Bug#294270: marked as done (IDN support allows domain spoofing)

Debian Bug Tracking System owner@bugs.debian.org
Thu, 24 Mar 2005 13:05:00 -0800


Your message dated Thu, 24 Mar 2005 15:47:07 -0500
with message-id <E1DEZER-0000gP-00@newraff.debian.org>
and subject line Bug#294270: fixed in epiphany-browser 1.4.8-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Feb 2005 21:03:03 +0000
Date: Tue, 8 Feb 2005 16:04:23 -0500
From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: IDN support allows domain spoofing
Message-ID: <20050208210423.GA30761@kitenet.net>

Package: epiphany-browser
Severity: normal
Tags: security

Epiphany and other browsers which support IDN are vulnerable to domain
spoofing via homograph characters in domain names. Please see
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031459.html
for details, and note that this is CAN-2005-0238.

This bug is filed upstream:
https://bugzilla.mozilla.org/show_bug.cgi?id=281381

Note: I have not marked this bug as release critical, because it's not
clear to me if spoofing attacks qualify.

-- 
see shy jo

---------------------------------------
Received: (at 294270-close) by bugs.debian.org; 24 Mar 2005 20:58:16 +0000
From: Jordi Mallach <jordi@debian.org>
To: 294270-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#294270: fixed in epiphany-browser 1.4.8-2
Message-Id: <E1DEZER-0000gP-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 24 Mar 2005 15:47:07 -0500

Source: epiphany-browser
Source-Version: 1.4.8-2

We believe that the bug you reported is fixed in the latest version of
epiphany-browser, which is due to be installed in the Debian FTP archive:

epiphany-browser-dev_1.4.8-2_all.deb
  to pool/main/e/epiphany-browser/epiphany-browser-dev_1.4.8-2_all.deb
epiphany-browser_1.4.8-2.diff.gz
  to pool/main/e/epiphany-browser/epiphany-browser_1.4.8-2.diff.gz
epiphany-browser_1.4.8-2.dsc
  to pool/main/e/epiphany-browser/epiphany-browser_1.4.8-2.dsc
epiphany-browser_1.4.8-2_i386.deb
  to pool/main/e/epiphany-browser/epiphany-browser_1.4.8-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 294270@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated epiphany-browser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 Mar 2005 17:54:16 +0100
Source: epiphany-browser
Binary: epiphany-browser epiphany-browser-dev
Architecture: source i386 all
Version: 1.4.8-2
Distribution: unstable
Urgency: low
Maintainer: Jordi Mallach <jordi@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description: 
 epiphany-browser - Intuitive GNOME web browser
 epiphany-browser-dev - Development files for Epiphany web browser
Closes: 294270
Changes: 
 epiphany-browser (1.4.8-2) unstable; urgency=low
 .
   * debian/control.in: bump mozilla requirements to >= 1.7.6 to fix the
     IDN domain spoofing security issue (CAN-2005-0238, closes: #294270).
Files: 
 ea1a5f8107ea8cb98af7f4a6fd48c028 1879 gnome optional epiphany-browser_1.4.8-2.dsc
 a903b5f14d4c49a4bb7f81fd95be5df2 9078 gnome optional epiphany-browser_1.4.8-2.diff.gz
 1587dc85f0a061fcdf2bf8c746a70276 168668 devel optional epiphany-browser-dev_1.4.8-2_all.deb
 269e1f7839822a607e71c9ce98b16e7c 3030888 gnome optional epiphany-browser_1.4.8-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCQxgLJYSUupF6Il4RAkFnAJ9M8G/kvAp/dl2qY/Wh9MEFF9nGfQCfdYnP
uvKrhOLfDXR23dBFg7IonmQ=
=rW2R
-----END PGP SIGNATURE-----