Debian Bug report logs - #722055
python-openssl: CVE-2013-4314: hostname check bypassing vulnerability

version graph

Package: python-openssl; Maintainer for python-openssl is Sandro Tosi <morph@debian.org>; Source for python-openssl is src:pyopenssl.

Reported by: Henri Salo <henri@nerv.fi>

Date: Sat, 7 Sep 2013 06:06:01 UTC

Severity: important

Tags: fixed-upstream, patch, security

Found in version pyopenssl/0.13-2

Fixed in versions pyopenssl/0.13-2.1, pyopenssl/0.13-3.1, pyopenssl/0.13-2+deb7u1, pyopenssl/0.10-1+squeeze1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#722055; Package python-openssl. (Sat, 07 Sep 2013 06:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 07 Sep 2013 06:06:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: python-openssl: CVE-2013-4314: hostname check bypassing vulnerability
Date: Sat, 7 Sep 2013 09:04:20 +0300
[Message part 1 (text/plain, inline)]
Package: python-openssl
Version: 0.13-2+b2
Severity: important
Tags: security, fixed-upstream

https://mail.python.org/pipermail/pyopenssl-users/2013-September/000478.html

In all prior releases, the string formatting of subjectAltName
X509Extension instances incorrectly truncated fields of the name when
encountering NUL.  String formatting of this extension will now include
the NUL byte (escaped) and any following bytes.

Additionally, a bug causing memory to be leaked for each call to
X509.get_extension has been fixed.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1005325

Please adjust affected version numbers accordingly.

---
Henri Salo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#722055; Package python-openssl. (Sun, 08 Sep 2013 03:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 08 Sep 2013 03:54:04 GMT) Full text and rfc822 format available.

Message #10 received at 722055@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 722055@bugs.debian.org
Subject: Re: Bug#722055: python-openssl: CVE-2013-4314: hostname check bypassing vulnerability
Date: Sun, 8 Sep 2013 05:51:45 +0200
Hi

The reference to upstream diff:

 http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/revision/169

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#722055; Package python-openssl. (Thu, 12 Sep 2013 18:21:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 12 Sep 2013 18:21:08 GMT) Full text and rfc822 format available.

Message #15 received at 722055@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Henri Salo <henri@nerv.fi>, 722055@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#722055: python-openssl: CVE-2013-4314: hostname check bypassing vulnerability
Date: Thu, 12 Sep 2013 20:17:56 +0200
Hello Sandro

Are you working on the updates for this issues? The Security Team also
has pyopenssl on the "needs DSA" list: Could you also prepare packages
targetting squeeze-security and wheezy-security?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#722055; Package python-openssl. (Sun, 15 Sep 2013 20:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 15 Sep 2013 20:15:04 GMT) Full text and rfc822 format available.

Message #20 received at 722055@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 722055@bugs.debian.org
Subject: pyopenssl: diff for NMU version 0.13-2.1
Date: Sun, 15 Sep 2013 22:10:49 +0200
[Message part 1 (text/plain, inline)]
tags 722055 + patch
tags 722055 + pending
thanks

Dear maintainer,

I've prepared an NMU for pyopenssl (versioned as 0.13-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[pyopenssl-0.13-2.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 15 Sep 2013 20:15:07 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 15 Sep 2013 20:15:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#722055; Package python-openssl. (Sun, 15 Sep 2013 20:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 15 Sep 2013 20:24:04 GMT) Full text and rfc822 format available.

Message #29 received at 722055@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 722055@bugs.debian.org
Subject: pyopenssl: diff for NMU version 0.13-3.1
Date: Sun, 15 Sep 2013 22:20:49 +0200
[Message part 1 (text/plain, inline)]
Dear maintainer,

I've prepared an NMU for pyopenssl (versioned as 0.13-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

p.s.: this is the package targetting experimental.

Regards,
Salvatore
[pyopenssl-0.13-3.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 20 Sep 2013 21:09:05 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Fri, 20 Sep 2013 21:09:05 GMT) Full text and rfc822 format available.

