Your message dated Sat, 06 Feb 2021 10:39:26 +0000 with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk> and subject line Closing p-u bugs for updates in 10.8 has caused the Debian Bug report #979074, regarding buster-pu: package gnutls28/3.6.7-4+deb10u6 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

-- 
979074: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979074
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package gnutls28/3.6.7-4+deb10u6
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Sat, 2 Jan 2021 15:17:38 +0100
- Message-id: <X/CAgsJHacPrCbHU@argenau.bebt.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
The gnutls28 test tests/testpkcs11.sh uses a test certificate that expired in December 2020, which now causes a testsuite error and FTBFS. If this is not approved the patch will need to be included in case of another DSA for GnuTLS or a stable update. I would rather fix this now to make debian-security's life easier.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The patch uses datefudge to avoid the timebomb. It is cherrypicked and adapted (older helper function) from upstream master.

TIA, cu Andreas

diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2020-06-07 07:45:55.000000000 +0200 +++ gnutls28-3.6.7/debian/changelog 2021-01-02 14:15:36.000000000 +0100 @@ -1,3 +1,11 @@ +gnutls28 (3.6.7-4+deb10u6) UNRELEASED; urgency=medium + + * 45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch + Fix test suite error caused by expired certificate. + Closes: #977552 + + -- Andreas Metzler <ametzler@debian.org> Sat, 02 Jan 2021 14:15:36 +0100 + gnutls28 (3.6.7-4+deb10u5) buster; urgency=medium * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch diff -Nru gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch --- gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch 2021-01-02 14:15:36.000000000 +0100 
@@ -0,0 +1,73 @@ +From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <ueno@gnu.org> +Date: Mon, 28 Dec 2020 16:16:53 +0100 +Subject: [PATCH 3/6] testpkcs11: use datefudge to trick certificate expiry +Origin: https://gitlab.com/gnutls/gnutls/-/commit/2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d +Bug: https://gitlab.com/gnutls/gnutls/-/issues/1135 +Bug-Debian: https://bugs.debian.org/977552 + +The certificates stored in tests/testpkcs11-certs expired on +2020-12-13. To avoid verification failure due to that, use datefudge +to set custom date when calling gnutls-cli, gnutls-serv, and certtool. + +Based on the patch by Andreas Metzler: +https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121 + +Signed-off-by: Daiki Ueno <ueno@gnu.org> +--- + tests/testpkcs11.sh | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/tests/testpkcs11.sh ++++ b/tests/testpkcs11.sh +@@ -67,6 +67,8 @@ have_ed25519=0 + P11TOOL="${VALGRIND} ${P11TOOL} --batch" + SERV="${SERV} -q" + ++TESTDATE=2020-12-01 ++ + . ${srcdir}/scripts/common.sh + + rm -f "${LOGFILE}" +@@ -79,6 +81,8 @@ exit_error () { + exit 1 + } + ++skip_if_no_datefudge ++ + # $1: token + # $2: PIN + # $3: filename +@@ -510,6 +514,7 @@ write_certificate_test () { + pubkey="$5" + + echo -n "* Generating client certificate... " ++ datefudge -s "$TESTDATE" \ + "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ + --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ + --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 +@@ -887,6 +892,7 @@ use_certificate_test () { + echo -n "* Using PKCS #11 with gnutls-cli (${txt})... 
" + # start server + eval "${GETPORT}" ++ SERV="datefudge -s $TESTDATE $SERV" \ + launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" \ + --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1 +@@ -895,13 +901,16 @@ use_certificate_test () { + wait_server ${PID} + + # connect to server using SC ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \ + fail ${PID} "Connection should have failed!" + ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \ + fail ${PID} "Connection (with files) should have succeeded!" + ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ + --x509keyfile="${token};object=gnutls-client;object-type=private" \ + --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \ diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series --- gnutls28-3.6.7/debian/patches/series 2020-06-07 07:34:21.000000000 +0200 +++ gnutls28-3.6.7/debian/patches/series 2021-01-02 14:15:36.000000000 +0100 @@ -15,3 +15,4 @@ 44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch 44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch 44_rel3.6.14_90-stek-differentiate-initial-state-from-valid-time-win.patch +45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patchAttachment: signature.asc
Description: PGP signature
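Review bot: The patch name 45_4.7.0plus-01_... in the debian/changelog hunk (repeated in the new file name and in the debian/patches/series hunk) does not match the numbering used everywhere else in this debdiff: the package is 3.6.7 and the neighbouring series entries are 44_rel3.6.14_NN-.... If the prefix is meant to record the upstream version the change was taken after, 4.7.0plus looks like a typo for a 3.x version. Please confirm the intended version and rename before upload so the series keeps sorting by upstream origin.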
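Review bot: TESTDATE=2020-12-01 in the @@ -67,6 +67,8 @@ hunk of tests/testpkcs11.sh is an unexplained magic value. The reason for it is only in the commit message (the certificates in tests/testpkcs11-certs expired on 2020-12-13). Add a comment above the assignment saying that the date has to fall inside the validity period of those certificates, so that whoever regenerates them knows to revisit or drop the fudge.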
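Review bot: skip_if_no_datefudge at top level in the @@ -79,6 +81,8 @@ hunk makes a missing datefudge skip the entire PKCS #11 test, and this debdiff touches only debian/changelog, the new patch file and debian/patches/series, not debian/control. Please confirm that datefudge is already in Build-Depends for the buster package. Otherwise the build turns green because the test no longer runs, not because it passes, and a later security upload would ship without this coverage.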
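Review bot: In the @@ -887,6 +892,7 @@ hunk, SERV="datefudge -s $TESTDATE $SERV" is a temporary assignment placed in front of launch_pkcs11_server. If that helper is a shell function, POSIX leaves it unspecified whether such an assignment persists after the function returns, so under some /bin/sh implementations every call of use_certificate_test would stack another datefudge -s prefix onto SERV. Restoring SERV after the call, or building the wrapped command in a separate variable, removes the dependency on the shell. As a style point, $TESTDATE is unquoted here but quoted as "$TESTDATE" in every other added line.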
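Review bot: The first added datefudge line in the @@ -895,13 +901,16 @@ hunk wraps the call that is expected to fail (the one ending in && fail ${PID} "Connection should have failed!"). That check is satisfied by any non-zero exit, including datefudge itself failing to start, so the negative case can pass without gnutls-cli having rejected the connection. skip_if_no_datefudge covers a missing binary but not other wrapper failures. Consider also checking "${LOGFILE}" for the expected rejection after that call, so the test still proves that a client without a certificate is refused.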
--- End Message ---
--- Begin Message ---
- To: 955277-done@bugs.debian.org, 962152-done@bugs.debian.org, 962672-done@bugs.debian.org, 970745-done@bugs.debian.org, 972149-done@bugs.debian.org, 973342-done@bugs.debian.org, 973706-done@bugs.debian.org, 975932-done@bugs.debian.org, 976094-done@bugs.debian.org, 976392-done@bugs.debian.org, 976423-done@bugs.debian.org, 976432-done@bugs.debian.org, 977172-done@bugs.debian.org, 977511-done@bugs.debian.org, 977520-done@bugs.debian.org, 977735-done@bugs.debian.org, 977782-done@bugs.debian.org, 977895-done@bugs.debian.org, 977978-done@bugs.debian.org, 978091-done@bugs.debian.org, 978157-done@bugs.debian.org, 979072-done@bugs.debian.org, 979074-done@bugs.debian.org, 979724-done@bugs.debian.org, 979749-done@bugs.debian.org, 980133-done@bugs.debian.org, 980201-done@bugs.debian.org, 980259-done@bugs.debian.org, 980268-done@bugs.debian.org, 980453-done@bugs.debian.org, 980458-done@bugs.debian.org, 980491-done@bugs.debian.org, 980762-done@bugs.debian.org, 980799-done@bugs.debian.org, 980802-done@bugs.debian.org, 980835-done@bugs.debian.org, 980857-done@bugs.debian.org, 980919-done@bugs.debian.org, 980938-done@bugs.debian.org, 980962-done@bugs.debian.org, 981002-done@bugs.debian.org, 981035-done@bugs.debian.org, 981047-done@bugs.debian.org, 981059-done@bugs.debian.org, 981096-done@bugs.debian.org, 981239-done@bugs.debian.org, 981271-done@bugs.debian.org, 981292-done@bugs.debian.org, 981339-done@bugs.debian.org, 981345-done@bugs.debian.org
- Subject: Closing p-u bugs for updates in 10.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 06 Feb 2021 10:39:26 +0000
- Message-id: <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's 10.8 point release.

Regards,

Adam
--- End Message ---