Debian Bug report logs - #732754
openssl: CVE-2013-6449: crash when using TLS 1.2
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 21 Dec 2013 07:21:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in version openssl/1.0.1e-2
Fixed in versions openssl/1.0.1e-5, openssl/1.0.1e-2+deb7u1
Done: Kurt Roeckx <kurt@roeckx.be>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Sat, 21 Dec 2013 07:21:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 21 Dec 2013 07:21:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: openssl
Version: 1.0.1e-2
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for openssl.
CVE-2013-6449[0]:
crash when using TLS 1.2
It was reported in Apache Traffic Server[1] and upstream at [2], see
also [3]. I was not able to reproduce any crash myself, just checking
against the openssl source package to verify upstream patches apply.
See [4] and [5] for the patches applied.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449
http://security-tracker.debian.org/tracker/CVE-2013-6449
[1] https://issues.apache.org/jira/browse/TS-2355
[2] http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1045363
[4] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ca98926
[5] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0294b2b
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Sat, 21 Dec 2013 08:39:04 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 21 Dec 2013 08:39:04 GMT)
Message #10 received at 732754@bugs.debian.org:
On Sat, Dec 21, 2013 at 08:16:42AM +0100, Salvatore Bonaccorso wrote:
> Package: openssl
> Version: 1.0.1e-2
> Severity: grave
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for openssl.
>
> CVE-2013-6449[0]:
> crash when using TLS 1.2
>
> It was reported in Apache Traffic Server[1] and upstream at [2], see
> also [3]. I was not able to reproduce any crash myself, just checking
> against the openssl source package to verify upstream patches apply.
> See [4] and [5] for the patches applied.
I was expecting this, and planning an upload for it already. I'll
prepare an upload later today.
I have a bunch of other patches that I'd like to see reach stable,
but I'm not sure how many of those you like in a DSA.
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Sat, 21 Dec 2013 20:27:12 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 21 Dec 2013 20:27:12 GMT)
Message #15 received at 732754@bugs.debian.org:
Hi Kurt,
On Sat, Dec 21, 2013 at 09:35:38AM +0100, Kurt Roeckx wrote:
> On Sat, Dec 21, 2013 at 08:16:42AM +0100, Salvatore Bonaccorso wrote:
> > Package: openssl
> > Version: 1.0.1e-2
> > Severity: grave
> > Tags: security upstream patch
> >
> > Hi,
> >
> > the following vulnerability was published for openssl.
> >
> > CVE-2013-6449[0]:
> > crash when using TLS 1.2
> >
> > It was reported in Apache Traffic Server[1] and upstream at [2], see
> > also [3]. I was not able to reproduce any crash myself, just checking
> > against the openssl source package to verify upstream patches apply.
> > See [4] and [5] for the patches applied.
>
> I was expecting this, and planning an upload for it already. I'll
> prepare an upload later today.
Thanks!
> I have a bunch of other patches that I'd like to see reach stable,
> but I'm not sure how many of those you like in a DSA.
Okay. Could you send what you are thinking of, to the security team
alias, so that somebody on the team can comment/have a look/...? Is this
about #720426? (If so an 'ack' from the Release Team would be needed
also to have them included).
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Sat, 21 Dec 2013 23:27:09 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 21 Dec 2013 23:27:09 GMT)
Message #20 received at 732754@bugs.debian.org:
On Sat, Dec 21, 2013 at 09:24:38PM +0100, Salvatore Bonaccorso wrote:
> Hi Kurt,
>
> On Sat, Dec 21, 2013 at 09:35:38AM +0100, Kurt Roeckx wrote:
> > On Sat, Dec 21, 2013 at 08:16:42AM +0100, Salvatore Bonaccorso wrote:
> > > Package: openssl
> > > Version: 1.0.1e-2
> > > Severity: grave
> > > Tags: security upstream patch
> > >
> > > Hi,
> > >
> > > the following vulnerability was published for openssl.
> > >
> > > CVE-2013-6449[0]:
> > > crash when using TLS 1.2
> > >
> > > It was reported in Apache Traffic Server[1] and upstream at [2], see
> > > also [3]. I was not able to reproduce any crash myself, just checking
> > > against the openssl source package to verify upstream patches apply.
> > > See [4] and [5] for the patches applied.
> >
> > I was expecting this, and planning an upload for it already. I'll
> > prepare an upload later today.
>
> Thanks!
>
> > I have a bunch of other patches that I'd like to see reach stable,
> > but I'm not sure how many of those you like in a DSA.
>
> Okay. Could you send what you are thinking of, to the security team
> alias, so that somebody on the team can comment/have a look/...? Is this
> about #720426? (If so an 'ack' from the Release Team would be needed
> also to have them included).
I'd like to see those reach stable too, and I'm really tired of
waiting for them.
But I'm also thinking about at least #732710
There are also things like:
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Mon Sep 16 05:23:44 2013 +0100
Disable Dual EC DRBG.
Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.
And there is a whole bunch of other things I want to get fixed but
which are less important.
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Sun, 22 Dec 2013 18:18:05 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 22 Dec 2013 18:18:05 GMT)
Message #25 received at 732754@bugs.debian.org:
On Sun, Dec 22, 2013 at 12:25:16AM +0100, Kurt Roeckx wrote:
> But I'm also thinking about at least #732710
>
> There are also things like:
> Author: Dr. Stephen Henson <steve@openssl.org>
> Date: Mon Sep 16 05:23:44 2013 +0100
>
> Disable Dual EC DRBG.
>
> Return an error if an attempt is made to enable the Dual EC DRBG: it
> is not used by default.
>
> And there is a whole bunch of other things I want to get fixed but
> which are less important.
And then this just appeared in git too:
commit 34628967f1e65dc8f34e000f0f5518e21afbfc7b
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Fri Dec 20 15:26:50 2013 +0000
Fix DTLS retransmission from previous session.
For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
Kurt
Reply sent to Kurt Roeckx <kurt@roeckx.be>: You have taken responsibility. (Sun, 22 Dec 2013 19:51:22 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 22 Dec 2013 19:51:22 GMT)
Message #30 received at 732754-close@bugs.debian.org:
Source: openssl
Source-Version: 1.0.1e-5
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 732754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Dec 2013 19:25:35 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1e-5
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
libssl-dev - Secure Sockets Layer toolkit - development files
libssl-doc - Secure Sockets Layer toolkit - development documentation
libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
openssl - Secure Sockets Layer toolkit - cryptographic utility
Closes: 694738 728055 732348 732710 732754
Changes:
openssl (1.0.1e-5) unstable; urgency=low
.
* Change default digest to SHA256 instead of SHA1. (Closes: #694738)
* Drop support for multiple certificates in 1 file. It never worked
properly in the first place, and the only one shipping in
ca-certificates has been split.
* Fix libdoc-manpgs-pod-spell.patch to only fix spalling errors
* Remove make-targets.patch. It prevented the test dir from being cleaned.
* Update to a git snapshot of the OpenSSL_1_0_1-stable branch.
- Fixes CVE-2013-6449 (Closes: #732754)
- Fixes CVE-2013-6450
- Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch
dtls_version.patch get_certificate.patch, since they where all
already commited upstream.
- adjust fix-pod-errors.patch for the reordering of items in the
documentation they've done trying to fix those pod errors.
- disable rdrand engine by default (Closes: #732710)
* disable zlib support. Fixes CVE-2012-4929 (Closes: #728055)
* Add arm64 support (Closes: #732348)
* Properly use the default number of bits in req when none are given
Package-Type: udeb
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Sun, 22 Dec 2013 22:54:15 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 22 Dec 2013 22:54:15 GMT)
Message #35 received at 732754@bugs.debian.org:
On Sun, Dec 22, 2013 at 07:14:00PM +0100, Kurt Roeckx wrote:
> On Sun, Dec 22, 2013 at 12:25:16AM +0100, Kurt Roeckx wrote:
> > But I'm also thinking about at least #732710
> >
> > There are also things like:
> > Author: Dr. Stephen Henson <steve@openssl.org>
> > Date: Mon Sep 16 05:23:44 2013 +0100
> >
> > Disable Dual EC DRBG.
> >
> > Return an error if an attempt is made to enable the Dual EC DRBG: it
> > is not used by default.
> >
> > And there is a whole bunch of other things I want to get fixed but
> > which are less important.
>
> And then this just appeared in git too:
> commit 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> Author: Dr. Stephen Henson <steve@openssl.org>
> Date: Fri Dec 20 15:26:50 2013 +0000
>
> Fix DTLS retransmission from previous session.
>
> For DTLS we might need to retransmit messages from the previous session
> so keep a copy of write context in DTLS retransmission buffers instead
> of replacing it after sending CCS. CVE-2013-6450.
So after looking at things, I have about 25 patches I'd like to
move to testing.
For security I would like to have the following:
- CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
ca989269a2876bae79393bd54c3e72d49975fc75
- CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
- disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
- Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Mon, 23 Dec 2013 17:45:04 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 23 Dec 2013 17:45:04 GMT)
Message #40 received at 732754@bugs.debian.org:
On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
>
> For security I would like to have the following:
> - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> ca989269a2876bae79393bd54c3e72d49975fc75
> - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
So I've put that at:
http://people.debian.org/~kroeckx/openssl/
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Sun, 29 Dec 2013 07:57:04 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 29 Dec 2013 07:57:04 GMT)
Message #45 received at 732754@bugs.debian.org:
On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> >
> > For security I would like to have the following:
> > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > ca989269a2876bae79393bd54c3e72d49975fc75
> > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
>
> So I've put that at:
> http://people.debian.org/~kroeckx/openssl/
Looks good to me. Please upload to security-master.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Mon, 06 Jan 2014 17:33:04 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 06 Jan 2014 17:33:04 GMT)
Message #50 received at 732754@bugs.debian.org:
On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> >
> > For security I would like to have the following:
> > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > ca989269a2876bae79393bd54c3e72d49975fc75
> > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
>
> So I've put that at:
> http://people.debian.org/~kroeckx/openssl/
So the patch for CVE-2013-6450 was missing a commit. See:
http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
I'll upload a 1.0.1e-2+deb7u2 soon.
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Mon, 06 Jan 2014 17:57:09 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 06 Jan 2014 17:57:09 GMT)
Message #55 received at 732754@bugs.debian.org:
On Mon, Jan 06, 2014 at 06:24:14PM +0100, Kurt Roeckx wrote:
> On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> > On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> > >
> > > For security I would like to have the following:
> > > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > > ca989269a2876bae79393bd54c3e72d49975fc75
> > > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
> >
> > So I've put that at:
> > http://people.debian.org/~kroeckx/openssl/
>
> So the patch for CVE-2013-6450 was missing a commit. See:
> http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
>
> I'll upload a 1.0.1e-2+deb7u2 soon.
I've uploaded it. The changelog for it:
* The patch we applied for CVE-2013-6450 was causing segfaults,
also apply the previous commit checking for NULL in
EVP_MD_CTX_destroy()
* Fix for TLS record tampering bug CVE-2013-4353
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Mon, 06 Jan 2014 18:24:04 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 06 Jan 2014 18:24:04 GMT)
Message #60 received at 732754@bugs.debian.org:
On Mon, Jan 06, 2014 at 06:54:33PM +0100, Kurt Roeckx wrote:
> On Mon, Jan 06, 2014 at 06:24:14PM +0100, Kurt Roeckx wrote:
> > On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> > > On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> > > >
> > > > For security I would like to have the following:
> > > > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > > > ca989269a2876bae79393bd54c3e72d49975fc75
> > > > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > > > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > > > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
> > >
> > > So I've put that at:
> > > http://people.debian.org/~kroeckx/openssl/
> >
> > So the patch for CVE-2013-6450 was missing a commit. See:
> > http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
> >
> > I'll upload a 1.0.1e-2+deb7u2 soon.
>
> I've uploaded it. The changelog for it:
> * The patch we applied for CVE-2013-6450 was causing segfaults,
> also apply the previous commit checking for NULL in
> EVP_MD_CTX_destroy()
> * Fix for TLS record tampering bug CVE-2013-4353
So after uploading this, I got this as reply:
> Although there is no CVE connected to it it is also advisable to
> include f3dcc8411e518fb0835c7d72df4a58718205260d as well.
Should I make another upload (with different version) for that?
Kurt
The patch would be:
commit f3dcc8411e518fb0835c7d72df4a58718205260d
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Tue Dec 24 18:17:00 2013 +0000
Don't change version number if session established
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.
Thanks to Marek Majkowski for additional analysis of this issue.
PR#3191
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index c4bc4e7..96ba632 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
if (version != s->version)
{
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
- if ((s->version & 0xFF00) == (version & 0xFF00))
+ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
/* Send back error using their minor version number :-) */
s->version = (unsigned short)version;
al=SSL_AD_PROTOCOL_VERSION;
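Review bot: the added test in the ssl/s3_pkt.c hunk, `!s->enc_write_ctx && !s->write_hash`, stands in for "no session established yet" (per the commit message), but nothing in the code says so, and the comment right below it still reads as if the version is always switched to the peer's minor version. A short comment stating why a set write cipher context or write hash means the version must stay fixed would make the intent reviewable. The changed line also runs well past 80 columns; the ssl/s3_srvr.c hunk wraps the same condition over two lines, and wrapping it here the same way would keep the two sites consistent.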
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index e5a8b3f..52efed3 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
(s->version != DTLS1_VERSION && s->client_version < s->version))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
- if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
+ if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
+ !s->enc_write_ctx && !s->write_hash)
{
/* similar to ssl3_get_record, send alert using remote version number */
s->version = s->client_version;
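Review bot: the condition added in ssl3_get_client_hello repeats the `!s->enc_write_ctx && !s->write_hash` test from ssl/s3_pkt.c verbatim, so the two call sites can drift apart if one is changed later; a small shared macro or helper with a descriptive name would avoid that. The existing comment "similar to ssl3_get_record, send alert using remote version number" should also say that the switch is now skipped once a session is established, since that is the behaviour the commit message describes.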
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Mon, 06 Jan 2014 18:36:17 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 06 Jan 2014 18:36:17 GMT)
Message #65 received at 732754@bugs.debian.org:
On Mon, Jan 06, 2014 at 07:20:25PM +0100, Kurt Roeckx wrote:
> On Mon, Jan 06, 2014 at 06:54:33PM +0100, Kurt Roeckx wrote:
> > On Mon, Jan 06, 2014 at 06:24:14PM +0100, Kurt Roeckx wrote:
> > > On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> > > > On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> > > > >
> > > > > For security I would like to have the following:
> > > > > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > > > > ca989269a2876bae79393bd54c3e72d49975fc75
> > > > > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > > > > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > > > > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
> > > >
> > > > So I've put that at:
> > > > http://people.debian.org/~kroeckx/openssl/
> > >
> > > So the patch for CVE-2013-6450 was missing a commit. See:
> > > http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
> > >
> > > I'll upload a 1.0.1e-2+deb7u2 soon.
> >
> > I've uploaded it. The changelog for it:
> > * The patch we applied for CVE-2013-6450 was causing segfaults,
> > also apply the previous commit checking for NULL in
> > EVP_MD_CTX_destroy()
> > * Fix for TLS record tampering bug CVE-2013-4353
>
> So after uploading this, I got this as reply:
> > Although there is no CVE connected to it it is also advisable to
> > include f3dcc8411e518fb0835c7d72df4a58718205260d as well.
>
> Should I make another upload (with different version) for that?
Yes, please include it.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Mon, 06 Jan 2014 18:45:04 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 06 Jan 2014 18:45:04 GMT)
Message #70 received at 732754@bugs.debian.org:
On Mon, Jan 06, 2014 at 07:35:40PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Jan 06, 2014 at 07:20:25PM +0100, Kurt Roeckx wrote:
> > On Mon, Jan 06, 2014 at 06:54:33PM +0100, Kurt Roeckx wrote:
> > > On Mon, Jan 06, 2014 at 06:24:14PM +0100, Kurt Roeckx wrote:
> > > > On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> > > > > On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> > > > > >
> > > > > > For security I would like to have the following:
> > > > > > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > > > > > ca989269a2876bae79393bd54c3e72d49975fc75
> > > > > > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > > > > > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > > > > > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
> > > > >
> > > > > So I've put that at:
> > > > > http://people.debian.org/~kroeckx/openssl/
> > > >
> > > > So the patch for CVE-2013-6450 was missing a commit. See:
> > > > http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
> > > >
> > > > I'll upload a 1.0.1e-2+deb7u2 soon.
> > >
> > > I've uploaded it. The changelog for it:
> > > * The patch we applied for CVE-2013-6450 was causing segfaults,
> > > also apply the previous commit checking for NULL in
> > > EVP_MD_CTX_destroy()
> > > * Fix for TLS record tampering bug CVE-2013-4353
> >
> > So after uploading this, I got this as reply:
> > > Although there is no CVE connected to it it is also advisable to
> > > include f3dcc8411e518fb0835c7d72df4a58718205260d as well.
> >
> > Should I make another upload (with different version) for that?
>
> Yes, please include it.
So should I reuse the version number, or change it?
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Mon, 06 Jan 2014 18:57:11 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 06 Jan 2014 18:57:11 GMT)
Message #75 received at 732754@bugs.debian.org:
On Mon, Jan 06, 2014 at 07:41:05PM +0100, Kurt Roeckx wrote:
> On Mon, Jan 06, 2014 at 07:35:40PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Jan 06, 2014 at 07:20:25PM +0100, Kurt Roeckx wrote:
> > > On Mon, Jan 06, 2014 at 06:54:33PM +0100, Kurt Roeckx wrote:
> > > > On Mon, Jan 06, 2014 at 06:24:14PM +0100, Kurt Roeckx wrote:
> > > > > On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> > > > > > On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> > > > > > >
> > > > > > > For security I would like to have the following:
> > > > > > > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > > > > > > ca989269a2876bae79393bd54c3e72d49975fc75
> > > > > > > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > > > > > > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > > > > > > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
> > > > > >
> > > > > > So I've put that at:
> > > > > > http://people.debian.org/~kroeckx/openssl/
> > > > >
> > > > > So the patch for CVE-2013-6450 was missing a commit. See:
> > > > > http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
> > > > >
> > > > > I'll upload a 1.0.1e-2+deb7u2 soon.
> > > >
> > > > I've uploaded it. The changelog for it:
> > > > * The patch we applied for CVE-2013-6450 was causing segfaults,
> > > > also apply the previous commit checking for NULL in
> > > > EVP_MD_CTX_destroy()
> > > > * Fix for TLS record tampering bug CVE-2013-4353
> > >
> > > So after uploading this, I got this as reply:
> > > > Although there is no CVE connected to it it is also advisable to
> > > > include f3dcc8411e518fb0835c7d72df4a58718205260d as well.
> > >
> > > Should I make another upload (with different version) for that?
> >
> > Yes, please include it.
>
> So should I reuse the version number, or change it?
Better bump it, that way we don't cause confusion on the buildds.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#732754; Package openssl. (Mon, 06 Jan 2014 19:39:09 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 06 Jan 2014 19:39:09 GMT)
Message #80 received at 732754@bugs.debian.org:
On Mon, Jan 06, 2014 at 07:53:41PM +0100, Moritz Mühlenhoff wrote:
> > > >
> > > > So after uploading this, I got this as reply:
> > > > > > Although there is no CVE connected to it, it is also advisable to
> > > > > > include f3dcc8411e518fb0835c7d72df4a58718205260d as well.
> > > > >
> > > > > Should I make another upload (with different version) for that?
> > >
> > > Yes, please include it.
> >
> > So should I reuse the version number, or change it?
>
> Better bump it, that way we don't cause confusion on the buildds.
New version uploaded.
Kurt
Reply sent to Kurt Roeckx <kurt@roeckx.be>: You have taken responsibility. (Mon, 06 Jan 2014 22:51:28 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 06 Jan 2014 22:51:28 GMT)
Message #85 received at 732754-close@bugs.debian.org:
Source: openssl
Source-Version: 1.0.1e-2+deb7u1
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 732754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 23 Dec 2013 17:47:19 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1e-2+deb7u1
Distribution: stable-security
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
libcrypto1.0.0-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl-doc - SSL development documentation documentation
libssl1.0.0 - SSL shared libraries
libssl1.0.0-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 732710 732754
Changes:
openssl (1.0.1e-2+deb7u1) stable-security; urgency=medium
.
* Fix CVE-2013-6449 (Closes: #732754)
* Fix CVE-2013-6450
* disable rdrand by default. It was used as only source of entropy when
available. (Closes: #732710)
* Disable Dual EC DRBG.
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Feb 2014 07:31:11 GMT)