Message #34 received at 722055-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 722055-close@bugs.debian.org
Subject: Bug#722055: fixed in pyopenssl 0.13-2.1
Date: Fri, 20 Sep 2013 21:06:50 +0000
Source: pyopenssl
Source-Version: 0.13-2.1

We believe that the bug you reported is fixed in the latest version of
pyopenssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722055@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pyopenssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 14 Sep 2013 11:07:42 +0200
Source: pyopenssl
Binary: python-openssl python-openssl-doc python-openssl-dbg python3-openssl python3-openssl-dbg
Architecture: source all amd64
Version: 0.13-2.1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 python-openssl - Python 2 wrapper around the OpenSSL library
 python-openssl-dbg - Python 2 wrapper around the OpenSSL library (debug extension)
 python-openssl-doc - Python wrapper around the OpenSSL library (documentation package)
 python3-openssl - Python 3 wrapper around the OpenSSL library
 python3-openssl-dbg - Python 3 wrapper around the OpenSSL library (debug extension)
Closes: 722055
Changes: 
 pyopenssl (0.13-2.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Add CVE-2013-4314.patch patch.
     CVE-2013-4314: Fix hostname check bypassing vulnerability with server
     certificates that have a null byte in the subjectAltName. (Closes: #722055)
Checksums-Sha1: 
 e552acfc5fc6035b5199be5f071786ba26acbaea 2430 pyopenssl_0.13-2.1.dsc
 28581c63f2379030f9e4b1012def1800df9a47e9 13466 pyopenssl_0.13-2.1.debian.tar.gz
 76210186695af9d98ee9a4661d4ba1bf5576576e 139210 python-openssl-doc_0.13-2.1_all.deb
 8805e1738bfc323f7024ce0edc98c0a95e996cc6 92442 python-openssl_0.13-2.1_amd64.deb
 06cb0dc62acbbc9140daa3a2abb4b777d732633d 209042 python-openssl-dbg_0.13-2.1_amd64.deb
 5001ff3a46fc3af4af947dabff59010d7d2ee57d 92088 python3-openssl_0.13-2.1_amd64.deb
 2dc7f2cb3d6240176e2ca9c0451b7d968f5c2df2 223898 python3-openssl-dbg_0.13-2.1_amd64.deb
Checksums-Sha256: 
 926f8199fafd34e9959ad2295fad3fec09e0ba67c0fa2f14dac334474645a3f0 2430 pyopenssl_0.13-2.1.dsc
 44b6d186636c18251beb783fe3a2694462a16e9b63e126e7c388b364d200cb47 13466 pyopenssl_0.13-2.1.debian.tar.gz
 455fde5fec75196e4534171d62061a2116c0f362f3a0478413ca7075033b81c7 139210 python-openssl-doc_0.13-2.1_all.deb
 043df34733b125ea0953f39418c14385694f77bfefab2f2b6b4e470179087e12 92442 python-openssl_0.13-2.1_amd64.deb
 a15bb1aa0927f46ccdcd541e2f7d0a74de3edc199950298fb75096bc2c90a4d9 209042 python-openssl-dbg_0.13-2.1_amd64.deb
 ca438b784578a1d157c4db8a6a6d944f992a119ff96db37798a0ace05d69d7da 92088 python3-openssl_0.13-2.1_amd64.deb
 0055b5d7bada450dfc4054644784634fe12ef55deb4fdd9aef5d08c0d6b532b3 223898 python3-openssl-dbg_0.13-2.1_amd64.deb
Files: 
 91663e679867a194acd89d6e2943d2f5 2430 python optional pyopenssl_0.13-2.1.dsc
 71f2ad69e321aa247c9290a979eb23c0 13466 python optional pyopenssl_0.13-2.1.debian.tar.gz
 8e4853c0462d0fda85831b788374d9f0 139210 doc optional python-openssl-doc_0.13-2.1_all.deb
 23f03e823f865e62e74e972e66d2f386 92442 python optional python-openssl_0.13-2.1_amd64.deb
 43de8aa6179aaebf1ee606ebef4cd58e 209042 debug extra python-openssl-dbg_0.13-2.1_amd64.deb
 62e2ae4bbb1a8baccfb812bbd898de53 92088 python optional python3-openssl_0.13-2.1_amd64.deb
 3e00a36d3fa4565f3f63ab7d3b786203 223898 debug extra python3-openssl-dbg_0.13-2.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSNhOWAAoJEHidbwV/2GP+AAoQAMWsRiUqM2sSWXw/NlaaXGwO
g6vmIVhpPg+nanW0tIDjkJfly3vNlDWzVoHkFoy/Rl+HyS+7nfn8mffnum0uuIPG
m3+dUlQ9nJv0eUjgxqr2NUJCy1Naa/v5EDx2qhkiadbnR6jLrBFGbjP0rkMSsKY+
juh+waKo9p4EvPNV63O3kxBQcygQvPho/PgNIWDK+ZaMhM3OQQw71l4WmQ3lurj8
Qp2wHPy0Frf/TqQeDd5ROPuWgd8HMvTo8wxpcjqqmc1berhEKGGIEGxwLre4w1kd
5HRacWEZyFAVcCk7mb3mDSCm74N1wUA/V7NUzYlAVoyFCFVMTtQc3f3YNnYtCH6w
84qIZE9601uXlz0OWObgjgvxm/koDOkI8kJNGjxPSnKyPFHmkqiZm7LBs6aIaFSO
Iq6hJAG1PwVfoDn+4EVg6nkdGI0m0VKBLWKTsMonzyc3oQWZjsiDZPsOTlYSxS4+
7tAmWWlnQOxgR54H+4HSGVOmKMLDzUajrPPHY5Qwczioz/eGZrUaMfARkNvtcsEt
6YbROwnk8xmMZj5yUSe4Mu4rjUhDveWIh73O48c3BnGS1jok+sc8xejr+reIbusQ
+8T1N4UXgzcEOsEIkDZMNb5BE0F5d16HwAp1BJK/7DsNhoE3CFH9Bh00OgfwgqLT
Fraq/Hs2ffaEctwr2G61
=IYsT
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 20 Sep 2013 21:09:08 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Fri, 20 Sep 2013 21:09:08 GMT) Full text and rfc822 format available.

Message #39 received at 722055-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 722055-close@bugs.debian.org
Subject: Bug#722055: fixed in pyopenssl 0.13-3.1
Date: Fri, 20 Sep 2013 21:07:01 +0000
Source: pyopenssl
Source-Version: 0.13-3.1

We believe that the bug you reported is fixed in the latest version of
pyopenssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722055@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pyopenssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Sep 2013 16:59:07 +0200
Source: pyopenssl
Binary: python-openssl python-openssl-doc python-openssl-dbg python3-openssl python3-openssl-dbg
Architecture: source amd64 all
Version: 0.13-3.1
Distribution: experimental
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 python-openssl - Python 2 wrapper around the OpenSSL library
 python-openssl-dbg - Python 2 wrapper around the OpenSSL library (debug extension)
 python-openssl-doc - Python wrapper around the OpenSSL library (documentation package)
 python3-openssl - Python 3 wrapper around the OpenSSL library
 python3-openssl-dbg - Python 3 wrapper around the OpenSSL library (debug extension)
Closes: 722055
Changes: 
 pyopenssl (0.13-3.1) experimental; urgency=low
 .
   * Non-maintainer upload.
   * Add CVE-2013-4314.patch patch.
     CVE-2013-4314: Fix hostname check bypassing vulnerability with server
     certificates that have a null byte in the subjectAltName. (Closes: #722055)
Checksums-Sha1: 
 b8703cf5069584de4133fb9e3afdcbd1b3e5c6b3 2429 pyopenssl_0.13-3.1.dsc
 effe54f335f87880beb701a438eca5614d0b0d51 13487 pyopenssl_0.13-3.1.debian.tar.gz
 788c9771aa32039e675779d0730840656f26ba86 92288 python-openssl_0.13-3.1_amd64.deb
 8de1b5ed2969215e0c61b88d6884ee657a458adb 139250 python-openssl-doc_0.13-3.1_all.deb
 6a8cf02a7dd3646c9576beaf754ce3adfd94f76f 208936 python-openssl-dbg_0.13-3.1_amd64.deb
 3f064c2764186b85e35e767d80cb5327d5284825 91982 python3-openssl_0.13-3.1_amd64.deb
 538c8ddf4b36bcdfb1c9be776cc5778c8f9001ac 223814 python3-openssl-dbg_0.13-3.1_amd64.deb
Checksums-Sha256: 
 9971d668cf4b42eb79e7a12bdf7f803974dea5e04e9bd21820dbc86990fbab51 2429 pyopenssl_0.13-3.1.dsc
