Debian Bug report logs -
#704946
polarssl: CVE-2009-3555
Reported by: Michael Gilbert <mgilbert@debian.org>
Date: Mon, 8 Apr 2013 02:39:02 UTC
Severity: important
Tags: security
Fixed in version polarssl/1.3.1-1
Done: Roland Stigge <stigge@antcom.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#704946; Package polarssl.
(Mon, 08 Apr 2013 02:39:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Roland Stigge <stigge@antcom.de>.
(Mon, 08 Apr 2013 02:39:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: polarssl
Severity: important
Tags: security
Hi,
This issue is still being tracked as affecting polarssl in the
security tracker. It's old, so it's likely been fixed, but it's
important to be thorough, so please check that it is and adjust the
affected versions appropriately.
CVE-2009-3555[0]:
| The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
| used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in
| the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
| GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
| 3.12.4 and earlier, multiple Cisco products, and other products, does
| not properly associate renegotiation handshakes with an existing
| connection, which allows man-in-the-middle attackers to insert data
| into HTTPS sessions, and possibly other types of sessions protected by
| TLS or SSL, by sending an unauthenticated request that is processed
| retroactively by a server in a post-renegotiation context, related to
| a "plaintext injection" attack, aka the "Project Mogul" issue.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://security-tracker.debian.org/tracker/CVE-2009-3555
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#704946; Package polarssl.
(Mon, 08 Apr 2013 08:03:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list.
(Mon, 08 Apr 2013 08:03:08 GMT) (full text, mbox, link).
Message #10 received at 704946@bugs.debian.org (full text, mbox, reply):
Hi!
Thanks for the note!
On 04/08/2013 04:34 AM, Michael Gilbert wrote:
> This issue is still being tracked as affecting polarssl in the
> security tracker. It's old, so it's likely been fixed, but it's
> important to be thorough, so please check that it is and adjust the
> affected versions appropriately.
>
> CVE-2009-3555[0]:
> | The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
> | used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in
> | the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
> | GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
> | 3.12.4 and earlier, multiple Cisco products, and other products, does
> | not properly associate renegotiation handshakes with an existing
> | connection, which allows man-in-the-middle attackers to insert data
> | into HTTPS sessions, and possibly other types of sessions protected by
> | TLS or SSL, by sending an unauthenticated request that is processed
> | retroactively by a server in a post-renegotiation context, related to
> | a "plaintext injection" attack, aka the "Project Mogul" issue.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
> http://security-tracker.debian.org/tracker/CVE-2009-3555
At the polarssl's upstream tracker, I found the following similar issue:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2011-01
regarding CVE-2011-1923
Is CVE-2011-1923 related to CVE-2009-3555?
For CVE-2011-1923, they have a patch that applies to Debian's version in
squeeze (fixed upstream in >squeeze), which I can adapt easily and
prepare as a security fix.
Nothing found directly for CVE-2009-3555 - will ask upstream.
Thanks,
Roland
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#704946; Package polarssl.
(Mon, 08 Apr 2013 08:12:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list.
(Mon, 08 Apr 2013 08:12:07 GMT) (full text, mbox, link).
Message #15 received at 704946@bugs.debian.org (full text, mbox, reply):
Hi,
at
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2011-01
I found that CVE-2011-1923 is fixed in PolarSSL 0.14.2.
Haven't found anything about PolarSSL and CVE-2009-3555. So wondering if
it affects PolarSSL at all, if it's related to CVE-2011-1923 and if it's
fixed in PolarSSL already, if applicable.
See also http://bugs.debian.org/704946
Thanks in advance,
Roland
Information forwarded
to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#704946; Package polarssl.
(Wed, 10 Apr 2013 16:42:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>.
(Wed, 10 Apr 2013 16:42:04 GMT) (full text, mbox, link).
Message #20 received at 704946@bugs.debian.org (full text, mbox, reply):
On Mon, Apr 8, 2013 at 4:00 AM, Roland Stigge wrote:
> At the polarssl's upstream tracker, I found the following similar issue:
>
> https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2011-01
> regarding CVE-2011-1923
>
> Is CVE-2011-1923 related to CVE-2009-3555?
>
> For CVE-2011-1923, they have a patch that applies to Debian's version in
> squeeze (fixed upstream in >squeeze), which I can adapt easily and
> prepare as a security fix.
>
> Nothing found directly for CVE-2009-3555 - will ask upstream.
They've definitely different issues. CVE-2009-3555 as an ssl protocol
design flaw, so it affected pretty much every ssl implementation. If
you can get a statement from upstream about it, that would be great.
Best wishes,
Mike
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#704946; Package polarssl.
(Wed, 10 Apr 2013 21:21:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list.
(Wed, 10 Apr 2013 21:21:07 GMT) (full text, mbox, link).
Message #25 received at 704946@bugs.debian.org (full text, mbox, reply):
On 10/04/13 18:39, Michael Gilbert wrote:
>> Is CVE-2011-1923 related to CVE-2009-3555?
