--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package proxytunnel
This fixes Debian bug #767301, severity important.
This bug notes that due to CVE-2014-3566, SSLv3 is no longer available
in openssl, so I have patched proxytunnel to use TLSv1 instead of
SSLv3. This may mean that some proxies which still use SSLv3
exclusively will no longer be accessible, but the absence of SSLv3 in
libssl would prevent this anyway.
I have just uploaded version -4 of proxytunnel - it should hit
unstable shortly.
The debdiff is attached: I have patched one line in one file via a new
quilt patch.
Thanks!
Julian
unblock proxytunnel/1.9.0+svn250-4
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru proxytunnel-1.9.0+svn250/debian/changelog proxytunnel-1.9.0+svn250/debian/changelog
--- proxytunnel-1.9.0+svn250/debian/changelog 2014-01-28 20:15:30.000000000 +0000
+++ proxytunnel-1.9.0+svn250/debian/changelog 2014-11-07 10:21:54.000000000 +0000
@@ -1,3 +1,10 @@
+proxytunnel (1.9.0+svn250-4) unstable; urgency=medium
+
+ * Replace SSLv3 usage with TLSv1 to respond to CVE-2014-3566 removal of
+ SSLv3 from openssl package (Closes: #767301)
+
+ -- Julian Gilbey <jdg@debian.org> Fri, 07 Nov 2014 10:06:38 +0000
+
proxytunnel (1.9.0+svn250-3) unstable; urgency=low
* Fix regression: FTBFS on some systems (Closes: #664470)
diff -Nru proxytunnel-1.9.0+svn250/debian/patches/06_migrate_from_SSLv3 proxytunnel-1.9.0+svn250/debian/patches/06_migrate_from_SSLv3
--- proxytunnel-1.9.0+svn250/debian/patches/06_migrate_from_SSLv3 1970-01-01 01:00:00.000000000 +0100
+++ proxytunnel-1.9.0+svn250/debian/patches/06_migrate_from_SSLv3 2014-11-07 10:17:50.000000000 +0000
@@ -0,0 +1,11 @@
+--- a/ptstream.c
++++ b/ptstream.c
+@@ -167,7 +167,7 @@
+ SSLeay_add_ssl_algorithms();
+ SSL_load_error_strings();
+
+- ctx = SSL_CTX_new (SSLv3_client_method());
++ ctx = SSL_CTX_new (TLSv1_client_method());
+ ssl = SSL_new (ctx);
+
+ if (args_info.verbose_flag) {
diff -Nru proxytunnel-1.9.0+svn250/debian/patches/series proxytunnel-1.9.0+svn250/debian/patches/series
--- proxytunnel-1.9.0+svn250/debian/patches/series 2014-01-28 20:17:27.000000000 +0000
+++ proxytunnel-1.9.0+svn250/debian/patches/series 2014-11-07 10:05:26.000000000 +0000
@@ -3,3 +3,4 @@
003_socket_write_loop
004_remove_warnings
005_sni
+06_migrate_from_SSLv3
--- End Message ---
--- Begin Message ---
On 2014-11-07 10:32, Julian Gilbey wrote:
This fixes Debian bug #767301, severity important.
This bug notes that due to CVE-2014-3566, SSLv3 is no longer available
in openssl, so I have patched proxytunnel to use TLSv1 instead of
SSLv3. This may mean that some proxies which still use SSLv3
exclusively will no longer be accessible, but the absence of SSLv3 in
libssl would prevent this anyway.
I have just uploaded version -4 of proxytunnel - it should hit
unstable shortly.
The debdiff is attached: I have patched one line in one file via a new
quilt patch.
Unblocked, thanks,
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits
--- End Message ---