 600870f969269a2c5bac0faf186e5fffae4f4031a9e3ec260715c2ed61c3f9d4 13487 pyopenssl_0.13-3.1.debian.tar.gz
 7e3ecab18333deecbe59d9bbbf62cf13efd7600b2bd99ae7a2678e2b5be74bf4 92288 python-openssl_0.13-3.1_amd64.deb
 e2935115af18775fa0df9a7f9f96bde92f95ac89d299e963c558bb4e373c496d 139250 python-openssl-doc_0.13-3.1_all.deb
 9b16d09393e20d4f7525e1253ec1defa8c52567ee45f585136e8edc924d9474a 208936 python-openssl-dbg_0.13-3.1_amd64.deb
 e3d00cbc66aff742911dfe6fa4238e04eae8b6fafbd445572993455e90611c1e 91982 python3-openssl_0.13-3.1_amd64.deb
 136cdc1bdcd86cffdbe166279201025ccdc8aaf777afc005fc10505978d3a4ab 223814 python3-openssl-dbg_0.13-3.1_amd64.deb
Files: 
 954459a85c057db4bbda9fe33cc5d40f 2429 python optional pyopenssl_0.13-3.1.dsc
 588afec1e88a143ecf355e5d53503211 13487 python optional pyopenssl_0.13-3.1.debian.tar.gz
 dc2a3ae1271bbb357a00f65647330f72 92288 python optional python-openssl_0.13-3.1_amd64.deb
 ac66334d43b6e7cfc7a359e8bfa1802e 139250 doc optional python-openssl-doc_0.13-3.1_all.deb
 318af4853e6f95ceea4f8997285da348 208936 debug extra python-openssl-dbg_0.13-3.1_amd64.deb
 8541d7b9ae791765a4ccdbf8478ff174 91982 python optional python3-openssl_0.13-3.1_amd64.deb
 366a0aecccb8a9990cdde41296911fed 223814 debug extra python3-openssl-dbg_0.13-3.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSNhVrAAoJEHidbwV/2GP+XycQANoYJyBvOukE6zMcafrD7JkS
A6s8hKuUed6ldQKRzxcLIhrxwhsRFamxEPwuhB1QYpUVBMcb9dCcRQ+JYP7FNJDc
2TXLCEBups74RJWBmkaaT4Vf0EA2YD86KKOtuzRM786g0q7kSOK1t08i7gfjuPWN
EYdlGBWQlJtuunZHmAShGAoxuKvLYiRlzCMxM1FJqKq5r5uKWuDRLn3EI71CZU/z
t+IAnM+8tVvjJ+NPjiOblsxjBUode1DP1cPgaUF+NyJ2o2sU7iCokRTDzW2w9PuK
DAAEX1g9iR2fCEcYqBtQTl0mo4j4jJPkdRbbBcCQSNU0VOzdR0PQPovKyc8BSAbe
1B8DQEGxTbE9hll+9EH+tHpl8sNfVUCRoY3kgRsygutpqdKHqjys4Od0YE06xQUW
uMFvXL8qcnnypd8LXGJzRI5BOVSJ2RUy8WIyYTOhTDH8aHE5qIhbUbkAEv7njh0F
wwFcHdAoirGWSeRMANTH4KLfGSrwMnKBtKJEfCuidp4V2hSJwqwvqhmVXoKrN8CR
5HlDsow9wfjXSGMhm/P/tomJ7At8oFSbXkOeVQM9eMMa+oUZxNsuB2iV+K825/x1
uctm72EGEccbUJUGtq4aELldkfDn3wF1Ng3QXCEx59JI8Ib5NlL+wqwQqHQJvQNg
KQp3+9QcLydWyPuxA95/
=oLSq
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 24 Sep 2013 21:51:05 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 24 Sep 2013 21:51:05 GMT) Full text and rfc822 format available.

