Bug#767775: wheezy-pu: package evolution-data-server/3.4.4-3+deb7u1
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
evolution-data-server in wheezy doesn't enable all of the SSL/TLS protocol
versions (TLSv1 and newer) when connecting securely to IMAP servers. This
means that when servers disable SSLv3 in response to POODLE, users are
unable to connect in evolution and receive a message like
Could not connect to 'server:993': Cannot communicate securely with
peer: no common encryption algorithm(s).
Some links:
Debian bug.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765838
Ubuntu bug in which the same (modulo wrangling the patch to apply on
3.4.4) fix was issued.
https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1382133
Upstream mail providing the patch + details.
https://mail.gnome.org/archives/evolution-list/2014-October/msg00113.html
Redhat bug fixing the issue in Fedora.
https://bugzilla.redhat.com/show_bug.cgi?id=1153052
I'd like to upload the attached diff to wheezy to fix the issue.
Cheers,
--
Iain Lane [ iain@orangesquash.org.uk ]
Debian Developer [ laney@debian.org ]
Ubuntu Developer [ laney@ubuntu.com ]
diff -Nru evolution-data-server-3.4.4/debian/changelog evolution-data-server-3.4.4/debian/changelog
--- evolution-data-server-3.4.4/debian/changelog 2013-02-10 18:16:56.000000000 +0000
+++ evolution-data-server-3.4.4/debian/changelog 2014-11-02 17:13:18.000000000 +0000
@@ -1,3 +1,10 @@
+evolution-data-server (3.4.4-3+deb7u1) UNRELEASED; urgency=medium
+
+ * debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch:
+ Enable all SSL/TLS versions supported by NSS (Closes: #765838)
+
+ -- Iain Lane <laney@debian.org> Sun, 02 Nov 2014 16:48:55 +0000
+
evolution-data-server (3.4.4-3) unstable; urgency=low
* 04_mbox_index.patch: patch from upstream git. Correctly display
diff -Nru evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch
--- evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch 1970-01-01 01:00:00.000000000 +0100
+++ evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch 2014-11-02 17:13:34.000000000 +0000
@@ -0,0 +1,107 @@
+Description: Enable all SSL/TLS versions supported by NSS
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/evolution-data-server.git/tree/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch?h=f20
+Author: Milan Crha <mcrha@redhat.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1382133
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765838
+
+--- a/camel/camel-network-service.c
++++ b/camel/camel-network-service.c
+@@ -87,7 +87,8 @@
+ stream = camel_tcp_stream_ssl_new (
+ session, host,
+ CAMEL_TCP_STREAM_SSL_ENABLE_SSL2 |
+- CAMEL_TCP_STREAM_SSL_ENABLE_SSL3);
++ CAMEL_TCP_STREAM_SSL_ENABLE_SSL3 |
++ CAMEL_TCP_STREAM_SSL_ENABLE_TLS);
+ break;
+
+ default:
+--- a/camel/camel-tcp-stream-ssl.c
++++ b/camel/camel-tcp-stream-ssl.c
+@@ -43,6 +43,8 @@
+ #include <sslerr.h>
+ #include "nss.h" /* Don't use <> here or it will include the system nss.h instead */
+ #include <ssl.h>
++#include <sslt.h>
++#include <sslproto.h>
+ #include <cert.h>
+ #include <certdb.h>
+ #include <pk11func.h>
+@@ -662,6 +664,9 @@
+ PRFileDesc *fd)
+ {
+ PRFileDesc *ssl_fd;
++#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
++ SSLVersionRange versionStreamSup, versionStream;
++#endif
+
+ g_assert (fd != NULL);
+
+@@ -679,6 +684,7 @@
+ SSL_OptionSet (ssl_fd, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
+ }
+
++#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
+ if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
+ SSL_OptionSet (ssl_fd, SSL_ENABLE_SSL3, PR_TRUE);
+ else
+@@ -689,6 +695,29 @@
+ else
+ SSL_OptionSet (ssl_fd, SSL_ENABLE_TLS, PR_FALSE);
+
++#else
++ SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStreamSup);
++
++ if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
++ versionStream.min = SSL_LIBRARY_VERSION_3_0;
++ else
++ versionStream.min = SSL_LIBRARY_VERSION_TLS_1_0;
++
++ if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_TLS)
++ versionStream.max = versionStreamSup.max;
++ else
++ versionStream.max = SSL_LIBRARY_VERSION_3_0;
++
++ if (versionStream.max < versionStream.min) {
++ PRUint16 tmp;
++
++ tmp = versionStream.max;
++ versionStream.max = versionStream.min;
++ versionStream.min = tmp;
++ }
++
++ SSL_VersionRangeSet (ssl_fd, &versionStream);
++#endif
+ SSL_SetURL (ssl_fd, ssl->priv->expected_host);
+
+ /* NSS provides a default implementation for the SSL_GetClientAuthDataHook callback
+--- a/camel/camel.c
++++ b/camel/camel.c
+@@ -99,6 +99,9 @@
+ gchar *nss_sql_configdir = NULL;
+ SECStatus status = SECFailure;
+ PRUint16 indx;
++#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
++ SSLVersionRange versionStream;
++#endif
+
+ if (nss_initlock == NULL) {
+ PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
+@@ -189,9 +192,15 @@
+ }
+
+ SSL_OptionSetDefault (SSL_ENABLE_SSL2, PR_TRUE);
+- SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
+- SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
+ SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_TRUE /* maybe? */);
++#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
++ SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
++ SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE); /* Enable TLSv1.0 */
++#else
++ /* Enable all SSL/TLS versions supported by NSS (this API is for SSLv3 and newer). */
++ SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStream);
++ SSL_VersionRangeSetDefault (ssl_variant_stream, &versionStream);
++#endif
+
+ g_free (nss_configdir);
+ g_free (nss_sql_configdir);
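Review bot: `SSL_VersionRangeGetSupported` and `SSL_VersionRangeSet` return `SECStatus`, but the new `#else` branch in camel-tcp-stream-ssl.c discards both results, so if the first call fails `versionStreamSup.max` is read uninitialized whenever `CAMEL_TCP_STREAM_SSL_ENABLE_TLS` is set; the `SSL_VersionRangeGetSupported`/`SSL_VersionRangeSetDefault` pair added to camel.c drops its results the same way. Check the call, e.g. `if (SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStreamSup) != SECSuccess)` and take whatever error path the enclosing function already uses (its prologue and epilogue are outside this hunk), rather than proceeding with an undefined range. With `CAMEL_TCP_STREAM_SSL_ENABLE_SSL3` set, which camel-network-service.c still passes, the range floor remains `SSL_LIBRARY_VERSION_3_0`, so this change restores TLS interoperability but does not itself stop SSLv3 from being negotiated; a comment at the `#else` such as `/* TLS is enabled on top of SSLv3; SSLv3 is not disabled here */` would keep readers from assuming the POODLE downgrade is mitigated by this patch. When neither flag is set, the min/max swap yields an SSL 3.0–TLS 1.0 range, which looks unintended and also deserves a comment.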
diff -Nru evolution-data-server-3.4.4/debian/patches/series evolution-data-server-3.4.4/debian/patches/series
--- evolution-data-server-3.4.4/debian/patches/series 2013-02-10 18:16:56.000000000 +0000
+++ evolution-data-server-3.4.4/debian/patches/series 2014-11-02 16:43:47.000000000 +0000
@@ -3,3 +3,4 @@
03_EBookBackendSqliteDB_Escape_SQL_strings.patch
04_mbox_index.patch
20_gettext_intltool.patch
+evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch