CVE-2009-0653: missing verification


Debian Bug report logs - #517791
CVE-2009-0653: missing verification


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Mon, 2 Mar 2009 02:21:05 UTC

Severity: important

Tags: security

Found in version openssl/0.9.8g-15

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#517791; Package openssl. (Mon, 02 Mar 2009 02:21:07 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 02 Mar 2009 02:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-0653: missing verification
Date: Mon, 02 Mar 2009 13:20:17 +1100

Package: openssl
Version: 0.9.8g-15
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssl.

CVE-2009-0653[0]:
| OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an
| intermediate CA-signed certificate, which allows remote attackers to
| spoof the certificates of trusted sites via a man-in-the-middle
| attack, a related issue to CVE-2002-0970.

I wasn't really sure about this issue, so could you maybe state your
opinion on it?

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0653
    http://security-tracker.debian.net/tracker/CVE-2009-0653
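The CVE text above describes a verifier that accepts a certificate signed by an intermediate that does not assert cA=true in its Basic Constraints extension. As an added example (not part of this bug report and not OpenSSL's code), the following self-contained Go program builds a throwaway test PKI and checks that a client's path validation rejects that chain shape while accepting a proper one. It uses Go's crypto/x509 as the verifier rather than OpenSSL; all names ("Example Test Root", "host.example.net", "www.example.com"), serial numbers and keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-certificate path: a trusted root, a middle
// certificate issued by the root, and a leaf for www.example.com issued by the
// middle certificate's key. Every name, serial and key here is a throwaway
// value made up for this example.
type Chain struct {
	Root, Middle, Leaf *x509.Certificate
}

// newKey makes a fresh P-256 key; nothing here is a real site or CA key.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal X.509v3 template. BasicConstraintsValid makes Go
// emit the Basic Constraints extension, with its cA flag taken from isCA.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// End-entity certificate: a SAN for hostname matching and the TLS server EKU.
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl under parent with the parent's private key (self-signed
// when parent is tmpl itself) and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain constructs root -> middle -> leaf. With middleIsCA=false the
// middle certificate is an ordinary end-entity certificate (cA=false) whose
// key nevertheless signed the leaf: the path shape a verifier that skips the
// Basic Constraints check would wrongly accept.
func BuildChain(middleIsCA bool) Chain {
	rootKey, midKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := template("Example Test Root", 1, true)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	midName := "Example Test Intermediate CA"
	if !middleIsCA {
		midName = "host.example.net" // a plain server certificate from the same root
	}
	middle := sign(template(midName, 2, middleIsCA), root, &midKey.PublicKey, rootKey)

	leaf := sign(template("www.example.com", 3, false), middle, &leafKey.PublicKey, midKey)
	return Chain{Root: root, Middle: middle, Leaf: leaf}
}

// VerifyChain performs the client-side path validation: each certificate
// between the leaf and the root must assert cA=true in Basic Constraints, and
// the leaf must match the requested hostname. A nil result means accepted.
func VerifyChain(c Chain, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	inters.AddCert(c.Middle)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
	})
	return err
}

func main() {
	fmt.Println("CA intermediate     :", VerifyChain(BuildChain(true), "www.example.com"))
	fmt.Println("non-CA intermediate :", VerifyChain(BuildChain(false), "www.example.com"))
}
```

The first line prints `<nil>` (accepted); the second prints an "unknown authority" error because the middle certificate is not permitted to sign other certificates. The same two-chain test is a useful regression check for any TLS client library: a verifier that reports `<nil>` for the second chain has the class of defect this CVE describes.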




Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Wed, 04 Mar 2009 17:36:03 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Wed, 04 Mar 2009 17:36:03 GMT)


Message #10 received at 517791-done@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 517791-done@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#517791: CVE-2009-0653: missing verification
Date: Wed, 4 Mar 2009 18:33:54 +0100

On Mon, Mar 02, 2009 at 01:20:17PM +1100, Steffen Joeris wrote:
> Package: openssl
> Version: 0.9.8g-15
> Severity: important
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssl.
> 
> CVE-2009-0653[0]:
> | OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an
> | intermediate CA-signed certificate, which allows remote attackers to
> | spoof the certificates of trusted sites via a man-in-the-middle
> | attack, a related issue to CVE-2002-0970.
> 
> I wasn't really sure about this issue, so could you maybe state your
> opinion on it?

Upstream said it was fixed in 0.9.5, but looking at the timeline
that doesn't seem to make sense.  0.9.6 was from 2000, 0.9.7
from 2002.

In any case, I believe the 0.9.8 versions are all ok.  We do have
openssl097 in oldstable, that was released in 2006, so I believe
that has been fixed too.

So I'm closing this bug.


Kurt





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Apr 2009 07:34:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:19:26 2019; Machine Name: buxtehude