Message #44 received at 722055-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 722055-close@bugs.debian.org
Subject: Bug#722055: fixed in pyopenssl 0.13-2+deb7u1
Date: Tue, 24 Sep 2013 21:47:06 +0000
Source: pyopenssl
Source-Version: 0.13-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
pyopenssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722055@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pyopenssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Sep 2013 19:20:53 +0200
Source: pyopenssl
Binary: python-openssl python-openssl-doc python-openssl-dbg python3-openssl python3-openssl-dbg
Architecture: source all amd64
Version: 0.13-2+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 python-openssl - Python 2 wrapper around the OpenSSL library
 python-openssl-dbg - Python 2 wrapper around the OpenSSL library (debug extension)
 python-openssl-doc - Python wrapper around the OpenSSL library (documentation package)
 python3-openssl - Python 3 wrapper around the OpenSSL library
 python3-openssl-dbg - Python 3 wrapper around the OpenSSL library (debug extension)
Closes: 722055
Changes: 
 pyopenssl (0.13-2+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2013-4314.patch patch.
     CVE-2013-4314: Fix hostname check bypassing vulnerability with server
     certificates that have a null byte in the subjectAltName. (Closes: #722055)
Checksums-Sha1: 
 a8f14997710d936a2e267580188d978f263ce199 2450 pyopenssl_0.13-2+deb7u1.dsc
 b4de25c5e4e9d9bc375c419071efc45fa96d5597 250489 pyopenssl_0.13.orig.tar.gz
 b74cd7fdcb4d1ccd23518acb5d07932f082dc8e3 13566 pyopenssl_0.13-2+deb7u1.debian.tar.gz
 3368aff9d3b1590f0b88136c624dd22e8c3b1618 144954 python-openssl-doc_0.13-2+deb7u1_all.deb
 9fc01b3fb1d8ecb56bc6d9ec9eb0afefad62637d 175298 python-openssl_0.13-2+deb7u1_amd64.deb
 b73d866f0f9d8f7865481c65a171064b832e8e64 781714 python-openssl-dbg_0.13-2+deb7u1_amd64.deb
 95df8fee9beceadfe67c2e80ac0acb0a91281caa 117126 python3-openssl_0.13-2+deb7u1_amd64.deb
 6e152b0dddcd187ab3000bba06f8c855e40e684d 398044 python3-openssl-dbg_0.13-2+deb7u1_amd64.deb
Checksums-Sha256: 
 b1c9ca7f20e38ae681ba8738be827afd8afb736f2ef865f87fae8e6fb00dace7 2450 pyopenssl_0.13-2+deb7u1.dsc
 21e12b03abaa0e04ecc8cd9c251598f71bae11c9f385304234e4ea5618c6163b 250489 pyopenssl_0.13.orig.tar.gz
 c900b8e2623f628d3e1a96378a8b7849b34adb698b86aadbcb7657ec0852e4c9 13566 pyopenssl_0.13-2+deb7u1.debian.tar.gz
 060391cb124b60cbcec301b00c27bd3c550eb2689f6ee54de5e3a11a5c9fec33 144954 python-openssl-doc_0.13-2+deb7u1_all.deb
 06bcb8875ee7ced036faddad0babdce1459d477de7f228a52941914fdd9c0d59 175298 python-openssl_0.13-2+deb7u1_amd64.deb
 4af43fa965f8b8c6b8768b1e19722be7ff63c27239ce723313a7e2cdaa4468e5 781714 python-openssl-dbg_0.13-2+deb7u1_amd64.deb
 dfae6dec125f8a51576809465da495ff984643c9600f8c5d2ccde401064c19ab 117126 python3-openssl_0.13-2+deb7u1_amd64.deb
 98cd276dad62516ff553bccc033e5421229038454ecb47f463dfa9aba24ec35b 398044 python3-openssl-dbg_0.13-2+deb7u1_amd64.deb
Files: 
 96078564b3a50e645a18c0c6f98896f1 2450 python optional pyopenssl_0.13-2+deb7u1.dsc
 767bca18a71178ca353dff9e10941929 250489 python optional pyopenssl_0.13.orig.tar.gz
 e63ea2ac0706072040d58d96cc97084a 13566 python optional pyopenssl_0.13-2+deb7u1.debian.tar.gz
 c5f0074140d84587a395132fe8c79aca 144954 doc optional python-openssl-doc_0.13-2+deb7u1_all.deb
 a8e486b2d854e62ccfacdb076de85485 175298 python optional python-openssl_0.13-2+deb7u1_amd64.deb
 8825a668d698b307bdd2357a582fd189 781714 debug extra python-openssl-dbg_0.13-2+deb7u1_amd64.deb
 2d211c1790b49719246cfd2a919968a0 117126 python optional python3-openssl_0.13-2+deb7u1_amd64.deb
 46fb1d92e91bd8f112ade20e0fc03b17 398044 debug extra python3-openssl-dbg_0.13-2+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSPV0/AAoJEHidbwV/2GP+aFAQAO72fSkDv2JF/xJ7EzEApHWn
avcDfUdjAz/lDeSXMBqTBSjavxFS9p/qGrqS2gTFylRAckS+rbRUA0HfsU/VAQDy
DrddNwqvtHwUdTzaq6HCcfF6leo/+e6PjNzKfjcbQWD6AiQgfNOhgoBDf1X3CJFG
CCu1BASMk2iHnzraJioksWiajjy2ffcXI0uD6GjERUcQfLzl8Qj8t4UGNqm4flQ7
Hbyvb16n2sw3M6o9WK58UzNaI2wdFGUQGbkgD0qXfnX3Ix6dz2FmmtAzUaEYWm+f
2FKmYBQFPfqEvgAd01uB+NH8HzlRQ6OTz0N9j1aGZh9PNZvp0YLWTOLUIQB2bDv1
bGJQdiJaj3QY/NNB7RLtMUyzQB7UMQUvnDEY+t6ezOMNlFfcVBd2S+JB+ytj1CIc
Sr2Auuja6va4VW4jXpzhZg8S2OiodpmlLXL+EdblxSeJM5DYsbemN68Uo6AbgqZb
CuY8c8VrJCz7HDaK5CX6ak8i3z6lbGc1KAcT9HAYMol2n/QzmokbSHSfy4DkZINs
6zoGoV1hi9w40SU+RnoeKNmB3VIEgNSoOQ9h5uJOzc3yym7V03iQadVj0oqV3iIz
vzyOB4I7WIHJawQtuYcU7rjzSz2vq3rwRSGZ5rqPxnZLX226de6KE4fpeCgKWGFw
jbOB7t9HcafYsLM7ZidR
=pGkf
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 24 Sep 2013 21:51:09 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 24 Sep 2013 21:51:09 GMT) Full text and rfc822 format available.

