Debian Bug report logs - #684511
libpython2.6: CVE-2011-3389 - SSL man-in-the-middle attack

version graph

Package: libpython2.6; Maintainer for libpython2.6 is (unknown);

Reported by: aw@linux.de

Date: Fri, 10 Aug 2012 16:27:01 UTC

Severity: important

Tags: security

Found in version python2.6/2.6.6-8

Fixed in versions python2.6/2.6.8-0.1, 2.6.8-2+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>:
Bug#684511; Package libpython2.6. (Fri, 10 Aug 2012 16:27:04 GMT) (full text, mbox, link).

Acknowledgement sent to aw@linux.de:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>. (Fri, 10 Aug 2012 16:27:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: aw@linux.de
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpython2.6: CVE-2011-3389 - SSL man-in-the-middle attack
Date: Fri, 10 Aug 2012 18:19:26 +0200
Package: libpython2.6
Version: 2.6.6-8
Severity: important
Tags: security, squeeze
Justification: user security hole


CVE-2011-3389 is fixed in unstable/testing, but not in stable, yet:

The SSL protocol [...] encrypts data by using CBC mode with chained
initialization vectors, which allows man-in-the-middle attackers to obtain
plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an
HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5
WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient
API, aka a "BEAST" attack.

cu

AW

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (50, 'proposed-updates')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpython2.6 depends on:
ii  libc6                  2.11.3-4          Embedded GNU C Library: Shared lib
ii  libssl0.9.8            0.9.8o-4squeeze13 SSL shared libraries
ii  python2.6              2.6.6-8           An interactive high-level object-o
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

libpython2.6 recommends no packages.

libpython2.6 suggests no packages.

-- no debconf information

Marked as fixed in versions python2.6/2.6.8-0.1. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 28 Nov 2012 09:03:04 GMT) (full text, mbox, link).

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Mon, 01 Jul 2013 10:18:13 GMT) (full text, mbox, link).

Notification sent to aw@linux.de:
Bug acknowledged by developer. (Mon, 01 Jul 2013 10:18:13 GMT) (full text, mbox, link).

Message #12 received at 684511-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 545196-done@bugs.debian.org,545303-done@bugs.debian.org,568195-done@bugs.debian.org,575428-done@bugs.debian.org,579549-done@bugs.debian.org,585278-done@bugs.debian.org,587606-done@bugs.debian.org,591471-done@bugs.debian.org,593433-done@bugs.debian.org,593461-done@bugs.debian.org,593772-done@bugs.debian.org,594074-done@bugs.debian.org,594323-done@bugs.debian.org,597025-done@bugs.debian.org,598676-done@bugs.debian.org,598727-done@bugs.debian.org,599361-done@bugs.debian.org,599876-done@bugs.debian.org,600917-done@bugs.debian.org,601457-done@bugs.debian.org,602640-done@bugs.debian.org,603851-done@bugs.debian.org,606962-done@bugs.debian.org,607115-done@bugs.debian.org,607661-done@bugs.debian.org,608066-done@bugs.debian.org,608352-done@bugs.debian.org,611748-done@bugs.debian.org,612311-done@bugs.debian.org,614553-done@bugs.debian.org,614860-done@bugs.debian.org,623055-done@bugs.debian.org,625478-done@bugs.debian.org,626611-done@bugs.debian.org,630425-done@bugs.debian.org,631794-done@bugs.debian.org,640071-done@bugs.debian.org,645195-done@bugs.debian.org,652926-done@bugs.debian.org,652927-done@bugs.debian.org,653403-done@bugs.debian.org,668107-done@bugs.debian.org,670519-done@bugs.debian.org,679030-done@bugs.debian.org,684511-done@bugs.debian.org,689308-done@bugs.debian.org,699029-done@bugs.debian.org,701001-done@bugs.debian.org,702235-done@bugs.debian.org,702675-done@bugs.debian.org,706758-done@bugs.debian.org,
Cc: python2.6@packages.debian.org, python2.6@packages.qa.debian.org
Subject: Bug#714116: Removed package(s) from unstable
Date: Mon, 01 Jul 2013 10:13:07 +0000
Version: 2.6.8-2+rm

Dear submitter,

as the package python2.6 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/714116

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Ansgar Burchardt (the ftpmaster behind the curtain)

Removed tag(s) squeeze. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 18 Jan 2014 13:45:42 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Feb 2014 07:28:50 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jan 25 09:43:41 2026; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.