CVE-2009-3490: does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate

Related Vulnerabilities: CVE-2009-3490, CVE-2009-2408

Debian Bug report logs - #549293
CVE-2009-3490: does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate


Package: wget; Maintainer for wget is Noël Köthe <noel@debian.org>; Source for wget is src:wget (PTS, buildd, popcon).

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Fri, 2 Oct 2009 07:48:01 UTC

Severity: grave

Tags: security

Found in version wget/1.11.4-4

Fixed in versions wget/1.12-1, wget/1.11.4-2+lenny1, wget/1.10.2-2+etch4

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Noèl Köthe <noel@debian.org>:
Bug#549293; Package wget. (Fri, 02 Oct 2009 07:48:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Noèl Köthe <noel@debian.org>. (Fri, 02 Oct 2009 07:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-3490: does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate
Date: Fri, 02 Oct 2009 09:39:59 +0200
Package: wget
Version: 1.11.4-4
Severity: grave
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wget.

CVE-2009-3490[0]:
| GNU Wget before 1.12 does not properly handle a '\0' character in a
| domain name in the Common Name field of an X.509 certificate, which
| allows man-in-the-middle remote attackers to spoof arbitrary SSL
| servers via a crafted certificate issued by a legitimate Certification
| Authority, a related issue to CVE-2009-2408.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3490
    http://security-tracker.debian.net/tracker/CVE-2009-3490


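The CVE text above turns on one detail: an X.509 Common Name is a length-delimited ASN.1 string, so it may contain a 0x00 byte, while a C-string comparison stops at that byte. The following C snippet is an added illustration, not wget's code or the upstream fix; it places the truncating comparison beside a length-aware check that rejects such a CN. The CN bytes and host names are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not wget's code. An X.509 Common Name is a
 * length-delimited ASN.1 string and may legally contain a 0x00 byte.
 * Code that copies it into a char buffer and compares it with strcmp()
 * stops at that byte and only ever sees the prefix (CVE-2009-3490).
 * Real code also compares case-insensitively; strcmp/memcmp keep the
 * example short. */

/* Vulnerable pattern: the certificate's own length is ignored and the
 * CN is treated as a NUL-terminated C string. */
static bool cn_matches_cstring(const unsigned char *cn, size_t cn_len,
                               const char *host)
{
    (void)cn_len;
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened pattern: refuse any CN with an embedded NUL, then compare the
 * full length-delimited contents against the requested host name. */
static bool cn_matches_checked(const unsigned char *cn, size_t cn_len,
                               const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;           /* malformed CN: reject the certificate */
    if (cn_len != strlen(host))
        return false;
    return memcmp(cn, host, cn_len) == 0;
}

/* Constructed CNs for the demo (not taken from any real certificate). */
static const unsigned char kCraftedCn[] = "www.example.com\0.evil.test";
static const size_t kCraftedCnLen = sizeof(kCraftedCn) - 1;  /* 26 bytes */
static const unsigned char kHonestCn[] = "www.example.com";
static const size_t kHonestCnLen = sizeof(kHonestCn) - 1;    /* 15 bytes */

int main(void)
{
    const char *host = "www.example.com";
    printf("crafted CN, C-string compare: %s\n",
           cn_matches_cstring(kCraftedCn, kCraftedCnLen, host) ? "ACCEPTED" : "rejected");
    printf("crafted CN, checked compare:  %s\n",
           cn_matches_checked(kCraftedCn, kCraftedCnLen, host) ? "ACCEPTED" : "rejected");
    return 0;
}
```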




Information forwarded to debian-bugs-dist@lists.debian.org, Noèl Köthe <noel@debian.org>:
Bug#549293; Package wget. (Fri, 02 Oct 2009 16:12:03 GMT)


Acknowledgement sent to Micah Cowan <micah@cowan.name>:
Extra info received and forwarded to list. Copy sent to Noèl Köthe <noel@debian.org>. (Fri, 02 Oct 2009 16:12:03 GMT)


Message #10 received at submit@bugs.debian.org:

From: Micah Cowan <micah@cowan.name>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 549293@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#549293: CVE-2009-3490: does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate
Date: Fri, 02 Oct 2009 08:12:27 -0700
Giuseppe Iuculano wrote:
> Package: wget
> Version: 1.11.4-4
> Severity: grave
> Tags: security
> 
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for wget.
> 
> CVE-2009-3490[0]:
> | GNU Wget before 1.12 does not properly handle a '\0' character in a
> | domain name in the Common Name field of an X.509 certificate, which
> | allows man-in-the-middle remote attackers to spoof arbitrary SSL
> | servers via a crafted certificate issued by a legitimate Certification
> | Authority, a related issue to CVE-2009-2408.

Please note that upstream has already fixed this in Wget 1.12. If you
wish to apply it to Wget 1.11.4 (it should apply pretty cleanly), the
relevant changesets at http://hg.addictivecode.org/wget/mainline/ are:

2d8c76a23e7d   ( <-- the change itself )
f2d2ca32fd1b   ( <-- a message adjustment )
1eab157d3be7   ( <-- NEWS entry )

-- 
HTH,
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
http://micah.cowan.name/





Information forwarded to debian-bugs-dist@lists.debian.org, Noèl Köthe <noel@debian.org>:
Bug#549293; Package wget. (Fri, 02 Oct 2009 16:12:05 GMT)


Acknowledgement sent to Micah Cowan <micah@cowan.name>:
Extra info received and forwarded to list. Copy sent to Noèl Köthe <noel@debian.org>. (Fri, 02 Oct 2009 16:12:05 GMT)


Reply sent to Noèl Köthe <noel@debian.org>:
You have taken responsibility. (Tue, 06 Oct 2009 20:30:42 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Tue, 06 Oct 2009 20:30:42 GMT)


Message #20 received at 549293-close@bugs.debian.org:

From: Noèl Köthe <noel@debian.org>
To: 549293-close@bugs.debian.org
Subject: Bug#549293: fixed in wget 1.12-1
Date: Tue, 06 Oct 2009 20:19:19 +0000
Source: wget
Source-Version: 1.12-1

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:

wget_1.12-1.diff.gz
  to pool/main/w/wget/wget_1.12-1.diff.gz
wget_1.12-1.dsc
  to pool/main/w/wget/wget_1.12-1.dsc
wget_1.12-1_amd64.deb
  to pool/main/w/wget/wget_1.12-1_amd64.deb
wget_1.12.orig.tar.gz
  to pool/main/w/wget/wget_1.12.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 549293@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noèl Köthe <noel@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 06 Oct 2009 21:00:30 +0200
Source: wget
Binary: wget
Architecture: source amd64
Version: 1.12-1
Distribution: unstable
Urgency: low
Maintainer: Noèl Köthe <noel@debian.org>
Changed-By: Noèl Köthe <noel@debian.org>
Description: 
 wget       - retrieves files from the web
Closes: 250670 288716 338326 405127 481064 528642 549293
Changes: 
 wget (1.12-1) unstable; urgency=low
 .
   * new upstream release from 2009-09-22
     - fix CVE-2009-3490 "does not properly handle a '\0' character in a
       domain name in the Common Name field of an X.509 certificate"
       closes: Bug#549293
     - updated config.{guess,sub} closes: Bug#528642
     - remove IPv4 precedence from wget closes: Bug#481064
     - support for IDN/IRI domains closes: Bug#405127
     - fix output of non-verbose spider mode closes: Bug#338326
     - fix --delete-after leaves robots.txt lying around
       closes: Bug#288716
     - fix misleading error message when using -O -
       closes: Bug#250670
   * debian/control updated Standards-Version to 3.8.3, no changes





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sat, 10 Oct 2009 14:42:12 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 10 Oct 2009 14:42:13 GMT)


Message #25 received at 549293-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 549293-close@bugs.debian.org
Subject: Bug#549293: fixed in wget 1.11.4-2+lenny1
Date: Sat, 10 Oct 2009 13:58:25 +0000
Source: wget
Source-Version: 1.11.4-2+lenny1

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:

wget_1.11.4-2+lenny1.diff.gz
  to pool/main/w/wget/wget_1.11.4-2+lenny1.diff.gz
wget_1.11.4-2+lenny1.dsc
  to pool/main/w/wget/wget_1.11.4-2+lenny1.dsc
wget_1.11.4-2+lenny1_i386.deb
  to pool/main/w/wget/wget_1.11.4-2+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 549293@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 08 Oct 2009 14:33:55 +0200
Source: wget
Binary: wget
Architecture: source i386
Version: 1.11.4-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Noèl Köthe <noel@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 wget       - retrieves files from the web
Closes: 549293
Changes: 
 wget (1.11.4-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2009-3490: Fixed incorrect verification of SSL certificate with NUL in
     name (Closes: #549293)





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Mon, 19 Oct 2009 02:12:03 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Mon, 19 Oct 2009 02:12:03 GMT)


Message #30 received at 549293-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 549293-close@bugs.debian.org
Subject: Bug#549293: fixed in wget 1.10.2-2+etch4
Date: Mon, 19 Oct 2009 01:58:06 +0000
Source: wget
Source-Version: 1.10.2-2+etch4

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:

wget_1.10.2-2+etch4.diff.gz
  to pool/main/w/wget/wget_1.10.2-2+etch4.diff.gz
wget_1.10.2-2+etch4.dsc
  to pool/main/w/wget/wget_1.10.2-2+etch4.dsc
wget_1.10.2-2+etch4_i386.deb
  to pool/main/w/wget/wget_1.10.2-2+etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 549293@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 08 Oct 2009 13:44:36 +0200
Source: wget
Binary: wget
Architecture: source i386
Version: 1.10.2-2+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Noèl Köthe <noel@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 wget       - retrieves files from the web
Closes: 549293
Changes: 
 wget (1.10.2-2+etch4) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2009-3490: Fixed incorrect verification of SSL certificate with NUL in
     name (Closes: #549293)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 16 Aug 2011 07:36:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:37:12 2019; Machine Name: buxtehude
