
Bug#770611: marked as done (unblock: gnutls28/3.3.8-5)



Your message dated Sun, 23 Nov 2014 09:49:09 +0100
with message-id <54719F85.1040802@thykier.net>
and subject line Re: Bug#770611: unblock: gnutls28/3.3.8-5
has caused the Debian Bug report #770611,
regarding unblock: gnutls28/3.3.8-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
770611: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770611
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gnutls28. The only change is a patch from upstream
to disable the obsolete protocol SSLv3. OpenSSL in jessie also has SSLv3
disabled.

unblock gnutls28/3.3.8-5


Thanks,
Thijs
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2014-11-12 19:31:53.000000000 +0100
+++ gnutls28-3.3.8/debian/changelog	2014-11-20 19:25:24.000000000 +0100
@@ -1,3 +1,10 @@
+gnutls28 (3.3.8-5) unstable; urgency=medium
+
+  * Remove SSL 3.0 from default priorities list.
+    Closes: #769904
+
+ -- Andreas Metzler <ametzler@debian.org>  Thu, 20 Nov 2014 19:25:20 +0100
+
 gnutls28 (3.3.8-4) unstable; urgency=high
 
   * Drop 31_fallback_to_RUSAGE_SELF.diff.
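Review bot: The new 3.3.8-5 entry says only "Remove SSL 3.0 from default priorities list" and does not mention that this changes behaviour for every application relying on the defaults, nor that SSL 3.0 can still be requested explicitly. The documentation touched by the accompanying patch still shows a priority string containing +VERS-SSL3.0, so one extra line in the entry (or a NEWS item) pointing administrators of legacy peers at that opt-in would save them a search after the upgrade.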
diff -Nru gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff
--- gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff	2014-11-20 19:20:46.000000000 +0100
@@ -0,0 +1,64 @@
+Description: Remove SSL 3.0 from default priorities list.
+ .
+ This cherry-picks 0e75ac18627f8e92a2186cc7769df4851415ae4f (code change)
+ and ee83078f806d5ca6eccdbfd84371179589a37570 (doc update) from upstream
+ master branch.
+ .
+ Requested by Debian security for consistency with OpenSSL in jessie.
+Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Origin: upstream
+Bug-Debian: https://bugs.debian.org/769904
+Last-Update: 2014-11-19
+
+--- gnutls28-3.3.10.orig/doc/cha-gtls-app.texi
++++ gnutls28-3.3.10/doc/cha-gtls-app.texi
+@@ -992,7 +992,7 @@ algorithms to be enabled.
+ @end float
+ 
+ Unless the initial keyword is "NONE" the defaults (in preference
+-order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0, SSL3.0; for
++order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0; for
+ compression NULL; for certificate types X.509.
+ In key exchange algorithms when in NORMAL or SECURE levels the
+ perfect forward secrecy algorithms take precedence of the other
+@@ -1054,8 +1054,8 @@ GCM ciphers only). All algorithms from N
+ COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
+ 
+ @item TLS versions @tab
+-VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1,
+-VERS-TLS1.2, VERS-DTLS1.2, VERS-DTLS1.0. 
++VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2,
++VERS-DTLS1.0, VERS-DTLS1.2. 
+ Catch all is VERS-TLS-ALL and VERS-DTLS-ALL.
+ 
+ @item Signature algorithms @tab
+@@ -1199,8 +1199,8 @@ Specifying RSA with AES-128-CBC:
+ Specifying the defaults except ARCFOUR-128:
+     "NORMAL:-ARCFOUR-128"
+ 
+-Enabling the 128-bit secure ciphers, while disabling SSL 3.0 and enabling compression:
+-    "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE"
++Enabling the 128-bit secure ciphers, while disabling TLS 1.0 and enabling compression:
++    "SECURE128:-VERS-TLS1.0:+COMP-DEFLATE"
+ 
+ Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS versions 
+ except TLS 1.2:
+@@ -1593,7 +1593,7 @@ options that are known to cause compatib
+ NORMAL:%COMPAT
+ @end verbatim
+ 
+-For broken peers that do not tolerate TLS version numbers over TLS 1.0
++For very old broken peers that do not tolerate TLS version numbers over TLS 1.0
+ another priority string is:
+ @verbatim
+ NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
+--- gnutls28-3.3.10.orig/lib/gnutls_priority.c
++++ gnutls28-3.3.10/lib/gnutls_priority.c
+@@ -273,7 +273,6 @@ static const int protocol_priority[] = {
+ 	GNUTLS_TLS1_2,
+ 	GNUTLS_TLS1_1,
+ 	GNUTLS_TLS1_0,
+-	GNUTLS_SSL3,
+ 	GNUTLS_DTLS1_2,
+ 	GNUTLS_DTLS1_0,
+ 	0
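Review bot: In the cha-gtls-app.texi change at @@ -1054, VERS-SSL3.0 is dropped from the "TLS versions" keyword list, yet the compatibility example left in place further down (NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT) still uses it, so the manual now relies on a keyword it no longer lists. Consider keeping VERS-SSL3.0 in the list with a remark that it is no longer part of the defaults. The code change in lib/gnutls_priority.c only removes GNUTLS_SSL3 from protocol_priority[] and comes with no test that a session using the default priorities refuses SSL 3.0; adding one would guard against the entry being reintroduced. The inner file headers name gnutls28-3.3.10 while the package is 3.3.8, which is worth a word in the patch description.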
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2014-11-12 19:16:31.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/series	2014-11-20 19:20:49.000000000 +0100
@@ -5,3 +5,4 @@
 36_less_refresh-rnd-state.diff
 37_X9.63_sanity_check.diff
 38_testforsanitycheck.diff
+40_no_more_ssl3.diff

--- End Message ---
--- Begin Message ---
On 2014-11-22 17:33, Thijs Kinkhorst wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package gnutls28. The only change is a patch from upstream
> to disable the obsolete protocol SSLv3. OpenSSL in jessie also has SSLv3
> disabled.
> 
> unblock gnutls28/3.3.8-5
> 
> 
> Thanks,
> Thijs
> 

Unblocked, thanks.

~Niels

--- End Message ---
