Debian Bug report logs - #541991
CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability

Package: curl; Maintainer for curl is Alessandro Ghedini <ghedo@debian.org>; Source for curl is src:curl.

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Mon, 17 Aug 2009 08:39:02 UTC

Severity: serious

Tags: patch, security

Fixed in versions curl/7.15.5-1etch3, curl/7.19.5-1.1, curl/7.18.2-8lenny3

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#541991; Package curl. (Mon, 17 Aug 2009 08:39:05 GMT)

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Domenico Andreoli <cavok@debian.org>. (Mon, 17 Aug 2009 08:39:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability
Date: Mon, 17 Aug 2009 10:33:28 +0200
Package: curl
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for curl.

CVE-2009-2417[0]:
A vulnerability has been reported in cURL, which can be exploited by
malicious people to conduct spoofing attacks.

The vulnerability is caused due to an error when processing
certificate fields containing NULL ('\0') characters. This can be
exploited to e.g. conduct Man-in-the-Middle (MitM) attacks via
specially crafted certificates.

The vulnerability is reported in versions prior to 7.19.6.

Note: This only affects cURL versions with enabled OpenSSL support.


Upstream advisory:
http://curl.haxx.se/docs/adv_20090812.txt

Backported patches for various curl versions:
http://curl.haxx.se/CVE-2009-2417/

Upstream bug report:
http://curl.haxx.se/bug/view.cgi?id=2829955

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
    http://security-tracker.debian.net/tracker/CVE-2009-2417

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqJFdUACgkQNxpp46476aqVdQCgiWQZqdcHchwCtte8vJrz5zqS
mo8Ani2XAt4EZk1AhPC+0+JX+MbGVVty
=fEKN
-----END PGP SIGNATURE-----
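
The class of error described in the report above, shown as an added example that is not part of the original report and is not curl's own code: a certificate name field carries an explicit length and may contain a NUL byte, so comparing it as a C string only examines the part before the NUL. The type `cert_name`, both function names and the sample names are hypothetical and constructed for illustration; case-insensitive and wildcard matching are left out to keep the focus on the length check.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical type for this example: a certificate name field as decoded,
 * with its explicit length. Such a field may hold any byte, 0x00 included. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample values. The string literals also end in an implicit
 * NUL, which keeps the C-string call below within bounds. */
static const unsigned char honest_bytes[]  = "www.example.com";
static const unsigned char crafted_bytes[] = "www.example.com\0.other.invalid";
static const struct cert_name HONEST  = { honest_bytes,  sizeof honest_bytes  - 1 };
static const struct cert_name CRAFTED = { crafted_bytes, sizeof crafted_bytes - 1 };

/* Flawed pattern: the field is treated as a C string, so the comparison
 * stops at the first NUL and the remainder of the name is never examined.
 * Returns 1 on match, 0 otherwise. */
int name_matches_naive(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Checked pattern: a name with an embedded NUL is malformed and the
 * certificate is refused; otherwise all cn->len bytes are compared.
 * Returns 1 on match, 0 on mismatch, -1 if the field is malformed. */
int name_matches_checked(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return -1;
    if (cn->len != strlen(host))
        return 0;
    return memcmp(cn->data, host, cn->len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";

    printf("honest  field (%zu bytes): naive=%d checked=%d\n",
           HONEST.len, name_matches_naive(&HONEST, host),
           name_matches_checked(&HONEST, host));
    printf("crafted field (%zu bytes): naive=%d checked=%d\n",
           CRAFTED.len, name_matches_naive(&CRAFTED, host),
           name_matches_checked(&CRAFTED, host));
    return 0;
}
```
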




Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Tue, 25 Aug 2009 02:30:07 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Tue, 25 Aug 2009 02:30:07 GMT)

Message #10 received at 541991-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 541991-close@bugs.debian.org
Subject: Bug#541991: fixed in curl 7.15.5-1etch3
Date: Tue, 25 Aug 2009 02:08:15 +0000
Source: curl
Source-Version: 7.15.5-1etch3

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.15.5-1etch3.diff.gz
  to pool/main/c/curl/curl_7.15.5-1etch3.diff.gz
curl_7.15.5-1etch3.dsc
  to pool/main/c/curl/curl_7.15.5-1etch3.dsc
curl_7.15.5-1etch3_amd64.deb
  to pool/main/c/curl/curl_7.15.5-1etch3_amd64.deb
libcurl3-dbg_7.15.5-1etch3_amd64.deb
  to pool/main/c/curl/libcurl3-dbg_7.15.5-1etch3_amd64.deb
libcurl3-dev_7.15.5-1etch3_all.deb
  to pool/main/c/curl/libcurl3-dev_7.15.5-1etch3_all.deb
libcurl3-gnutls-dev_7.15.5-1etch3_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_amd64.deb
libcurl3-gnutls_7.15.5-1etch3_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_amd64.deb
libcurl3-openssl-dev_7.15.5-1etch3_amd64.deb
  to pool/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_amd64.deb
libcurl3_7.15.5-1etch3_amd64.deb
  to pool/main/c/curl/libcurl3_7.15.5-1etch3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541991@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 18 Aug 2009 00:55:12 +0000
Source: curl
Binary: libcurl3-dbg libcurl3 libcurl3-dev libcurl3-gnutls-dev libcurl3-openssl-dev libcurl3-gnutls curl
Architecture: source amd64 all
Version: 7.15.5-1etch3
Distribution: oldstable-security
Urgency: high
Maintainer: Domenico Andreoli <cavok@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS, FTP or GOPHER server
 libcurl3   - Multi-protocol file transfer library
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-dev - Transitional package to libcurl3-openssl-dev
 libcurl3-gnutls - Multi-protocol file transfer library
 libcurl3-gnutls-dev - Development files and documentation for libcurl
 libcurl3-openssl-dev - Development files and documentation for libcurl
Closes: 541991
Changes: 
 curl (7.15.5-1etch3) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fix possible mitm via injected null byte (CVE-2009-2417; Closes: #541991).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqKAKgACgkQHYflSXNkfP85/ACfXLrLN2kHwTB02xM5r2Veuk0w
tPQAni+qtWOH7f5SDhskWWbi4JRg8JH1
=eEwc
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#541991; Package curl. (Thu, 27 Aug 2009 18:24:07 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. (Thu, 27 Aug 2009 18:24:07 GMT)

Message #15 received at 541991@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 541991@bugs.debian.org
Subject: intent to NMU
Date: Thu, 27 Aug 2009 20:17:40 +0200
Hi,
I intend to upload a 0-day NMU to fix this bug.

debdiff available on:
http://people.debian.org/~nion/nmu-diff/curl-7.19.5-1_7.19.5-1.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Thu, 27 Aug 2009 19:06:06 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Thu, 27 Aug 2009 19:06:06 GMT)

Message #20 received at 541991-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 541991-close@bugs.debian.org
Subject: Bug#541991: fixed in curl 7.19.5-1.1
Date: Thu, 27 Aug 2009 18:47:16 +0000
Source: curl
Source-Version: 7.19.5-1.1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.19.5-1.1.diff.gz
  to pool/main/c/curl/curl_7.19.5-1.1.diff.gz
curl_7.19.5-1.1.dsc
  to pool/main/c/curl/curl_7.19.5-1.1.dsc
curl_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/curl_7.19.5-1.1_amd64.deb
libcurl3-dbg_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl3-dbg_7.19.5-1.1_amd64.deb
libcurl3-gnutls_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls_7.19.5-1.1_amd64.deb
libcurl3_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl3_7.19.5-1.1_amd64.deb
libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl4-gnutls-dev_7.19.5-1.1_amd64.deb
libcurl4-openssl-dev_7.19.5-1.1_amd64.deb
  to pool/main/c/curl/libcurl4-openssl-dev_7.19.5-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541991@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 27 Aug 2009 20:10:51 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.19.5-1.1
Distribution: unstable
Urgency: high
Maintainer: Domenico Andreoli <cavok@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 541991
Changes: 
 curl (7.19.5-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix possible mitm via injected null byte (CVE-2009-2417; Closes: #541991).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqW0n8ACgkQHYflSXNkfP9TcQCcDWb0AilIn1gmuC2QjFCpH5Hf
G14AmwW3f9+GJk0ZHEVTPXrAhSaAr4y4
=k8R1
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Sat, 29 Aug 2009 08:36:10 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 29 Aug 2009 08:36:11 GMT)

Message #25 received at 541991-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 541991-close@bugs.debian.org
Subject: Bug#541991: fixed in curl 7.18.2-8lenny3
Date: Sat, 29 Aug 2009 07:57:59 +0000
Source: curl
Source-Version: 7.18.2-8lenny3

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.18.2-8lenny3.diff.gz
  to pool/main/c/curl/curl_7.18.2-8lenny3.diff.gz
curl_7.18.2-8lenny3.dsc
  to pool/main/c/curl/curl_7.18.2-8lenny3.dsc
curl_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/curl_7.18.2-8lenny3_amd64.deb
libcurl3-dbg_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_amd64.deb
libcurl3-gnutls_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_amd64.deb
libcurl3_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl3_7.18.2-8lenny3_amd64.deb
libcurl4-gnutls-dev_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_amd64.deb
libcurl4-openssl-dev_7.18.2-8lenny3_amd64.deb
  to pool/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541991@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 18 Aug 2009 00:57:34 +0000
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.18.2-8lenny3
Distribution: stable-security
Urgency: high
Maintainer: Domenico Andreoli <cavok@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 541991
Changes: 
 curl (7.18.2-8lenny3) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix possible mitm attack via injected null bytes in the
     certificate (CVE-2009-2417; Closes: #541991).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqKANkACgkQHYflSXNkfP9X8wCfamQpUL7bij1GojAnK9kfnbn3
t/kAn3eHpIj16j5AspUIuvQqrtnyewDV
=mwux
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Fri, 04 Sep 2009 19:21:35 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Fri, 04 Sep 2009 19:21:35 GMT)

Message #30 received at 541991-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 541991-close@bugs.debian.org
Subject: Bug#541991: fixed in curl 7.18.2-8lenny3
Date: Fri, 04 Sep 2009 18:31:47 +0000
Source: curl
Source-Version: 7.18.2-8lenny3


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 03 Oct 2009 07:48:40 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:13:17 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.