5e2a725a8868aa9dbfec238836bba7326247d7ef11bdbe8e5e2b241f8 635696 libcrypto1.0.0-udeb_1.0.1e-2+deb7u9_amd64.udeb
a556d5693dc5fa80d68352256ac193d85674a721e1e75f0945a1e7aedc3d1886 1752510 libssl-dev_1.0.1e-2+deb7u9_amd64.deb
6381e11bb90896a870e210e61f5305656d07945d2755659095e4b1ee6be89ddc 3078244 libssl1.0.0-dbg_1.0.1e-2+deb7u9_amd64.deb
Files:
92364a9835dca57b2a9e62434030b3c0 2214 utils optional openssl_1.0.1e-2+deb7u9.dsc
92496cfe2c6cd9efae196ad446d733dc 103950 utils optional openssl_1.0.1e-2+deb7u9.debian.tar.gz
517fd54b82dc2a6343909651e31596f9 1197974 doc optional libssl-doc_1.0.1e-2+deb7u9_all.deb
53699f0ded6b96a665a4feb67b5526af 700280 utils optional openssl_1.0.1e-2+deb7u9_amd64.deb
9219b78e3af03b5a2dca7d7b0f833735 1257882 libs important libssl1.0.0_1.0.1e-2+deb7u9_amd64.deb
b122959233ed6ea7e37ba43471e93018 635696 debian-installer optional libcrypto1.0.0-udeb_1.0.1e-2+deb7u9_amd64.udeb
70c1c5e7eda1cf48f4699b77fee12092 1752510 libdevel optional libssl-dev_1.0.1e-2+deb7u9_amd64.deb
43e571d7f33f96bdd312117692074e62 3078244 debug extra libssl1.0.0-dbg_1.0.1e-2+deb7u9_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTcUBtAAoJEKGfLDAaVSLdDw4P/jhr1vCIA5XWYa1Yg8g7819X
H71pDEAJDElEgaXcwc06SgXACDxOm30V1xqH3dCboexowJAYrUq/RjAdXo6wanBm
00wywMoT38kV7DgxHrdYIxOkbHHOpquG07ovTmMvVrMD+G7Ps1M3ch4zvIi4AGA9
WqyK4cllTHaty/F6gU8YVJqQITOwr5TJoCbXUZbzGZtXNC0S1COD3d36rYIRa9K9
TpBQfQO7jKyckJerc5DrZLDmHSS9x1iThpTls14uTc4DfqXxR/EyrqA2RfjMa3tu
n+8mRZpkG0QA9RNlJC2uhopsl4gkKh4/TvjDDV7PzCcpr0VYuggXorB6jtSZc1Ib
sL/dA9uUW6rUad2XCsYAQnnqpfOQ0vhdYvWIneG1vb1Mo3UNKqmDMeHQ2OYjcTK8
anNbM2EPXwCVdmZzA+ttSbvLOXIoPL8UGrNxLYJvB4bDWlU+2OYyl7kq2N/PPJbn
waesLDky4kA5a5XjxAWkZY7TgF6YQiFQDC2b1ObwAuvay1rTl8C6euYG2Q0PatNN
ecw9AxccSGOj1eR9EVrmYo5wgVOzCxhLjDpRAxXq2SDwhi7YbIDOxCADng8w8/fd
NwBuYb+a4n8S0jYv9YXGh/HEu7mGDF9xbd6mGSp2rqTKVwLdCFYJzBKEtJHTRn/X
uJzjX/2s8qnl8HN3Bapo
=3xx4
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 02 Jul 2014 07:27:49 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:12:31 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon