
Bug#772634: unblock: resiprocate/1.9.7-2



Package: release.debian.org
User: release.debian.org@packages.debian.org
UserTags: unblock


This is a proposed upload to testing-proposed-updates

It is a far more concise and targeted fix than the upstream 1.9.8
release discussed previously.

The main reason for this unblock request:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772632

based on the outcome of discussion on the debian-security list:

  https://lists.debian.org/debian-security/2014/12/msg00032.html

This update enables TLS v1.1 and v1.2 when acting as a server and
enables v1.1 when acting as a client.

This is achieved by using the generic SSLv23_method instead of the
discouraged TLSv1_method.  This approach ensures that if the OpenSSL
maintainers add or remove protocol versions because of future
vulnerabilities, this package will benefit from those changes without
needing to be patched further or recompiled.

The (much smaller) debdiff is attached; it was generated with filterdiff
to strip the autotools-generated files:


debdiff resiprocate_1.9.7-1.dsc resiprocate_1.9.7-2.dsc | filterdiff -x
'*/aclocal.m4' -x '*/config.*' -x '*/configure' -x '*/depcomp' -x
'*/*.in' -x '*/install-sh' -x '*/ltmain.sh' -x '*/m4/*' -x '*/missing'
 -x '*/resiprocate.spec'  > /tmp/resiprocate-1.9.7-2.debdiff


diff -Nru resiprocate-1.9.7/debian/changelog resiprocate-1.9.7/debian/changelog
--- resiprocate-1.9.7/debian/changelog	2014-05-31 12:51:11.000000000 +0200
+++ resiprocate-1.9.7/debian/changelog	2014-12-09 11:56:59.000000000 +0100
@@ -1,3 +1,10 @@
+resiprocate (1.9.7-2) testing-proposed-updates; urgency=medium
+
+  * Use SSLv23_method instead of TLSv1_method and
+    avoid TLS 1.2 when acting as client. (Closes: #772632)
+
+ -- Daniel Pocock <daniel@pocock.pro>  Tue, 09 Dec 2014 11:34:48 +0100
+
 resiprocate (1.9.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch
--- resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch	1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch	2014-12-09 11:30:51.000000000 +0100
@@ -0,0 +1,50 @@
+diff --git a/repro/ReproRunner.cxx b/repro/ReproRunner.cxx
+index 929392b..a2f09de 100644
+--- a/repro/ReproRunner.cxx
++++ b/repro/ReproRunner.cxx
+@@ -1338,6 +1338,7 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+       wsCookieContextFactory.reset(new BasicWsCookieContextFactory(infoCookieName, extraCookieName, macCookieName));
+    }
+ 
++   SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23;
+    try
+    {
+       // Check if advanced transport settings are provided
+@@ -1448,7 +1449,7 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+                                  ipAddr,       // interface to bind to
+                                  tlsDomain,
+                                  Data::Empty,  // private key passphrase - not currently used
+-                                 SecurityTypes::TLSv1, // sslType
++                                 defaultSSLType, // sslType
+                                  0,            // transport flags
+                                  tlsCertificate, tlsPrivateKey,
+                                  cvm,          // tls client verification mode
+@@ -1576,8 +1577,8 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+          }
+          if (tlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+-            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+          }
+          if (wsPort)
+          {
+@@ -1586,13 +1587,13 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+          }
+          if (wssPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
+-            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
++            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
++            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
+          }
+          if (dtlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey);
+-            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey);
++            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey);
++            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey);
+          }
+       }
+    }
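Review bot: Replacing `SecurityTypes::TLSv1` with the new `defaultSSLType` local (and its six uses below) only widens the accepted versions upward if the SSL context built for `SecurityTypes::SSLv23` also disables SSLv2 and SSLv3; SSLv23_method negotiates whatever versions OpenSSL still compiles in, and nothing in this hunk or the cover note shows `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` being applied. That mapping lives in the Security layer rather than in ReproRunner, so it may already be handled, but since the whole point of the upload is the debian-security discussion the patch header should state where those options are set. The local is never reassigned and would read better as `const SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23; // Debian #772632: let OpenSSL negotiate the TLS version instead of pinning TLS 1.0`. addTransports begins and ends outside the hunk.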
diff -Nru resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch
--- resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch	2014-12-09 11:33:41.000000000 +0100
@@ -0,0 +1,16 @@
+diff --git a/resip/stack/ssl/TlsConnection.cxx b/resip/stack/ssl/TlsConnection.cxx
+index c3537aa..145d089 100644
+--- a/resip/stack/ssl/TlsConnection.cxx
++++ b/resip/stack/ssl/TlsConnection.cxx
+@@ -122,6 +122,11 @@ TlsConnection::TlsConnection( Transport* transport, const Tuple& tuple,
+       }
+       SSL_set_verify(mSsl, verify_mode, 0);
+    }
++   else
++   {
++      // some TLS v1.2 servers have been troublesome
++      SSL_set_options(mSsl, SSL_OP_NO_TLSv1_2);
++   }
+ 
+    mBio = BIO_new_socket((int)fd,0/*close flag*/);
+    assert( mBio );
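Review bot: The new `else` branch caps every connection that reaches it at TLS 1.1 via `SSL_OP_NO_TLSv1_2`, with no per-peer or configuration override, and the comment gives a future maintainer no way to judge when the workaround can be dropped. The condition the branch hangs off starts above the hunk, so which connections take it (presumably the client side, going by the patch name and changelog) is inferred rather than visible. A peer that only offers TLS 1.2 will now fail the handshake on this path, which is worth saying in the changelog entry as well. Suggest replacing the comment with `// Debian #772632: interop failures seen against some TLS 1.2 servers; revisit once the affected peers are identified`. The TlsConnection constructor begins and ends outside the hunk.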
diff -Nru resiprocate-1.9.7/debian/patches/series resiprocate-1.9.7/debian/patches/series
--- resiprocate-1.9.7/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/series	2014-12-09 11:33:48.000000000 +0100
@@ -0,0 +1,2 @@
+0001-use-SSLv23_method.patch
+0002-client-avoid-TLSv1_2.patch
