
Bug#546212: marked as done (CVE-2009-2702: KDE KSSL NULL Character Certificate Spoofing Vulnerability)



Your message dated Sat, 24 Oct 2009 19:58:35 +0000
with message-id <E1N1ml1-0005tR-B6@ries.debian.org>
and subject line Bug#546212: fixed in kdelibs 4:3.5.5a.dfsg.1-8etch3
has caused the Debian Bug report #546212,
regarding CVE-2009-2702: KDE KSSL NULL Character Certificate Spoofing Vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
546212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546212
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: kdelibs,kde4libs
Severity: serious
Tags: security



Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kdelibs and kde4libs.

CVE-2009-2702[0]:
| KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
| '\0' character in a domain name in the Subject Alternative Name field
| of an X.509 certificate, which allows man-in-the-middle attackers to
| spoof arbitrary SSL servers via a crafted certificate issued by a
| legitimate Certification Authority, a related issue to CVE-2009-2408.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2702
    http://security-tracker.debian.net/tracker/CVE-2009-2702

Cheers,
Giuseppe




--- End Message ---
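The defect described in the CVE text above (and repeated in the changelog below) is a classic C-string truncation: a decoded SAN dNSName containing a '\0' compares equal to the shorter host name the user connected to. The following is an added example, not code from kdelibs or the Debian fix; it shows the NUL-truncating comparison beside a length-aware check that rejects embedded NUL and handles a single-label wildcard. All host names are constructed placeholders.

```cpp
#include <cctype>
#include <cstring>
#include <string>

// Constructed SAN dNSName as decoded from a crafted certificate (placeholder
// names): "www.bank.example", a NUL byte, then ".attacker.example". std::string
// keeps all 34 bytes; a C string stops at the NUL.
static const std::string kCraftedSan("www.bank.example\0.attacker.example", 34);
static const std::string kHonestSan("www.bank.example");
static const std::string kHost("www.bank.example");

// Vulnerable pattern: strcmp() reads up to the first NUL, so the crafted name
// matches the host the user typed. This is the behaviour CVE-2009-2702 describes.
bool naiveMatch(const std::string& san, const std::string& host) {
    return std::strcmp(san.c_str(), host.c_str()) == 0;
}

// Full-length, case-insensitive comparison (DNS names are case-insensitive).
static bool equalsIgnoreCase(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i]))) return false;
    }
    return true;
}

// Hardened check: a legal DNS name never contains NUL, so reject it outright
// rather than letting a C-string routine silently truncate; then compare
// every byte. "*.label..." covers exactly one leftmost label.
bool safeMatch(const std::string& san, const std::string& host) {
    if (san.find('\0') != std::string::npos ||
        host.find('\0') != std::string::npos) return false;
    if (san.empty() || host.empty()) return false;
    if (san.size() > 2 && san.compare(0, 2, "*.") == 0) {
        size_t dot = host.find('.');
        if (dot == std::string::npos) return false;
        return equalsIgnoreCase(san.substr(2), host.substr(dot + 1));
    }
    return equalsIgnoreCase(san, host);
}
```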
--- Begin Message ---
Source: kdelibs
Source-Version: 4:3.5.5a.dfsg.1-8etch3

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-data_3.5.5a.dfsg.1-8etch3_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.5.5a.dfsg.1-8etch3_all.deb
kdelibs-dbg_3.5.5a.dfsg.1-8etch3_i386.deb
  to pool/main/k/kdelibs/kdelibs-dbg_3.5.5a.dfsg.1-8etch3_i386.deb
kdelibs4-dev_3.5.5a.dfsg.1-8etch3_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.5.5a.dfsg.1-8etch3_i386.deb
kdelibs4-doc_3.5.5a.dfsg.1-8etch3_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.5.5a.dfsg.1-8etch3_all.deb
kdelibs4c2a_3.5.5a.dfsg.1-8etch3_i386.deb
  to pool/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-8etch3_i386.deb
kdelibs_3.5.5a.dfsg.1-8etch3.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3.diff.gz
kdelibs_3.5.5a.dfsg.1-8etch3.dsc
  to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3.dsc
kdelibs_3.5.5a.dfsg.1-8etch3_all.deb
  to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Fri, 16 Oct 2009 08:57:21 +0200
Source: kdelibs
Binary: kdelibs4c2a kdelibs kdelibs4-doc kdelibs-dbg kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.5.5a.dfsg.1-8etch3
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 kdelibs    - core libraries from the official KDE release
 kdelibs-data - core shared data for all KDE applications
 kdelibs-dbg - debugging symbols for kdelibs
 kdelibs4-dev - development files for the KDE core libraries
 kdelibs4-doc - developer documentation for the KDE core libraries
 kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 546212
Changes: 
 kdelibs (4:3.5.5a.dfsg.1-8etch3) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-2702: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not
     properly handle a '\0' character in a domain name in the Subject
     Alternative Name field of an X.509 certificate, which allows
     man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
     certificate issued by a legitimate Certification Authority (Closes: #546212)




--- End Message ---