>>
>> For CVE-2011-1923, they have a patch that applies to Debian's version in
>> squeeze (fixed upstream in >squeeze), which I can adapt easily and
>> prepare as a security fix.
>>
>> Nothing found directly for CVE-2009-3555 - will ask upstream.
>
> They've definitely different issues. CVE-2009-3555 as an ssl protocol
> design flaw, so it affected pretty much every ssl implementation. If
> you can get a statement from upstream about it, that would be great.
Upstream's statement is that it's fixed (i.e. new protocol implemented)
upstream only at 1.2.0.
I.e. issue affects current Debian versions in stable, testing and
unstable. (Fixed in experimental.)
Hope I can get around separating-out and backporting respective changes
to squeeze and wheezy. Any help appreciated.
Thanks,
Roland
Reply sent
to Roland Stigge <stigge@antcom.de>:
You have taken responsibility.
(Wed, 16 Oct 2013 18:36:04 GMT) (full text, mbox, link).
Notification sent
to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer.
(Wed, 16 Oct 2013 18:36:04 GMT) (full text, mbox, link).
Message #30 received at 704946-close@bugs.debian.org (full text, mbox, reply):
Source: polarssl
Source-Version: 1.3.1-1
We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 704946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roland Stigge <stigge@antcom.de> (supplier of updated polarssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 16 Oct 2013 19:35:28 +0200
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl0
Architecture: source amd64
Version: 1.3.1-1
Distribution: unstable
Urgency: low
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Roland Stigge <stigge@antcom.de>
Description:
libpolarssl-dev - lightweight crypto and SSL/TLS library
libpolarssl-runtime - lightweight crypto and SSL/TLS library
libpolarssl0 - lightweight crypto and SSL/TLS library
Closes: 704946 719954 725359
Changes:
polarssl (1.3.1-1) unstable; urgency=low
.
* New upstream release
- Fixes CVE-2013-5914, CVE-2013-5915 (Closes: #725359)
- Fixes CVE-2013-4623 (Closes: #719954)
- Fixes CVE-2009-3555 (Closes: #704946)
Checksums-Sha1:
de2187b3d0370bbdf8b6eea60850fb3fbfd5ab53 1171 polarssl_1.3.1-1.dsc
b33856a1b2f736b18a49a20d48986bce6b3133f5 1168560 polarssl_1.3.1.orig.tar.gz
9aa4f132057bc008426e650284881badbb4924ed 4927 polarssl_1.3.1-1.debian.tar.gz
9c63a2079fe259eb88dabe51df226fde42a44f05 267458 libpolarssl-dev_1.3.1-1_amd64.deb
c345d43d17ca6d63425d00767be4c1277280320b 541390 libpolarssl-runtime_1.3.1-1_amd64.deb
a5155b37794c3da5589479e440f5d150bf58c5c1 186632 libpolarssl0_1.3.1-1_amd64.deb
Checksums-Sha256:
82d230e9a478f5937248ac424dbdb224f9a85dd1a7c08e87549f7914c388ae01 1171 polarssl_1.3.1-1.dsc
b60d59c24d3744e5c16121054bfdac5615bffb19974ee7e0c1964eeb481612b3 1168560 polarssl_1.3.1.orig.tar.gz
be270e7598d9b5cb1524dc537fde827eaf36af596c597bce152a86ed89309c73 4927 polarssl_1.3.1-1.debian.tar.gz
3f8b686fbb4b84489e89f85bfcaebc5859088fe5f8d01619ea49a7590214a1a6 267458 libpolarssl-dev_1.3.1-1_amd64.deb
99bb97dd912ec9606d6831a39c2eab2b2382ee232b9a39e24321c8a39704492c 541390 libpolarssl-runtime_1.3.1-1_amd64.deb
57c06b9b7ef745a4e420c4011a7afc98a0e227fcc308c8700b7d6397f8ed4025 186632 libpolarssl0_1.3.1-1_amd64.deb
Files:
b29348e8a443697d30475c5b3dccb724 1171 libs optional polarssl_1.3.1-1.dsc
e6ee020496f315254f178c672132218d 1168560 libs optional polarssl_1.3.1.orig.tar.gz
9280bcb07daca67654fccbd7ba1f2a9c 4927 libs optional polarssl_1.3.1-1.debian.tar.gz
e56cbd4d27edd297a545c27670c33af0 267458 libdevel optional libpolarssl-dev_1.3.1-1_amd64.deb
bb43c000391b429247497f62e73553e5 541390 libdevel optional libpolarssl-runtime_1.3.1-1_amd64.deb
953871b049c87240e3b243b9fd1a3dba 186632 libs optional libpolarssl0_1.3.1-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFSXtSdcaH/YBv43g8RAvsGAKDLGExAeO5qhYz1oAeWAzVCBF36IwCgtfUj
+YRFfegGoFFZc07jGB81844=
=yoTU
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Nov 2013 07:35:23 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:21:12 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon