[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#827054: marked as done (jessie-pu: package openssl/1.0.1t-1+deb8u3)

Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #827054,
regarding jessie-pu: package openssl/1.0.1t-1+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
827054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827054
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'd like to update the version in stable for openssl.  See the
debdiff below.

The SSLv2 methods actually didn't exist in jessie, but some
defaults where changed and the SSLv2 methods now in jessie just
return NULL.  This removes the symbols again.  Exposing the
symbols in the headers actually seems to have broken something,
so this removes them again.  It was actually never the intention
to introduce those symbols again.

The other fix is a regression.

There are also some open CVEs in upstream git, but I'll wait with
those until there is actually a new release.


Kurt

diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
--- openssl-1.0.1t/debian/changelog	2016-05-15 21:16:55.000000000 +0200
+++ openssl-1.0.1t/debian/changelog	2016-06-11 19:20:02.000000000 +0200
@@ -1,3 +1,11 @@
+openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
+
+  * Disable SSLv2 methods again, changes upstream has split no-ssl2 into
+    no-ssl2 and no-ssl2-method
+  * Fix length check for CRLs. (Closes: #826552)
+
+ -- Kurt Roeckx <kurt@roeckx.be>  Sat, 11 Jun 2016 19:18:11 +0200
+
 openssl (1.0.1t-1+deb8u2) jessie; urgency=medium
 
   * add Update-S-MIME-certificates.patch to update expired certificates to
diff -Nru openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch
--- openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch	2016-06-11 19:16:05.000000000 +0200
@@ -0,0 +1,40 @@
+From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Wed, 4 May 2016 16:09:06 +0100
+Subject: [PATCH] Fix name length limit check.
+
+The name length limit check in x509_name_ex_d2i() includes
+the containing structure as well as the actual X509_NAME. This will
+cause large CRLs to be rejected.
+
+Fix by limiting the length passed to ASN1_item_ex_d2i() which will
+then return an error if the passed X509_NAME exceeds the length.
+
+RT#4531
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff)
+---
+ crypto/asn1/x_name.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
+index a858c29..26378fd 100644
+--- a/crypto/asn1/x_name.c
++++ b/crypto/asn1/x_name.c
+@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
+     int i, j, ret;
+     STACK_OF(X509_NAME_ENTRY) *entries;
+     X509_NAME_ENTRY *entry;
+-    if (len > X509_NAME_MAX) {
+-        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+-        return 0;
+-    }
++    if (len > X509_NAME_MAX)
++        len = X509_NAME_MAX;
+     q = p;
+ 
+     /* Get internal representation of Name */
+-- 
+2.8.1
+
diff -Nru openssl-1.0.1t/debian/patches/series openssl-1.0.1t/debian/patches/series
--- openssl-1.0.1t/debian/patches/series	2016-05-15 21:16:55.000000000 +0200
+++ openssl-1.0.1t/debian/patches/series	2016-06-11 19:19:06.000000000 +0200
@@ -20,3 +20,4 @@
 openssl_fix_for_x32.patch
 ppc64el.patch
 Update-S-MIME-certificates.patch
+Fix-name-length-limit-check.patch
diff -Nru openssl-1.0.1t/debian/rules openssl-1.0.1t/debian/rules
--- openssl-1.0.1t/debian/rules	2016-05-06 14:16:42.000000000 +0200
+++ openssl-1.0.1t/debian/rules	2016-06-11 19:18:36.000000000 +0200
@@ -26,7 +26,7 @@
 	export CROSS_COMPILE ?= $(DEB_HOST_GNU_TYPE)-
 endif
 
-CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib  enable-tlsext no-ssl2 no-ssl3
+CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl2-method no-ssl3
 OPT_alpha = ev4 ev5
 OPT_i386  = i586 i686/cmov
 ARCHOPTS  = OPT_$(DEB_HOST_ARCH)

--- End Message ---
--- Begin Message --- 
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: