
Bug#772634: marked as done (unblock: resiprocate/1.9.7-2)



Your message dated Wed, 10 Dec 2014 23:57:17 +0100
with message-id <20141210225717.GC14607@ugent.be>
and subject line Re: Bug#772634: resiprocate_1.9.7-2_amd64.changes REJECTED
has caused the Debian Bug report #772634,
regarding unblock: resiprocate/1.9.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772634
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
UserTags: unblock


This is a proposed upload to testing-proposed-updates

It is a far more concise and targeted fix than the upstream 1.9.8
release discussed previously.

The main reason for this unblock request:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772632

based on the outcome of discussion on the debian-security list:

  https://lists.debian.org/debian-security/2014/12/msg00032.html

This update enables TLS v1.1 and v1.2 when acting as a server and
enables v1.1 when acting as a client.

This is achieved by using the generic SSLv23_method instead of the
discouraged TLSv1_method.  This approach ensures that if the OpenSSL
maintainers add or remove protocol versions because of future
vulnerabilities, this package will benefit from those changes without
needing to be patched further or recompiled.

The (much smaller) debdiff is attached; it was generated with filterdiff
to remove autotools stuff:


  debdiff resiprocate_1.9.7-1.dsc resiprocate_1.9.7-2.dsc | filterdiff \
    -x '*/aclocal.m4' -x '*/config.*' -x '*/configure' -x '*/depcomp' \
    -x '*/*.in' -x '*/install-sh' -x '*/ltmain.sh' -x '*/m4/*' -x '*/missing' \
    -x '*/resiprocate.spec' > /tmp/resiprocate-1.9.7-2.debdiff


diff -Nru resiprocate-1.9.7/debian/changelog resiprocate-1.9.7/debian/changelog
--- resiprocate-1.9.7/debian/changelog	2014-05-31 12:51:11.000000000 +0200
+++ resiprocate-1.9.7/debian/changelog	2014-12-09 11:56:59.000000000 +0100
@@ -1,3 +1,10 @@
+resiprocate (1.9.7-2) testing-proposed-updates; urgency=medium
+
+  * Use SSLv23_method instead of TLSv1_method and
+    avoid TLS 1.2 when acting as client. (Closes: #772632)
+
+ -- Daniel Pocock <daniel@pocock.pro>  Tue, 09 Dec 2014 11:34:48 +0100
+
 resiprocate (1.9.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch
--- resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch	1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch	2014-12-09 11:30:51.000000000 +0100
@@ -0,0 +1,50 @@
+diff --git a/repro/ReproRunner.cxx b/repro/ReproRunner.cxx
+index 929392b..a2f09de 100644
+--- a/repro/ReproRunner.cxx
++++ b/repro/ReproRunner.cxx
+@@ -1338,6 +1338,7 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+       wsCookieContextFactory.reset(new BasicWsCookieContextFactory(infoCookieName, extraCookieName, macCookieName));
+    }
+ 
++   SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23;
+    try
+    {
+       // Check if advanced transport settings are provided
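Review bot: `defaultSSLType` is a hard-coded local in `addTransports` (the `+   SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23;` line), so an operator cannot pin or relax the protocol set from the configuration without rebuilding; if a follow-up upload is planned, reading it from the repro configuration with SSLv23 as the default would avoid the next round of patching. Also worth confirming, because it is outside this diff, that the code path which turns `SecurityTypes::SSLv23` into an `SSL_CTX` sets `SSL_OP_NO_SSLv2` and `SSL_OP_NO_SSLv3`: with OpenSSL of this era `SSLv23_method()` on its own will still negotiate SSLv3 with a peer that offers nothing newer, which the move away from `TLSv1_method` newly exposes.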
+@@ -1448,7 +1449,7 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+                                  ipAddr,       // interface to bind to
+                                  tlsDomain,
+                                  Data::Empty,  // private key passphrase - not currently used
+-                                 SecurityTypes::TLSv1, // sslType
++                                 defaultSSLType, // sslType
+                                  0,            // transport flags
+                                  tlsCertificate, tlsPrivateKey,
+                                  cvm,          // tls client verification mode
+@@ -1576,8 +1577,8 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+          }
+          if (tlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+-            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+          }
+          if (wsPort)
+          {
+@@ -1586,13 +1587,13 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+          }
+          if (wssPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
+-            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
++            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
++            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
+          }
+          if (dtlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey);
+-            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey);
++            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey);
++            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey);
+          }
+       }
+    }
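Review bot: the DTLS call sites (the two `addTransport(DTLS, ...)` lines) now receive `defaultSSLType` as well; confirm that the DTLS transport accepts `SecurityTypes::SSLv23`, since DTLS negotiates with its own method family and a value chosen for the TCP/TLS method may be ignored or rejected there, which would only surface once a DTLS listener is configured.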
diff -Nru resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch
--- resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch	2014-12-09 11:33:41.000000000 +0100
@@ -0,0 +1,16 @@
+diff --git a/resip/stack/ssl/TlsConnection.cxx b/resip/stack/ssl/TlsConnection.cxx
+index c3537aa..145d089 100644
+--- a/resip/stack/ssl/TlsConnection.cxx
++++ b/resip/stack/ssl/TlsConnection.cxx
+@@ -122,6 +122,11 @@ TlsConnection::TlsConnection( Transport* transport, const Tuple& tuple,
+       }
+       SSL_set_verify(mSsl, verify_mode, 0);
+    }
++   else
++   {
++      // some TLS v1.2 servers have been troublesome
++      SSL_set_options(mSsl, SSL_OP_NO_TLSv1_2);
++   }
+ 
+    mBio = BIO_new_socket((int)fd,0/*close flag*/);
+    assert( mBio );
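Review bot: the new `else` branch applies `SSL_OP_NO_TLSv1_2` to every outbound connection unconditionally, and the only justification is the comment `// some TLS v1.2 servers have been troublesome`. Two things to tighten: the comment (or the changelog) should point at the concrete failure, #772632 if that is the one, so whoever lifts the cap later knows what to retest; and the cap belongs behind a configuration option, since as written it limits client connections to TLS 1.1 for every deployment and removing it needs another upload. The condition of the `if` is outside the visible context; the branch with `SSL_set_verify` reads as the accepting side, so confirm that `else` is reached only for connections the stack initiates, otherwise the server side loses TLS 1.2 too.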
diff -Nru resiprocate-1.9.7/debian/patches/series resiprocate-1.9.7/debian/patches/series
--- resiprocate-1.9.7/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/series	2014-12-09 11:33:48.000000000 +0100
@@ -0,0 +1,2 @@
+0001-use-SSLv23_method.patch
+0002-client-avoid-TLSv1_2.patch

--- End Message ---
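The version-negotiation difference the unblock request describes, modelled as an added example that is not part of the bug thread and not resiprocate code. It uses Python's standard ssl module rather than the C++ stack because that module exposes the same OpenSSL version bounds and SSL_OP_NO_* flags the two patches rely on: a context pinned to one version stands in for TLSv1_method, a version-flexible context stands in for SSLv23_method, and SSL_OP_NO_TLSv1_2 is added only on the client side as patch 0002 does. All function names are this example's own; the bound of TLS 1.2 and the unmasked TLS 1.0/1.1 are constructed to mirror a 2014-era OpenSSL 1.0.1 build, and the explicit SSLv2/SSLv3 masking is a practitioner's addition, not something the page shows. No handshake is performed: the negotiable set is derived the way OpenSSL derives it, the min/max bounds intersected with the OP_NO_* mask.

```python
"""Added example, not code from the Debian bug thread or from resiprocate.

Models resiprocate 1.9.7-2's two changes with the standard ssl module:
  * TLSv1_method  -> a context that can only ever speak TLS 1.0
  * SSLv23_method -> a version-flexible context with SSLv2/SSLv3 masked,
    plus SSL_OP_NO_TLSv1_2 on the client side only (patch 0002)
"""
import ssl

# (protocol version, option flag that masks it, printable name)
VERSION_TABLE = (
    (ssl.TLSVersion.SSLv3,   ssl.OP_NO_SSLv3,   "SSLv3"),
    (ssl.TLSVersion.TLSv1,   ssl.OP_NO_TLSv1,   "TLSv1"),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1, "TLSv1.1"),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2, "TLSv1.2"),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3, "TLSv1.3"),
)


def _base_context(server_side):
    """Constructed assumption: mirror a 2014-era OpenSSL 1.0.1 build, whose
    highest version was TLS 1.2 and which did not mask TLS 1.0/1.1 by
    default (current Python builds do, so those defaults are reset here)."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pinned_tlsv1_context(server_side):
    """Stand-in for the discouraged TLSv1_method: both bounds pinned to TLS 1.0,
    so a newer peer can never be offered anything better."""
    ctx = _base_context(server_side)
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    return ctx


def flexible_context(server_side):
    """Stand-in for SSLv23_method as patch 0001 uses it.  The SSLv2/SSLv3 mask is
    this example's addition: a flexible method without it could still fall
    back to SSLv3 on OpenSSL of that era.  The client-only TLS 1.2 mask is the
    same effect as SSL_set_options(mSsl, SSL_OP_NO_TLSv1_2) in patch 0002."""
    ctx = _base_context(server_side)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    if not server_side:
        ctx.options |= ssl.OP_NO_TLSv1_2   # "some TLS v1.2 servers have been troublesome"
    return ctx


def negotiable_versions(ctx):
    """Versions the context can still negotiate: inside [min, max] and not
    masked by an OP_NO_* flag, which is exactly how OpenSSL decides."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for version, flag, name in VERSION_TABLE
            if lo <= version <= hi and not (int(ctx.options) & flag)]


def summary():
    """Negotiable versions for each role, before and after the change."""
    return {
        "pinned server":   negotiable_versions(pinned_tlsv1_context(True)),
        "pinned client":   negotiable_versions(pinned_tlsv1_context(False)),
        "flexible server": negotiable_versions(flexible_context(True)),
        "flexible client": negotiable_versions(flexible_context(False)),
    }


if __name__ == "__main__":
    for role, versions in summary().items():
        print(f"{role:16s} -> {', '.join(versions)}")
```

The server side gains TLS 1.1 and 1.2 simply by no longer being pinned, which is the "benefit from future OpenSSL changes without a rebuild" argument in the request: whatever the flexible method's bounds and default mask become in a later library version, the application code stays the same. The client side shows the cost of patch 0002: the mask caps it at TLS 1.1 until someone removes the flag, which is why a reviewer would want that hard-coded option behind a configuration knob.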
--- Begin Message ---
Hi Daniel,

On Tue, Dec 09, 2014 at 09:15:25PM +0100, Daniel Pocock wrote:
> Ok, thanks for the feedback, 1:1.9.7-3 has been uploaded signed by the
> other key and I've pushed the subkey with the extended expiry.

Unblocked resiprocate/1:1.9.7-4 (which finally built on mips).

Cheers,

Ivo

--- End Message ---