Message #49 received at 722055-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 722055-close@bugs.debian.org
Subject: Bug#722055: fixed in pyopenssl 0.10-1+squeeze1
Date: Tue, 24 Sep 2013 21:47:51 +0000
Source: pyopenssl
Source-Version: 0.10-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
pyopenssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722055@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pyopenssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 21 Sep 2013 17:58:58 +0200
Source: pyopenssl
Binary: python-openssl python-openssl-doc python-openssl-dbg
Architecture: source all amd64
Version: 0.10-1+squeeze1
Distribution: squeeze-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 python-openssl - Python wrapper around the OpenSSL library
 python-openssl-dbg - Python wrapper around the OpenSSL library (debug extension)
 python-openssl-doc - Python wrapper around the OpenSSL library (documentation package)
Closes: 722055
Changes: 
 pyopenssl (0.10-1+squeeze1) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 30_CVE-2013-4314.dpatch.
     CVE-2013-4314: Fix hostname check bypassing vulnerability with server
     certificates that have a null byte in the subjectAltName. (Closes: #722055)
Checksums-Sha1: 
 f956768a77337868f23c51df0f7eb77d09b7b0b0 2160 pyopenssl_0.10-1+squeeze1.dsc
 11c956d317ab2b1628937a2681acc31f4b890fe8 222169 pyopenssl_0.10.orig.tar.gz
 6812b4f9f7b21ff41505242d955bba358fe574cf 10395 pyopenssl_0.10-1+squeeze1.diff.gz
 8bd204eeb99d09247f3a35d166a86c9fdae08178 131916 python-openssl-doc_0.10-1+squeeze1_all.deb
 091a3e8790743696441b51f86c5f766583310f9d 136714 python-openssl_0.10-1+squeeze1_amd64.deb
 f3f2b15e2846cf3ab6e448e9a4e13af09b95e886 592476 python-openssl-dbg_0.10-1+squeeze1_amd64.deb
Checksums-Sha256: 
 e633a72dd0e101bf704f4a869847005e2d6498e7fe35268a7584b87b0d9aae29 2160 pyopenssl_0.10-1+squeeze1.dsc
 4514f8960389042ca2587f9cb801a13f7990387753fc678680b0c084719b5b60 222169 pyopenssl_0.10.orig.tar.gz
 1c4a090599d04ec030a5d32445c66699d6ed3f774135b27b5fea9a5cf8457a8d 10395 pyopenssl_0.10-1+squeeze1.diff.gz
 7ca62127b1de71605c25cb6c9ffe839e33aae31bd383e3b7cc713ae3bbc5cc87 131916 python-openssl-doc_0.10-1+squeeze1_all.deb
 c809e04d4ac5255007455e4f8a88fe97c74084e81aef3cc3b717087ff565938c 136714 python-openssl_0.10-1+squeeze1_amd64.deb
 a65b94813f4fe644ff50cb3efcfa3cec4cdbc7b532f3b40d1a8771f65c72a487 592476 python-openssl-dbg_0.10-1+squeeze1_amd64.deb
Files: 
 9e8bebe5c8b94de38b518388ab03829c 2160 python optional pyopenssl_0.10-1+squeeze1.dsc
 34db8056ec53ce80c7f5fc58bee9f093 222169 python optional pyopenssl_0.10.orig.tar.gz
 224a97b2a41eb6ceed6bd4a8ec6a343c 10395 python optional pyopenssl_0.10-1+squeeze1.diff.gz
 cc4f2016b6c12e60d29ef3b889fa038b 131916 doc optional python-openssl-doc_0.10-1+squeeze1_all.deb
 e87516d3538914c74b225a07a4cf6fc3 136714 python optional python-openssl_0.10-1+squeeze1_amd64.deb
 0f0e24e68a9782de9468d14278be7d7a 592476 debug extra python-openssl-dbg_0.10-1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSQFMlAAoJEHidbwV/2GP+IPAQAIrLWX47klQjfZIf9G/5q3IQ
kOVBnNCxR8y9a2CWIZwiyEG/T991j1/jAWRLyHrl33s64y5XPfNFyxRxx/Ansc8e
mZ5qECXpR//Oyt7SuAO2Z7BxGRzyb6JZwVd9bjgwaZHydFbrTOIDlum7v6R0KxmW
S0Mq5D6suo4hpKqpwRaapDwmkYAqBbQ6+fuV6AvyXX8lyE5oClR5JlPnFzQjsQuy
2Og1UneuAmTjh/PsaAB6HO3pphKInLXG6sfy2O6aoFCZus6+w6uVzO5tx61BXXVD
NIYUCFcp64z48GVI+EtWEVnBvS7VpHs+G0e001B4E11xDuE8bBdSuw7vhu8d+Ikn
EwaFfB+6C6WKMdKT59P7yNkQQSMv27U4Cj3Inho1DJKbJwmszGTKiqQbez3olveG
LMVqutD3LTLfPRDe+HN98UoZQ1nzE7ph5EYFQJYDm+pykj1dqO5O3NDSNnAg8MXI
V+zgSojJGjtEKOxy9txjYKrf++TadCfhzyQQ9mrzj5T/mVTthTofQ/JUdp1qLznL
HvxJr4tDjsmfm74HvUfhK8AtwJHYhogmkk6HbwTCuBhSvdLP2j3SkLaumFolr/s9
MaFcdPUPLGqKxb+KvHnhtF/YiXmpBeBt4FtcWP6xrL31irTsHL96FVGSjTNylARF
mMn9SZ9Re11pjPlaOwAY
=p9N4
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 23 Oct 2013 07:33:39 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 13:12:39 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.