Debian Bug report logs - #532037
CVE-2009-138{6,7}: Two OpenSSL DTLS remote DoS
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Fri, 5 Jun 2009 22:12:04 UTC
Severity: serious
Tags: security
Fixed in version openssl/0.9.8k-2
Done: Kurt Roeckx <kurt@roeckx.be>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#532037; Package openssl. (Fri, 05 Jun 2009 22:12:06 GMT)
Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 05 Jun 2009 22:12:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: openssl
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openssl.
CVE-2009-1386[0]:
| ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
| a denial of service (NULL pointer dereference and daemon crash) via a
| DTLS ChangeCipherSpec packet that occurs before ClientHello.
CVE-2009-1387[1]:
| The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
| OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
| of service (NULL pointer dereference and daemon crash) via an
| out-of-sequence DTLS handshake message, related to a "fragment bug."
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
http://security-tracker.debian.net/tracker/CVE-2009-1386
http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17369
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
http://security-tracker.debian.net/tracker/CVE-2009-1387
http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17958
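Both CVE texts above describe a message-ordering problem at the DTLS layer (a ChangeCipherSpec before any ClientHello, and a handshake message arriving ahead of its predecessors), which is something a server front-end or IDS can check before any handshake state is touched. The following Python is an added example, not code from this bug report or from OpenSSL: a minimal DTLS record and handshake-header parser plus a per-connection audit that flags those two orderings; the constant names, the audit function and the CONSTRUCTED_* sample datagrams are mine.

```python
import struct
# DTLS record/handshake constants (RFC 4347); the tracker below is mine
CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22
CLIENT_HELLO, CLIENT_KEY_EXCHANGE = 1, 16
RECORD_HDR = struct.Struct("!BHH6sH")  # type, version, epoch, 48-bit seq, length
HS_HDR = struct.Struct("!B3sH3s3s")    # msg_type, 24-bit len, message_seq, frag_off, frag_len

def parse_records(datagram):
    """Split one DTLS datagram into (content_type, epoch, payload) tuples."""
    records, off = [], 0
    while off < len(datagram):
        if len(datagram) - off < RECORD_HDR.size:
            raise ValueError("truncated DTLS record header")
        ctype, _ver, epoch, _seq, length = RECORD_HDR.unpack_from(datagram, off)
        off += RECORD_HDR.size
        if len(datagram) - off < length:
            raise ValueError("record length exceeds datagram")
        records.append((ctype, epoch, datagram[off:off + length]))
        off += length
    return records

def audit_client_flight(datagrams):
    """Report the two orderings the CVE texts describe: ChangeCipherSpec before
    any ClientHello, and a handshake message whose message_seq runs ahead of
    the next expected one. Retransmits (message_seq below expected) are normal."""
    findings, seen_client_hello, expected_seq = [], False, 0
    for datagram in datagrams:
        for ctype, _epoch, payload in parse_records(datagram):
            if ctype == CHANGE_CIPHER_SPEC and not seen_client_hello:
                findings.append("ChangeCipherSpec before ClientHello")
            elif ctype == HANDSHAKE and len(payload) >= HS_HDR.size:
                msg_type, _, msg_seq, _, _ = HS_HDR.unpack_from(payload)
                if msg_type == CLIENT_HELLO:
                    seen_client_hello = True
                if msg_seq > expected_seq:
                    findings.append(f"out-of-sequence handshake: message_seq={msg_seq}, expected {expected_seq}")
                elif msg_seq == expected_seq:
                    expected_seq += 1
    return findings

# Builders for constructed sample datagrams (not real captures).
def record(ctype, payload, epoch=0, seq=0):
    return RECORD_HDR.pack(ctype, 0xFEFF, epoch, seq.to_bytes(6, "big"), len(payload)) + payload

def handshake(msg_type, msg_seq, body=b""):
    n = len(body).to_bytes(3, "big")  # unfragmented message: frag_len == length
    return record(HANDSHAKE, HS_HDR.pack(msg_type, n, msg_seq, b"\0\0\0", n) + body)
CONSTRUCTED_GOOD = [handshake(CLIENT_HELLO, 0, b"\xfe\xff" + b"\0" * 32)]
CONSTRUCTED_CCS_FIRST = [record(CHANGE_CIPHER_SPEC, b"\x01"), handshake(CLIENT_HELLO, 0)]
CONSTRUCTED_OUT_OF_SEQ = [handshake(CLIENT_HELLO, 0), handshake(CLIENT_KEY_EXCHANGE, 3)]
```

The audit only looks at record and handshake headers, so it runs on plaintext epoch-0 traffic and needs no keys; a non-empty result is the condition a DTLS server of the affected versions would have crashed on.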
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#532037; Package openssl. (Mon, 08 Jun 2009 17:30:08 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 08 Jun 2009 17:30:08 GMT)
Message #10 received at 532037@bugs.debian.org:
On Sat, Jun 06, 2009 at 12:10:53AM +0200, Giuseppe Iuculano wrote:
> Package: openssl
> Severity: serious
> Tags: security
>
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for openssl.
>
> CVE-2009-1386[0]:
> | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
> | a denial of service (NULL pointer dereference and daemon crash) via a
> | DTLS ChangeCipherSpec packet that occurs before ClientHello.
So this is already fixed in unstable, but not in
testing/stable/oldstable.
Since this seems to be DTLS related, this doesn't affect
openssl097.
> CVE-2009-1387[1]:
> | The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
> | OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
> | of service (NULL pointer dereference and daemon crash) via an
> | out-of-sequence DTLS handshake message, related to a "fragment bug."
I'll upload this to unstable, and provide fixed packages
for stable/oldstable for both issues.
Kurt
Reply sent to Kurt Roeckx <kurt@roeckx.be>: You have taken responsibility. (Mon, 08 Jun 2009 18:06:02 GMT)
Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>: Bug acknowledged by developer. (Mon, 08 Jun 2009 18:06:02 GMT)
Message #15 received at 532037-close@bugs.debian.org:
Source: openssl
Source-Version: 0.9.8k-2
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto0.9.8-udeb_0.9.8k-2_amd64.udeb to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-2_amd64.udeb
libssl-dev_0.9.8k-2_amd64.deb to pool/main/o/openssl/libssl-dev_0.9.8k-2_amd64.deb
libssl0.9.8-dbg_0.9.8k-2_amd64.deb to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-2_amd64.deb
libssl0.9.8_0.9.8k-2_amd64.deb to pool/main/o/openssl/libssl0.9.8_0.9.8k-2_amd64.deb
openssl_0.9.8k-2.diff.gz to pool/main/o/openssl/openssl_0.9.8k-2.diff.gz
openssl_0.9.8k-2.dsc to pool/main/o/openssl/openssl_0.9.8k-2.dsc
openssl_0.9.8k-2_amd64.deb to pool/main/o/openssl/openssl_0.9.8k-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 532037@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 08 Jun 2009 19:05:56 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8k-2
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.8 - SSL shared libraries
libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 532037 532336
Changes:
openssl (0.9.8k-2) unstable; urgency=low
.
* Move libssl0.9.8-dbg to the debug section.
* Use the rc4 assembler on kfreebsd-amd64 (Closes: #532336)
* Split the line to generate md5-x86_64.s in the Makefile. This will
hopefully fix the build issue on kfreebsd that now outputs the file
to stdout instead of the file.
* Fix denial of service via an out-of-sequence DTLS handshake message
(CVE-2009-1387) (Closes: #532037)
Package-Type: udeb
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#532037; Package openssl. (Mon, 08 Jun 2009 19:00:17 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 08 Jun 2009 19:00:17 GMT)
Message #20 received at 532037@bugs.debian.org:
On Sat, Jun 06, 2009 at 12:10:53AM +0200, Giuseppe Iuculano wrote:
> Package: openssl
> Severity: serious
> Tags: security
>
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for openssl.
>
> CVE-2009-1386[0]:
> | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
> | a denial of service (NULL pointer dereference and daemon crash) via a
> | DTLS ChangeCipherSpec packet that occurs before ClientHello.
>
> CVE-2009-1387[1]:
> | The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
> | OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
> | of service (NULL pointer dereference and daemon crash) via an
> | out-of-sequence DTLS handshake message, related to a "fragment bug."
Packages for stable and oldstable are available at:
http://people.debian.org/~kroeckx/openssl/
Note that the issues fixed in previous versions were never
uploaded to the security archive, so both fix 5 CVEs.
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#532037; Package openssl. (Thu, 18 Jun 2009 22:51:02 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Thu, 18 Jun 2009 22:51:02 GMT)
Message #25 received at 532037@bugs.debian.org:
On Mon, Jun 08, 2009 at 08:57:20PM +0200, Kurt Roeckx wrote:
> On Sat, Jun 06, 2009 at 12:10:53AM +0200, Giuseppe Iuculano wrote:
> > Package: openssl
> > Severity: serious
> > Tags: security
> >
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) ids were
> > published for openssl.
> >
> > CVE-2009-1386[0]:
> > | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
> > | a denial of service (NULL pointer dereference and daemon crash) via a
> > | DTLS ChangeCipherSpec packet that occurs before ClientHello.
> >
> > CVE-2009-1387[1]:
> > | The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
> > | OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
> > | of service (NULL pointer dereference and daemon crash) via an
> > | out-of-sequence DTLS handshake message, related to a "fragment bug."
>
> Packages for stable and oldstable are available at:
> http://people.debian.org/~kroeckx/openssl/
>
> Note that the issues fixed in previous versions were never
> uploaded to the security archive, so both fix 5 CVEs.
Hi,
Nothing happened with this yet. Are you planning on releasing a
DSA for this, or should I just upload them to proposed-updates
instead?
Kurt
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 22 Jul 2009 07:28:24 GMT)
Last modified: Wed Jun 19 16:47:54 2019