
Bug#768421: marked as done (unblock: proxytunnel/1.9.0+svn250-4)



Your message dated Fri, 07 Nov 2014 11:09:41 +0000
with message-id <d01d068febd70032f0f078aa661f3043@hogwarts.powdarrmonkey.net>
and subject line Re: Bug#768421: unblock: proxytunnel/1.9.0+svn250-4
has caused the Debian Bug report #768421,
regarding unblock: proxytunnel/1.9.0+svn250-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
768421: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768421
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package proxytunnel

This fixes Debian bug #767301, severity important.

This bug notes that due to CVE-2014-3566, SSLv3 is no longer available
in openssl, so I have patched proxytunnel to use TLSv1 instead of
SSLv3.  This may mean that some proxies which still use SSLv3
exclusively will no longer be accessible, but the absence of SSLv3 in
libssl would prevent this anyway.

I have just uploaded version -4 of proxytunnel - it should hit
unstable shortly.

The debdiff is attached: I have patched one line in one file via a new
quilt patch.

Thanks!

   Julian

unblock proxytunnel/1.9.0+svn250-4

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru proxytunnel-1.9.0+svn250/debian/changelog proxytunnel-1.9.0+svn250/debian/changelog
--- proxytunnel-1.9.0+svn250/debian/changelog	2014-01-28 20:15:30.000000000 +0000
+++ proxytunnel-1.9.0+svn250/debian/changelog	2014-11-07 10:21:54.000000000 +0000
@@ -1,3 +1,10 @@
+proxytunnel (1.9.0+svn250-4) unstable; urgency=medium
+
+  * Replace SSLv3 usage with TLSv1 to respond to CVE-2014-3566 removal of
+    SSLv3 from openssl package (Closes: #767301)
+
+ -- Julian Gilbey <jdg@debian.org>  Fri, 07 Nov 2014 10:06:38 +0000
+
 proxytunnel (1.9.0+svn250-3) unstable; urgency=low
 
   * Fix regression: FTBFS on some systems (Closes: #664470)
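Review bot: The new changelog entry does not record the user-visible effect of the change: proxies that speak only SSLv3 can no longer be reached once the client asks for TLSv1. One extra line saying so, and naming the new quilt patch (06_migrate_from_SSLv3) that carries the change to ptstream.c, would let someone reading only the changelog understand a sudden handshake failure after upgrading.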
diff -Nru proxytunnel-1.9.0+svn250/debian/patches/06_migrate_from_SSLv3 proxytunnel-1.9.0+svn250/debian/patches/06_migrate_from_SSLv3
--- proxytunnel-1.9.0+svn250/debian/patches/06_migrate_from_SSLv3	1970-01-01 01:00:00.000000000 +0100
+++ proxytunnel-1.9.0+svn250/debian/patches/06_migrate_from_SSLv3	2014-11-07 10:17:50.000000000 +0000
@@ -0,0 +1,11 @@
+--- a/ptstream.c
++++ b/ptstream.c
+@@ -167,7 +167,7 @@
+ 	SSLeay_add_ssl_algorithms();
+ 	SSL_load_error_strings();
+ 
+-	ctx = SSL_CTX_new (SSLv3_client_method());
++	ctx = SSL_CTX_new (TLSv1_client_method());
+ 	ssl = SSL_new (ctx);
+ 
+ 	if (args_info.verbose_flag) {
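Review bot: TLSv1_client_method() on the changed line fixes the protocol at TLS 1.0 only, so a proxy that accepts only TLS 1.1 or 1.2 will fail the handshake, in the same way an SSLv3-only proxy now does. The version-flexible SSLv23_client_method(), followed by SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3), negotiates the highest version both ends support while still keeping SSLv3 off. The context lines also pass ctx straight to SSL_new() with no NULL check visible in this hunk; if SSL_CTX_new() can fail here, that is worth guarding. The patch file itself begins directly at the ptstream.c header, so a short description header with the bug reference would help later maintainers.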
diff -Nru proxytunnel-1.9.0+svn250/debian/patches/series proxytunnel-1.9.0+svn250/debian/patches/series
--- proxytunnel-1.9.0+svn250/debian/patches/series	2014-01-28 20:17:27.000000000 +0000
+++ proxytunnel-1.9.0+svn250/debian/patches/series	2014-11-07 10:05:26.000000000 +0000
@@ -3,3 +3,4 @@
 003_socket_write_loop
 004_remove_warnings
 005_sni
+06_migrate_from_SSLv3
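Review bot: The new series entry uses a two-digit prefix (06_) where the existing entries use three digits (003_, 004_, 005_). Naming it 006_migrate_from_SSLv3 would keep the patch names consistent and sorted in application order in a directory listing.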

--- End Message ---
--- Begin Message ---
On 2014-11-07 10:32, Julian Gilbey wrote:
> This fixes Debian bug #767301, severity important.
>
> This bug notes that due to CVE-2014-3566, SSLv3 is no longer available
> in openssl, so I have patched proxytunnel to use TLSv1 instead of
> SSLv3.  This may mean that some proxies which still use SSLv3
> exclusively will no longer be accessible, but the absence of SSLv3 in
> libssl would prevent this anyway.
>
> I have just uploaded version -4 of proxytunnel - it should hit
> unstable shortly.
>
> The debdiff is attached: I have patched one line in one file via a new
> quilt patch.

Unblocked, thanks,

--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits

--- End Message ---
