Debian Bug report logs - #541439
CVE-2009-2730: does not properly handle a '\0' character


Package: gnutls26; Maintainer for gnutls26 is Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>;

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Fri, 14 Aug 2009 08:54:06 UTC

Severity: serious

Tags: security

Found in version 2.2.1-2

Fixed in versions gnutls26/2.8.3-1, gnutls13/1.4.4-3+etch5, gnutls26/2.4.2-6+lenny2

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#541439; Package gnutls26. (Fri, 14 Aug 2009 08:54:09 GMT)

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 14 Aug 2009 08:54:09 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2730: does not properly handle a '\0' character
Date: Fri, 14 Aug 2009 10:39:08 +0200

Package: gnutls26
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gnutls26.

CVE-2009-2730[0]:
| libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0'
| character in a domain name in the subject's (1) Common Name (CN) or
| (2) Subject Alternative Name (SAN) field of an X.509 certificate,
| which allows man-in-the-middle attackers to spoof arbitrary SSL
| servers via a crafted certificate issued by a legitimate Certification
| Authority.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Could you check if gnutls13 is affected please?

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2730
    http://security-tracker.debian.net/tracker/CVE-2009-2730

Cheers,
Giuseppe.

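The failure mode the CVE text above describes, as an added illustration (not GnuTLS code and not the upstream patch): a certificate name field is length-delimited, so a comparison that treats it as a C string only sees the bytes before the first '\0'. The struct, the function names and the sample bytes are constructed for this example; wildcard matching is left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A certificate name field as a DER decoder yields it: bytes plus explicit length. */
struct name_field {
    const unsigned char *data;
    size_t len;
};

/* Constructed samples. The first carries an embedded NUL after "www.example.com". */
static const unsigned char SAMPLE_NUL_CN[]   = "www.example.com\0.example.net";
static const unsigned char SAMPLE_CLEAN_CN[] = "www.example.com";

struct name_field sample_nul_cn(void)
{
    struct name_field f = { SAMPLE_NUL_CN, sizeof SAMPLE_NUL_CN - 1 };
    return f;
}

struct name_field sample_clean_cn(void)
{
    struct name_field f = { SAMPLE_CLEAN_CN, sizeof SAMPLE_CLEAN_CN - 1 };
    return f;
}

/* ASCII case-insensitive comparison of exactly n bytes. */
static int ascii_ieq(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: strlen() stops at the first NUL and f->len is ignored,
 * so everything after the embedded NUL never takes part in the comparison. */
int hostname_matches_naive(const struct name_field *f, const char *host)
{
    size_t seen = strlen((const char *)f->data);
    return seen == strlen(host) && ascii_ieq(f->data, host, seen);
}

/* Length-aware check: a name containing a NUL anywhere inside its declared
 * length is rejected outright, then the full field is compared. */
int hostname_matches_checked(const struct name_field *f, const char *host)
{
    size_t hlen = strlen(host);

    if (f->len == 0 || memchr(f->data, '\0', f->len) != NULL)
        return 0;
    if (f->len != hlen)
        return 0;
    return ascii_ieq(f->data, host, hlen);
}

int main(void)
{
    struct name_field bad = sample_nul_cn();
    struct name_field ok = sample_clean_cn();

    printf("NUL name,   naive:   %d\n", hostname_matches_naive(&bad, "www.example.com"));
    printf("NUL name,   checked: %d\n", hostname_matches_checked(&bad, "www.example.com"));
    printf("clean name, checked: %d\n", hostname_matches_checked(&ok, "www.example.com"));
    return 0;
}
```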




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#541439; Package gnutls26. (Fri, 14 Aug 2009 17:39:10 GMT)

Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 14 Aug 2009 17:39:10 GMT)

Message #10 received at 541439@bugs.debian.org:

From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 541439@bugs.debian.org
Subject: Re: Bug#541439: CVE-2009-2730: does not properly handle a '\0' character
Date: Fri, 14 Aug 2009 19:32:30 +0200

On 2009-08-14 Giuseppe Iuculano <giuseppe@iuculano.it> wrote:
> Package: gnutls26
> Severity: serious
> Tags: security

> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for gnutls26.

> CVE-2009-2730[0]:
> | libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0'
> | character in a domain name in the subject's (1) Common Name (CN) or
> | (2) Subject Alternative Name (SAN) field of an X.509 certificate,
> | which allows man-in-the-middle attackers to spoof arbitrary SSL
> | servers via a crafted certificate issued by a legitimate Certification
> | Authority.

> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

> Could you check if gnutls13 is affected please?

> For further information see:

> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2730
>     http://security-tracker.debian.net/tracker/CVE-2009-2730

> Cheers,
> Giuseppe.

I have verified through
http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00012.html
that gnutls13 is also affected.
cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




Bug Marked as found in versions 2.2.1-2. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Fri, 14 Aug 2009 17:39:13 GMT)

Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Fri, 14 Aug 2009 18:30:06 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Fri, 14 Aug 2009 18:30:06 GMT)

Message #17 received at 541439-close@bugs.debian.org:

From: Andreas Metzler <ametzler@debian.org>
To: 541439-close@bugs.debian.org
Subject: Bug#541439: fixed in gnutls26 2.8.3-1
Date: Fri, 14 Aug 2009 18:17:07 +0000

Source: gnutls26
Source-Version: 2.8.3-1

We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive:

gnutls-bin_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/gnutls-bin_2.8.3-1_i386.deb
gnutls-doc_2.8.3-1_all.deb
  to pool/main/g/gnutls26/gnutls-doc_2.8.3-1_all.deb
gnutls26_2.8.3-1.diff.gz
  to pool/main/g/gnutls26/gnutls26_2.8.3-1.diff.gz
gnutls26_2.8.3-1.dsc
  to pool/main/g/gnutls26/gnutls26_2.8.3-1.dsc
gnutls26_2.8.3.orig.tar.gz
  to pool/main/g/gnutls26/gnutls26_2.8.3.orig.tar.gz
guile-gnutls_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/guile-gnutls_2.8.3-1_i386.deb
libgnutls-dev_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/libgnutls-dev_2.8.3-1_i386.deb
libgnutls26-dbg_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/libgnutls26-dbg_2.8.3-1_i386.deb
libgnutls26_2.8.3-1_i386.deb
  to pool/main/g/gnutls26/libgnutls26_2.8.3-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated gnutls26 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 14 Aug 2009 19:14:29 +0200
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls-bin gnutls-doc guile-gnutls
Architecture: source all i386
Version: 2.8.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description: 
 gnutls-bin - the GNU TLS library - commandline utilities
 gnutls-doc - the GNU TLS library - documentation and examples
 guile-gnutls - the GNU TLS library - GNU Guile bindings
 libgnutls-dev - the GNU TLS library - development files
 libgnutls26 - the GNU TLS library - runtime library
 libgnutls26-dbg - GNU TLS library - debugger symbols
Closes: 540449 541439
Changes: 
 gnutls26 (2.8.3-1) unstable; urgency=high
 .
   * New upstream version.
     + Stops hardcoding a hard dependency on the versions of gcrypt and tasn it
       was built against. Closes: #540449
     + Fixes CVE-2009-2730, a vulnerability related to NUL bytes in X.509
       certificate name fields. Closes: #541439        GNUTLS-SA-2009-4
       http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html
   * Drop 15_chainverify_expiredcert.diff, included upstream.
   * Urgency high, since 541439 applies to testing, too.





Message sent on to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug#541439. (Fri, 14 Aug 2009 21:45:10 GMT)

Message #20 received at 541439-submitter@bugs.debian.org:

From: Michael S Gilbert <michael.s.gilbert@gmail.com>
To: 541439-submitter@bugs.debian.org
Subject: ubuntu patches in progress
Date: Fri, 14 Aug 2009 17:43:06 -0400

fyi, ubuntu has patches in progress for older versions, which may be
useful for backports to the stable releases:

http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html
http://git.savannah.gnu.org/cgit/gnutls.git/patch/?id=177e7ddb761999cd8b439e14a2bf43590756e230




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#541439; Package gnutls26. (Sat, 15 Aug 2009 12:24:02 GMT)

Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sat, 15 Aug 2009 12:24:03 GMT)

Message #25 received at 541439@bugs.debian.org:

From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 541439@bugs.debian.org
Subject: Re: Bug#541439: CVE-2009-2730: does not properly handle a '\0' character
Date: Sat, 15 Aug 2009 14:20:56 +0200

On 2009-08-14 Giuseppe Iuculano <giuseppe@iuculano.it> wrote:
> Package: gnutls26
> Severity: serious
> Tags: security

> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for gnutls26.

> CVE-2009-2730[0]:
> | libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0'
> | character in a domain name in the subject's (1) Common Name (CN) or
> | (2) Subject Alternative Name (SAN) field of an X.509 certificate,
> | which allows man-in-the-middle attackers to spoof arbitrary SSL
> | servers via a crafted certificate issued by a legitimate Certification
> | Authority.

> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

> Could you check if gnutls13 is affected please?

> For further information see:

> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2730
>     http://security-tracker.debian.net/tracker/CVE-2009-2730

> Cheers,
> Giuseppe.

Jamie Strandboge has generated patches for older versions of gnutls
and posted them in 
http://lists.gnu.org/archive/html/gnutls-devel/2009-08/msg00065.html

The patch for 2.4.x applies cleanly to the lenny release and seems to
fix the issue. - None of these apply to the etch-version, though.
cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sat, 05 Dec 2009 22:15:15 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 05 Dec 2009 22:15:15 GMT)

Message #30 received at 541439-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 541439-close@bugs.debian.org
Subject: Bug#541439: fixed in gnutls13 1.4.4-3+etch5
Date: Sat, 05 Dec 2009 22:12:22 +0000

Source: gnutls13
Source-Version: 1.4.4-3+etch5

We believe that the bug you reported is fixed in the latest version of
gnutls13, which is due to be installed in the Debian FTP archive:

gnutls-bin_1.4.4-3+etch5_i386.deb
  to main/g/gnutls13/gnutls-bin_1.4.4-3+etch5_i386.deb
gnutls-doc_1.4.4-3+etch5_all.deb
  to main/g/gnutls13/gnutls-doc_1.4.4-3+etch5_all.deb
gnutls13_1.4.4-3+etch5.diff.gz
  to main/g/gnutls13/gnutls13_1.4.4-3+etch5.diff.gz
gnutls13_1.4.4-3+etch5.dsc
  to main/g/gnutls13/gnutls13_1.4.4-3+etch5.dsc
libgnutls-dev_1.4.4-3+etch5_i386.deb
  to main/g/gnutls13/libgnutls-dev_1.4.4-3+etch5_i386.deb
libgnutls13-dbg_1.4.4-3+etch5_i386.deb
  to main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch5_i386.deb
libgnutls13_1.4.4-3+etch5_i386.deb
  to main/g/gnutls13/libgnutls13_1.4.4-3+etch5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated gnutls13 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 13 Nov 2009 15:09:55 +0100
Source: gnutls13
Binary: libgnutls-dev libgnutls13 gnutls-bin gnutls-doc libgnutls13-dbg
Architecture: source i386 all
Version: 1.4.4-3+etch5
Distribution: oldstable-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 gnutls-bin - the GNU TLS library - commandline utilities
 gnutls-doc - the GNU TLS library - documentation and examples
 libgnutls-dev - the GNU TLS library - development files
 libgnutls13 - the GNU TLS library - runtime library
 libgnutls13-dbg - GNU TLS library - debugger symbols
Closes: 541439
Changes: 
 gnutls13 (1.4.4-3+etch5) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-2730, a vulnerability related to NUL bytes in X.509
     certificate name fields. Closes: #541439  (GNUTLS-SA-2009-4)
   * Deprecate X.509 validation chains using MD5 and MD2 signatures
     (CVE-2009-2409)





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Wed, 16 Dec 2009 23:54:05 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Wed, 16 Dec 2009 23:54:05 GMT)

Message #35 received at 541439-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 541439-close@bugs.debian.org
Subject: Bug#541439: fixed in gnutls26 2.4.2-6+lenny2
Date: Wed, 16 Dec 2009 23:52:57 +0000

Source: gnutls26
Source-Version: 2.4.2-6+lenny2

We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive:

gnutls-bin_2.4.2-6+lenny2_i386.deb
  to main/g/gnutls26/gnutls-bin_2.4.2-6+lenny2_i386.deb
gnutls-doc_2.4.2-6+lenny2_all.deb
  to main/g/gnutls26/gnutls-doc_2.4.2-6+lenny2_all.deb
gnutls26_2.4.2-6+lenny2.diff.gz
  to main/g/gnutls26/gnutls26_2.4.2-6+lenny2.diff.gz
gnutls26_2.4.2-6+lenny2.dsc
  to main/g/gnutls26/gnutls26_2.4.2-6+lenny2.dsc
guile-gnutls_2.4.2-6+lenny2_i386.deb
  to main/g/gnutls26/guile-gnutls_2.4.2-6+lenny2_i386.deb
libgnutls-dev_2.4.2-6+lenny2_i386.deb
  to main/g/gnutls26/libgnutls-dev_2.4.2-6+lenny2_i386.deb
libgnutls26-dbg_2.4.2-6+lenny2_i386.deb
  to main/g/gnutls26/libgnutls26-dbg_2.4.2-6+lenny2_i386.deb
libgnutls26_2.4.2-6+lenny2_i386.deb
  to main/g/gnutls26/libgnutls26_2.4.2-6+lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated gnutls26 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 01 Nov 2009 21:29:06 +0100
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls-bin gnutls-doc guile-gnutls
Architecture: source all i386
Version: 2.4.2-6+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 gnutls-bin - the GNU TLS library - commandline utilities
 gnutls-doc - the GNU TLS library - documentation and examples
 guile-gnutls - the GNU TLS library - GNU Guile bindings
 libgnutls-dev - the GNU TLS library - development files
 libgnutls26 - the GNU TLS library - runtime library
 libgnutls26-dbg - GNU TLS library - debugger symbols
Closes: 541439
Changes: 
 gnutls26 (2.4.2-6+lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-2730: a vulnerability related to NUL bytes in X.509
     certificate name fields. (Closes: #541439) GNUTLS-SA-2009-4





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:34:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 03:53:32 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.