Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.camel@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #781965,
regarding wheezy-pu: package ircd-hybrid/1:7.2.2.dfsg.2-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
781965: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781965
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package ircd-hybrid/1:7.2.2.dfsg.2-10
- From: Dominic Hargreaves <dom@earth.li>
- Date: Sun, 05 Apr 2015 19:08:27 +0100
- Message-id: <20150405180827.535.1986.reportbug@callisto.larted.org.uk>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

As per #779082, ircd-hybrid in wheezy (when recompiled to support SSL) currently listens on SSLv3, which could be exposing a risk of a POODLE attack. The patch to disable SSLv3 is simple, and I've attached a tested package diff. The Debian security team treats this as a no-dsa issue.

Please let me know if it's okay to upload.

Thanks,
Dominic.

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

diff --git a/debian/changelog b/debian/changelog index eeaac9d..8d038f2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ircd-hybrid (1:7.2.2.dfsg.2-10+deb7u1) stable; urgency=medium + + * Disable SSLv3 to mitigate against the POODLE vulnerability + (Closes: #767026) + + -- Dominic Hargreaves <dom@earth.li> Sun, 05 Apr 2015 18:33:33 +0100 + ircd-hybrid (1:7.2.2.dfsg.2-10) unstable; urgency=high * [CVE-2013-0238] fix DoS in hostmask.c:try_parse_v4_netmask() diff --git a/debian/patches/00list b/debian/patches/00list index 0bae9d0..a358c33 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -20,4 +20,5 @@ 21-dpkg-buildflags 22-getopt.dpatch 23-netmask-dos.dpatch +24-disable-sslv3.dpatch 98_patchlevel_debian diff --git a/debian/patches/24-disable-sslv3.dpatch b/debian/patches/24-disable-sslv3.dpatch new file mode 100755 index 0000000..78427f9 --- /dev/null +++ b/debian/patches/24-disable-sslv3.dpatch 
@@ -0,0 +1,25 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 24-disable-sslv3.dpatch by Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +## +## DP: Disable SSLv3 to mitigate against the POODLE attack +## +## All lines beginning with `## DP:' are a description of the patch. + +diff --git a/src/ircd.c b/src/ircd.c +--- a/src/ircd.c ++++ b/src/ircd.c +@@ -512,7 +512,7 @@ init_ssl(void) + ilog(L_CRIT, "ERROR: Could not initialize the SSL context -- %s\n", s); + } + +- SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2); ++ SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_TLS_ROLLBACK_BUG|SSL_OP_ALL); + SSL_CTX_set_verify(ServerInfo.ctx, SSL_VERIFY_NONE, NULL); + +-- +1.7.10.4 + + +Sebastian +
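Review bot: in the debian/changelog hunk, `(Closes: #767026)` does not match the bug the cover mail cites (#779082); confirm which report this wheezy upload is meant to close, because the number in the changelog is what the archive will auto-close when the package is accepted. Also check the distribution field `stable` at upload time: once jessie is released, a wheezy update needs to target `wheezy` (oldstable) instead.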
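Review bot: in the `init_ssl(void)` hunk of 24-disable-sslv3.dpatch, the unchanged next line `SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_TLS_ROLLBACK_BUG|SSL_OP_ALL);` leaves SSL_OP_TLS_ROLLBACK_BUG in force; that option disables OpenSSL's version-rollback detection in the RSA key exchange, a downgrade protection of the same kind this patch is restoring, so it deserves a follow-up to drop it (SSL_OP_ALL also carries SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, the opt-out from the CBC empty-fragment countermeasure, worth reviewing at the same time). The change itself is correct as written: SSL_CTX_set_options OR-s into the existing option mask, so the second call cannot clear SSL_OP_NO_SSLv3. Minor: the dpatch file embeds the git format-patch trailer (`-- 1.7.10.4` and the `Sebastian` sign-off) after the hunk; patch ignores trailing text, but trimming it keeps the dpatch to the description header and the diff.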
--- End Message ---
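After a fix like the one above is deployed, the check a practitioner wants is whether the listener still completes an SSLv3 handshake. The probe below is an added example and is not code from the bug report, from ircd-hybrid or from Debian. It builds an SSLv3 ClientHello at the record layer and classifies the first record the server returns, so it works even where the local OpenSSL build has no SSLv3 support (and `openssl s_client -ssl3` is unavailable). The cipher-suite list, the sample host/port in the usage line and the constructed server responses are assumptions for illustration.

```python
"""Probe whether a TLS listener still accepts an SSLv3 ClientHello (POODLE exposure).

Added example, not part of ircd-hybrid or the Debian bug report. It speaks the
SSL/TLS record layer directly instead of relying on a local SSLv3-capable library.
"""
import os
import socket
import struct

HANDSHAKE, ALERT = 22, 21          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake message types
SSLV3 = b"\x03\x00"                # protocol version 3.0

# Cipher suites that SSLv3 servers commonly offered (assumption for the probe):
# AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello(client_random=None):
    """Return a complete SSLv3 ClientHello record: version 3.0 appears both in
    the record header and in the handshake body, so a server that has SSLv3
    disabled cannot treat this as a TLS hello."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body = (SSLV3 + client_random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites  # cipher suite list
            + b"\x01\x00")                             # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record the server sends back to a verdict string."""
    if len(data) < 5:
        return "no_tls_response"          # closed, empty or not a TLS record
    content_type = data[0]
    if content_type == HANDSHAKE and len(data) >= 11 and data[5] == SERVER_HELLO:
        version = data[9:11]              # record(5) + hs type(1) + hs len(3), then version
        if version == SSLV3:
            return "sslv3_accepted"       # the listener still negotiates SSL 3.0
        return "negotiated_" + version.hex()
    if content_type == ALERT and len(data) >= 7:
        return "alert_%d" % data[6]       # e.g. 70 protocol_version, 40 handshake_failure
    return "unexpected_record"


def probe(host, port, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify whatever comes back.
    A server that simply drops the connection reports as connection_closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_response(sock.recv(4096))
    except socket.timeout:
        return "timeout"
    except ConnectionError:
        return "connection_closed"


# Constructed server responses (not captured from any real server) so the
# classifier can be exercised offline.
def _constructed_server_hello(version):
    body = version + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"  # zero random, AES128-SHA, null compression
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


SAMPLE_SSLV3_SERVER_HELLO = _constructed_server_hello(SSLV3)
SAMPLE_TLS10_SERVER_HELLO = _constructed_server_hello(b"\x03\x01")
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"   # fatal, protocol_version (70)
SAMPLE_HANDSHAKE_FAILURE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal, handshake_failure (40)

if __name__ == "__main__":
    import sys
    # Usage (hypothetical host/port): python3 sslv3_probe.py irc.example.org 6697
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Any verdict other than `sslv3_accepted` means the listener refused to complete an SSL 3.0 handshake; which refusal you see (an alert, or a plain connection close) depends on the server's TLS library, so do not key the check on one particular alert code.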
--- Begin Message ---
- To: 725661-done@bugs.debian.org, 770955-done@bugs.debian.org, 773796-done@bugs.debian.org, 774773-done@bugs.debian.org, 774820-done@bugs.debian.org, 774850-done@bugs.debian.org, 774921-done@bugs.debian.org, 775380-done@bugs.debian.org, 775603-done@bugs.debian.org, 775664-done@bugs.debian.org, 775825-done@bugs.debian.org, 776095-done@bugs.debian.org, 776734-done@bugs.debian.org, 776781-done@bugs.debian.org, 776884-done@bugs.debian.org, 777046-done@bugs.debian.org, 777047-done@bugs.debian.org, 777372-done@bugs.debian.org, 777553-done@bugs.debian.org, 778622-done@bugs.debian.org, 779083-done@bugs.debian.org, 779622-done@bugs.debian.org, 779926-done@bugs.debian.org, 780191-done@bugs.debian.org, 780471-done@bugs.debian.org, 780798-done@bugs.debian.org, 780924-done@bugs.debian.org, 781281-done@bugs.debian.org, 781406-done@bugs.debian.org, 781542-done@bugs.debian.org, 781885-done@bugs.debian.org, 781965-done@bugs.debian.org, 782042-done@bugs.debian.org, 782165-done@bugs.debian.org, 782409-done@bugs.debian.org, 782600-done@bugs.debian.org, 782663-done@bugs.debian.org, 782848-done@bugs.debian.org, 783659-done@bugs.debian.org, 783749-done@bugs.debian.org, 784102-done@bugs.debian.org, 785155-done@bugs.debian.org, 785348-done@bugs.debian.org, 785735-done@bugs.debian.org, 786691-done@bugs.debian.org, 786830-done@bugs.debian.org, 786919-done@bugs.debian.org, 787076-done@bugs.debian.org, 787403-done@bugs.debian.org, 787933-done@bugs.debian.org, 787947-done@bugs.debian.org, 788064-done@bugs.debian.org, 788242-done@bugs.debian.org, 788558-done@bugs.debian.org, 788664-done@bugs.debian.org, 790692-done@bugs.debian.org, 790940-done@bugs.debian.org, 793028-done@bugs.debian.org, 794962-done@bugs.debian.org, 795166-done@bugs.debian.org, 795892-done@bugs.debian.org, 797079-done@bugs.debian.org, 797213-done@bugs.debian.org
- Subject: Closing bugs for 7.9
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 05 Sep 2015 14:33:54 +0100
- Message-id: <1441460034.2151.33.camel@adam-barratt.org.uk>
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point release.

Regards,

Adam
--- End Message ---