polarssl: CVE-2015-1182: Remote attack using crafted certificates

Related Vulnerabilities: CVE-2015-1182  

Debian Bug report logs - #775776

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 19 Jan 2015 19:18:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions polarssl/1.2.9-1~deb7u1, polarssl/1.2.9-1~deb6u1, polarssl/1.3.9-2

Fixed in versions polarssl/1.2.9-1~deb7u5, polarssl/1.3.9-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#775776; Package src:polarssl. (Mon, 19 Jan 2015 19:18:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Stigge <stigge@antcom.de>. (Mon, 19 Jan 2015 19:18:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: polarssl: CVE-2015-1182: Remote attack using crafted certificates
Date: Mon, 19 Jan 2015 20:16:01 +0100
Source: polarssl
Version: 1.3.9-2
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for polarssl.

CVE-2015-1182[0]:
Remote attack using crafted certificates

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-1182
[1] https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions polarssl/1.2.9-1~deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 19 Jan 2015 19:21:08 GMT)


Marked as found in versions polarssl/1.2.9-1~deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 19 Jan 2015 19:21:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#775776; Package src:polarssl. (Wed, 21 Jan 2015 21:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Wed, 21 Jan 2015 21:15:04 GMT)


Message #14 received at 775776@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 775776@bugs.debian.org
Subject: Re: Bug#775776: polarssl: CVE-2015-1182: Remote attack using crafted certificates
Date: Wed, 21 Jan 2015 22:12:31 +0100
Hi Roland,

I have used the attached debdiff for preparing the wheezy-security
update (not yet released though).

Regards,
Salvatore
[polarssl_1.2.9-1~deb7u5.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#775776; Package src:polarssl. (Wed, 21 Jan 2015 21:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Wed, 21 Jan 2015 21:27:04 GMT)


Message #19 received at 775776@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 775776@bugs.debian.org
Subject: Re: Bug#775776: polarssl: CVE-2015-1182: Remote attack using crafted certificates -- patch for unstable and jessie
Date: Wed, 21 Jan 2015 22:22:53 +0100
Hi Roland,

Attached would be the debdiff for the unstable upload (Note: I have
*not* uploaded it to archive, nor yet to a delayed queue). Do you plan
to do the upload yourself? (In case needed I can do the NMU too).

Regards,
Salvatore
[polarssl_1.3.9-2.1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#775776; Package src:polarssl. (Thu, 22 Jan 2015 17:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Thu, 22 Jan 2015 17:06:04 GMT)


Message #24 received at 775776@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 775776@bugs.debian.org
Subject: polarssl: diff for NMU version 1.3.9-2.1
Date: Thu, 22 Jan 2015 18:02:31 +0100
Control: tags 775776 + pending

Dear maintainer,

I've prepared an NMU for polarssl (versioned as 1.3.9-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[polarssl-1.3.9-2.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 775776-submit@bugs.debian.org. (Thu, 22 Jan 2015 17:06:04 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 25 Jan 2015 13:57:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 25 Jan 2015 13:57:12 GMT)


Message #31 received at 775776-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 775776-close@bugs.debian.org
Subject: Bug#775776: fixed in polarssl 1.2.9-1~deb7u5
Date: Sun, 25 Jan 2015 13:53:02 +0000
Source: polarssl
Source-Version: 1.2.9-1~deb7u5

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775776@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 21 Jan 2015 20:58:06 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl0
Architecture: source amd64
Version: 1.2.9-1~deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl0 - lightweight crypto and SSL/TLS library
Closes: 775776
Changes: 
 polarssl (1.2.9-1~deb7u5) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2015-1182.patch patch.
     CVE-2015-1182: Denial of service and possible remote code execution
     using crafted certificates. (Closes: #775776)





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 27 Jan 2015 17:21:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 27 Jan 2015 17:21:14 GMT)


Message #36 received at 775776-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 775776-close@bugs.debian.org
Subject: Bug#775776: fixed in polarssl 1.3.9-2.1
Date: Tue, 27 Jan 2015 17:19:00 +0000
Source: polarssl
Source-Version: 1.3.9-2.1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775776@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 21 Jan 2015 22:09:05 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl7
Architecture: source amd64
Version: 1.3.9-2.1
Distribution: unstable
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl7 - lightweight crypto and SSL/TLS library
Closes: 775776
Changes:
 polarssl (1.3.9-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2015-1182.patch patch.
     CVE-2015-1182: Denial of service and possible remote code execution
     using crafted certificates. (Closes: #775776)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 08:01:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:48:00 2019; Machine Name: buxtehude
