
Bug#767775: wheezy-pu: package evolution-data-server/3.4.4-3+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

evolution-data-server in wheezy doesn't enable all encryption algorithms
(TLSv1+) when connecting securely to IMAP servers. This means that when
servers disable SSLv3 due to POODLE, users are unable to connect in
evolution, receiving a message like

  Could not connect to 'server:993': Cannot communicate securely with
  peer: no common encryption algorithm(s).

Some links:

Debian bug.

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765838

Ubuntu bug in which the same fix (modulo wrangling the patch to apply to
3.4.4) was issued.

  https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1382133

Upstream mail providing the patch + details.

  https://mail.gnome.org/archives/evolution-list/2014-October/msg00113.html

Redhat bug fixing the issue in Fedora.

  https://bugzilla.redhat.com/show_bug.cgi?id=1153052

I'd like to upload the attached diff to wheezy to fix the issue.

Cheers,

-- 
Iain Lane                                  [ iain@orangesquash.org.uk ]
Debian Developer                                   [ laney@debian.org ]
Ubuntu Developer                                   [ laney@ubuntu.com ]
diff -Nru evolution-data-server-3.4.4/debian/changelog evolution-data-server-3.4.4/debian/changelog
--- evolution-data-server-3.4.4/debian/changelog	2013-02-10 18:16:56.000000000 +0000
+++ evolution-data-server-3.4.4/debian/changelog	2014-11-02 17:13:18.000000000 +0000
@@ -1,3 +1,10 @@
+evolution-data-server (3.4.4-3+deb7u1) UNRELEASED; urgency=medium
+
+  * debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch:
+    Enable all SSL/TLS versions supported by NSS (Closes: #765838)
+
+ -- Iain Lane <laney@debian.org>  Sun, 02 Nov 2014 16:48:55 +0000
+
 evolution-data-server (3.4.4-3) unstable; urgency=low
 
   * 04_mbox_index.patch: patch from upstream git. Correctly display 
diff -Nru evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch
--- evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch	1970-01-01 01:00:00.000000000 +0100
+++ evolution-data-server-3.4.4/debian/patches/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch	2014-11-02 17:13:34.000000000 +0000
@@ -0,0 +1,107 @@
+Description: Enable all SSL/TLS versions supported by NSS
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/evolution-data-server.git/tree/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch?h=f20
+Author: Milan Crha <mcrha@redhat.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1382133
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765838
+
+--- a/camel/camel-network-service.c
++++ b/camel/camel-network-service.c
+@@ -87,7 +87,8 @@
+ 			stream = camel_tcp_stream_ssl_new (
+ 				session, host,
+ 				CAMEL_TCP_STREAM_SSL_ENABLE_SSL2 |
+-				CAMEL_TCP_STREAM_SSL_ENABLE_SSL3);
++				CAMEL_TCP_STREAM_SSL_ENABLE_SSL3 |
++				CAMEL_TCP_STREAM_SSL_ENABLE_TLS);
+ 			break;
+ 
+ 		default:
+--- a/camel/camel-tcp-stream-ssl.c
++++ b/camel/camel-tcp-stream-ssl.c
+@@ -43,6 +43,8 @@
+ #include <sslerr.h>
+ #include "nss.h"    /* Don't use <> here or it will include the system nss.h instead */
+ #include <ssl.h>
++#include <sslt.h>
++#include <sslproto.h>
+ #include <cert.h>
+ #include <certdb.h>
+ #include <pk11func.h>
+@@ -662,6 +664,9 @@
+             PRFileDesc *fd)
+ {
+ 	PRFileDesc *ssl_fd;
++#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
++	SSLVersionRange versionStreamSup, versionStream;
++#endif
+ 
+ 	g_assert (fd != NULL);
+ 
+@@ -679,6 +684,7 @@
+ 		SSL_OptionSet (ssl_fd, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
+ 	}
+ 
++#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
+ 	if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
+ 		SSL_OptionSet (ssl_fd, SSL_ENABLE_SSL3, PR_TRUE);
+ 	else
+@@ -689,6 +695,29 @@
+ 	else
+ 		SSL_OptionSet (ssl_fd, SSL_ENABLE_TLS, PR_FALSE);
+ 
++#else
++	SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStreamSup);
++
++	if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
++		versionStream.min = SSL_LIBRARY_VERSION_3_0;
++	else
++		versionStream.min = SSL_LIBRARY_VERSION_TLS_1_0;
++
++	if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_TLS)
++		versionStream.max = versionStreamSup.max;
++	else
++		versionStream.max = SSL_LIBRARY_VERSION_3_0;
++
++	if (versionStream.max < versionStream.min) {
++		PRUint16 tmp;
++
++		tmp = versionStream.max;
++		versionStream.max = versionStream.min;
++		versionStream.min = tmp;
++	}
++
++	SSL_VersionRangeSet (ssl_fd, &versionStream);
++#endif
+ 	SSL_SetURL (ssl_fd, ssl->priv->expected_host);
+ 
+ 	/* NSS provides a default implementation for the SSL_GetClientAuthDataHook callback
+--- a/camel/camel.c
++++ b/camel/camel.c
+@@ -99,6 +99,9 @@
+ 		gchar *nss_sql_configdir = NULL;
+ 		SECStatus status = SECFailure;
+ 		PRUint16 indx;
++#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
++		SSLVersionRange versionStream;
++#endif
+ 
+ 		if (nss_initlock == NULL) {
+ 			PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
+@@ -189,9 +192,15 @@
+ 		}
+ 
+ 		SSL_OptionSetDefault (SSL_ENABLE_SSL2, PR_TRUE);
+-		SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
+-		SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
+ 		SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_TRUE /* maybe? */);
++#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
++ 		SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
++		SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE); /* Enable TLSv1.0 */
++#else
++		/* Enable all SSL/TLS versions supported by NSS (this API is for SSLv3 and newer). */
++		SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStream);
++		SSL_VersionRangeSetDefault (ssl_variant_stream, &versionStream);
++#endif
+ 
+ 		g_free (nss_configdir);
+ 		g_free (nss_sql_configdir);
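Review bot: The SECStatus results of `SSL_VersionRangeGetSupported` and `SSL_VersionRangeSet` in the new `#else` branch for camel-tcp-stream-ssl.c are discarded, so if NSS rejects the requested range the socket silently keeps the library default rather than the range derived from the caller's flags; the same applies to `SSL_VersionRangeSetDefault` in camel.c, where a `status` variable is already in scope. At minimum the per-socket call should become `if (SSL_VersionRangeSet (ssl_fd, &versionStream) != SECSuccess) g_warning ("Cannot set SSL/TLS version range");`. Because camel-network-service.c still passes CAMEL_TCP_STREAM_SSL_ENABLE_SSL3, `versionStream.min` stays at SSL_LIBRARY_VERSION_3_0, so this change restores connectivity to TLS-only servers but does not by itself stop the client from negotiating SSLv3 with a server that still offers it; a comment to that effect next to the min assignment would keep readers from reading the "poodle" patch name as a full mitigation. The swap at the `versionStream.max < versionStream.min` check also turns the no-SSL3/no-TLS flag combination into an SSLv3–TLS1.0 range instead of rejecting it, which is presumably intentional but deserves a one-line comment. The function containing the version-range code starts and ends outside the quoted inner hunk.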
diff -Nru evolution-data-server-3.4.4/debian/patches/series evolution-data-server-3.4.4/debian/patches/series
--- evolution-data-server-3.4.4/debian/patches/series	2013-02-10 18:16:56.000000000 +0000
+++ evolution-data-server-3.4.4/debian/patches/series	2014-11-02 16:43:47.000000000 +0000
@@ -3,3 +3,4 @@
 03_EBookBackendSqliteDB_Escape_SQL_strings.patch
 04_mbox_index.patch
 20_gettext_intltool.patch
+evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch
