2016-09-07 9:30 GMT+02:00 Adam D. Barratt <adam@adam-barratt.org.uk>:
> Thanks for caring about fixing this in jessie.
>
> In order to okay an upload, however, we'd need to see a source debdiff for
> the proposed package, built and tested on a jessie system.

Sure.

Before:

dpkg -l | grep kamailio
ii  kamailio                    4.2.0-2+deb8u1  amd64  very fast and configurable SIP proxy
ii  kamailio-tls-modules:amd64  4.2.0-2+deb8u1  amd64  contains the TLS kamailio transport module

root@debian-jessie-plain:/etc/kamailio# systemctl status kamailio -l
● kamailio.service - LSB: Start the Kamailio SIP proxy server
   Loaded: loaded (/etc/init.d/kamailio)
   Active: active (exited) since Wed 2016-09-07 11:36:47 CEST; 44s ago
  Process: 16399 ExecStop=/etc/init.d/kamailio stop (code=exited, status=0/SUCCESS)
  Process: 16410 ExecStart=/etc/init.d/kamailio start (code=exited, status=0/SUCCESS)

Sep 07 11:36:47 debian-jessie-plain kamailio[16410]: udp: localhost:5060
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: rr [../outbound/api.h:54]: ob_load_api(): Failed to import bind_ob
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: rr [rr_mod.c:160]: mod_init(): outbound module not available
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: usrloc [hslot.c:53]: ul_init_locks(): locks array size 1024
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: tls [tls_mod.c:346]: mod_init(): With ECDH-Support!
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: tls [tls_mod.c:349]: mod_init(): With Diffie Hellman
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: : tls [tls_init.c:515]: init_tls_h(): ERROR: tls: init_tls_h: installed openssl library version is too different from the library the ser tls module was compiled with: installed "OpenSSL 1.0.1t 3 May 2016" (0x1000114f), compiled "OpenSSL 1.0.1k 8 Jan 2015" (0x100010bf).
 Please make sure a compatible version is used (tls_force_run in ser.cfg will override this check)
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: CRITICAL: <core> [main.c:2521]: main(): could not initialize tls, exiting...
Sep 07 11:36:47 debian-jessie-plain kamailio[16410]: already running ... failed!
Sep 07 11:36:47 debian-jessie-plain kamailio[16410]: .

$ dpkg -l | grep openssl
ii  libgnutls-openssl27:amd64  3.3.8-6+deb8u3   amd64  GNU TLS library - OpenSSL wrapper
ii  openssl                    1.0.1k-3+deb8u5  amd64  Secure Sockets Layer toolkit - cryptographic utility

After:

$ dpkg -l | grep kamailio
ii  kamailio                    4.2.0-2+deb8u2  amd64  very fast and configurable SIP proxy
ii  kamailio-tls-modules:amd64  4.2.0-2+deb8u2  amd64  contains the TLS kamailio transport module

$ systemctl status kamailio -l
● kamailio.service - LSB: Start the Kamailio SIP proxy server
   Loaded: loaded (/etc/init.d/kamailio)
   Active: active (running) since Wed 2016-09-07 11:45:11 CEST; 7s ago
   CGroup: /system.slice/kamailio.service

Installing the previous openssl version has no effect, so the fix works properly.

diff -Nru kamailio-4.2.0/debian/changelog kamailio-4.2.0/debian/changelog --- kamailio-4.2.0/debian/changelog 2016-03-21 00:24:40.000000000 +0100 +++ kamailio-4.2.0/debian/changelog 2016-09-07 10:00:32.000000000 +0200 @@ -1,3 +1,12 @@ +kamailio (4.2.0-2+deb8u2) stable-proposed-updates; urgency=medium + + * use my DD account \o/ + * add upstream fix for: + proper check of libssl versions used for compilation + and available on system (Closes: #833973) + + -- Victor Seva <vseva@debian.org> Wed, 07 Sep 2016 10:00:32 +0200 + kamailio (4.2.0-2+deb8u1) jessie-security; urgency=medium * CVE-2016-2385 diff -Nru kamailio-4.2.0/debian/control kamailio-4.2.0/debian/control --- kamailio-4.2.0/debian/control 2015-01-28 20:48:03.000000000 +0100 +++ kamailio-4.2.0/debian/control 2016-09-07 10:00:32.000000000 +0200 @@ -2,7 +2,7 @@ Section: net Priority: optional Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org> -Uploaders: Victor Seva <linuxmaniac@torreviejawireless.org>, +Uploaders: Victor Seva <vseva@debian.org>, Tzafrir Cohen <tzafrir@debian.org> Build-Depends: bison, debhelper (>= 9), diff -Nru kamailio-4.2.0/debian/patches/fix_tls.patch kamailio-4.2.0/debian/patches/fix_tls.patch --- kamailio-4.2.0/debian/patches/fix_tls.patch 1970-01-01 01:00:00.000000000 +0100 +++ kamailio-4.2.0/debian/patches/fix_tls.patch 2016-09-07 10:00:32.000000000 +0200 
@@ -0,0 +1,34 @@ +From 0a5f99b28d01d79cf2675df6d2a6220167e2476e Mon Sep 17 00:00:00 2001 +From: Daniel-Constantin Mierla <miconda@gmail.com> +Date: Tue, 7 Jun 2016 15:21:06 +0200 +Subject: [PATCH] tls: proper check of libssl versions used for compilation and + available on system + +- shift out the last 12bits, being the patch version and status (see man + SSLeay) +- reported by Victor Seva, GH #662 + +(cherry picked from commit c38b4c7345a6806f48a0cdb07841e10bc962e1bf) +(cherry picked from commit 253909bf673c0a59e7adf578bb5df73eb157d0f2) +(cherry picked from commit 5632abc108bf8ed8157a77806ea80b962db3fa4f) +--- + modules/tls/tls_init.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c +index a381be1..7bfc10f 100644 +--- a/modules/tls/tls_init.c ++++ b/modules/tls/tls_init.c +@@ -543,8 +543,10 @@ int init_tls_h(void) + #endif + ssl_version=SSLeay(); + /* check if version have the same major minor and fix level +- * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */ +- if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){ ++ * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) ++ * - values is represented as 0xMMNNFFPPS: major minor fix patch status ++ * 0x00090705f == 0.9.7e release */ ++ if ((ssl_version>>12)!=(OPENSSL_VERSION_NUMBER>>12)){ + LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library " + "version is too different from the library the ser tls module " + "was compiled with: installed \"%s\" (0x%08lx), compiled " diff -Nru kamailio-4.2.0/debian/patches/series kamailio-4.2.0/debian/patches/series --- kamailio-4.2.0/debian/patches/series 2016-03-21 00:23:37.000000000 +0100 +++ kamailio-4.2.0/debian/patches/series 2016-09-07 10:00:32.000000000 +0200 @@ -6,3 +6,4 @@ default_ctl.patch fix-mips.patch CVE-2016-2385.patch +fix_tls.patch
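
Review bot: in the debian/changelog hunk, the first entry line "* use my DD account \o/" does not say what changed in the package. The change it refers to is the Uploaders address in debian/control, so wording such as "* debian/control: update Uploaders address" would be clearer for a stable update. The second entry could also name the file it adds, debian/patches/fix_tls.patch, so the changelog can be matched against the new line in debian/patches/series.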
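
Review bot: in the tls_init.c change carried by debian/patches/fix_tls.patch, the comparison "(ssl_version>>12)!=(OPENSSL_VERSION_NUMBER>>12)" uses a bare 12, and the new code comment lists the 0xMMNNFFPPS layout without saying which fields the shift drops. The patch header does say it ("shift out the last 12bits, being the patch version and status"), so I would carry that sentence into the comment next to the comparison. "values is represented" should also read "value is represented". With the versions from the log above (0x1000114f installed, 0x100010bf compiled), the old shift by 8 compares 0x100011 with 0x100010 and fails, while the new shift by 12 sees 0x10001 on both sides, which matches the "After" result.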
Attachment:
kamailio_4.2.0-2+deb8u2_amd64.build.bz2
Description: BZip2 compressed data