Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: unblock Severity: normal The 2.1.8 release is a security fix that addresses a vulnerability found in the previous release. A debdiff against the current version in testing, 2.1.7-3, is attached. No changes other than addressing the vulnerability are part of the new release. The upstream changelog entry for the release (as can be seen in the attached debdiff) is: 2.1.8-1 - Security fix to verify certificates properly (EGI RT #12276): - Treat untrusted certificates properly in proxy_verify_cert_chain() - Override only openssl errors relevant to X.509 handling Mattias
diff -Nru canl-c-2.1.7/ChangeLog canl-c-2.1.8/ChangeLog
--- canl-c-2.1.7/ChangeLog 2016-08-19 10:20:47.000000000 +0200
+++ canl-c-2.1.8/ChangeLog 2017-02-23 22:16:26.000000000 +0100
@@ -135,3 +135,7 @@
2.1.7-1
- Quick fix to prevent RFC Proxy DN forgery (RT #11476)
+2.1.8-1
+- Security fix to verify certificates properly (EGI RT #12276):
+ - Treat untrusted certificates properly in proxy_verify_cert_chain()
+ - Override only openssl errors relevant to X.509 handling
diff -Nru canl-c-2.1.7/debian/changelog canl-c-2.1.8/debian/changelog
--- canl-c-2.1.7/debian/changelog 2016-12-23 15:14:18.000000000 +0100
+++ canl-c-2.1.8/debian/changelog 2017-03-22 15:56:11.000000000 +0100
@@ -1,3 +1,9 @@
+canl-c (2.1.8-1) unstable; urgency=medium
+
+ * Update to version 2.1.8
+
+ -- Mattias Ellert <mattias.ellert@physics.uu.se> Wed, 22 Mar 2017 15:56:11 +0100
+
canl-c (2.1.7-3) unstable; urgency=medium
* Reverse the order of conditional dependencies
diff -Nru canl-c-2.1.7/debian/control canl-c-2.1.8/debian/control
--- canl-c-2.1.7/debian/control 2016-12-23 15:13:43.000000000 +0100
+++ canl-c-2.1.8/debian/control 2017-03-22 15:56:11.000000000 +0100
@@ -4,7 +4,7 @@
Maintainer: Mattias Ellert <mattias.ellert@physics.uu.se>
Build-Depends: debhelper, bison, flex, libc-ares-dev, libkrb5-dev, libssl1.0-dev | libssl-dev (<< 1.1), libtool, libtool-bin, pkg-config, texlive-fonts-recommended, texlive-latex-extra, texlive-latex-recommended
Standards-Version: 3.9.8
-Homepage: http://www.eu-emi.eu/
+Homepage: https://github.com/CESNET/canl-c
Package: libcanl-c2
Section: libs
diff -Nru canl-c-2.1.7/debian/copyright canl-c-2.1.8/debian/copyright
--- canl-c-2.1.7/debian/copyright 2016-08-25 11:30:50.000000000 +0200
+++ canl-c-2.1.8/debian/copyright 2017-03-22 15:54:02.000000000 +0100
@@ -1,7 +1,7 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: canl-c
Upstream-Contact: CESNET Product Teams <emi-lb@metacentrum.cz>
-Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.7.tar.gz
+Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.8.tar.gz
Files: *
Copyright: 2004-2011 Members of the EGEE Collaboration
@@ -26,7 +26,7 @@
PURPOSE.
Files: debian/*
-Copyright: 2013-2016 Mattias Ellert
+Copyright: 2013-2017 Mattias Ellert
License: Apache-2.0
License: Apache-2.0
diff -Nru canl-c-2.1.7/project/version.properties canl-c-2.1.8/project/version.properties
--- canl-c-2.1.7/project/version.properties 2016-08-19 10:20:47.000000000 +0200
+++ canl-c-2.1.8/project/version.properties 2017-02-23 22:16:26.000000000 +0100
@@ -1,3 +1,3 @@
# $Header:
-module.version=2.1.7
+module.version=2.1.8
module.age=1
diff -Nru canl-c-2.1.7/src/proxy/sslutils.c canl-c-2.1.8/src/proxy/sslutils.c
--- canl-c-2.1.7/src/proxy/sslutils.c 2016-08-19 10:20:46.000000000 +0200
+++ canl-c-2.1.8/src/proxy/sslutils.c 2017-02-23 22:16:26.000000000 +0100
@@ -1934,20 +1934,7 @@
}
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
- /*
- * OpenSSL 1.0 causes the cert to be added twice to
- * the store.
- */
- if (proxy_check_proxy_name(ctx->cert) &&
- !X509_cmp(ctx->cert, ctx->current_cert))
- ok = 1;
- break;
-#endif
-
case X509_V_ERR_INVALID_CA:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
/*
* This may happen since proxy issuers are not CAs
*/
@@ -1966,14 +1953,6 @@
}
break;
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- case X509_V_ERR_CERT_UNTRUSTED:
- if (proxy_check_proxy_name(ctx->current_cert) > 0) {
- /* Server side, needed to fully recognize a proxy. */
- ok = 1;
- }
- break;
-
#ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
/* Proxies ARE allowed */
@@ -2291,50 +2270,26 @@
X509_STORE * cert_store = NULL;
X509_LOOKUP * lookup = NULL;
X509_STORE_CTX csc;
- X509 * xcert = NULL;
- X509 * scert = NULL;
int cscinitialized = 0;
- scert = ucert;
+ if (cert_chain == NULL)
+ goto err;
+
+ if (ucert == NULL)
+ ucert = sk_X509_value(cert_chain, 0);
+
if(!(cert_store = X509_STORE_new())){
goto err;
}
X509_STORE_set_verify_cb_func(cert_store, proxy_verify_callback);
- if (cert_chain != NULL)
- {
- int i =0;
- for (i=0;i<sk_X509_num(cert_chain);i++)
- {
- xcert = sk_X509_value(cert_chain,i);
- if (!scert)
- {
- scert = xcert;
- }
- else
- {
- int j = X509_STORE_add_cert(cert_store, xcert);
- if (!j)
- {
- if ((ERR_GET_REASON(ERR_peek_error()) ==
- X509_R_CERT_ALREADY_IN_HASH_TABLE))
- {
- ERR_clear_error();
- break;
- }
- else
- {
- /*DEE need errprhere */
- goto err;
- }
- }
- }
- }
- }
- if ((lookup = X509_STORE_add_lookup(cert_store,
- X509_LOOKUP_hash_dir())))
+
+ lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir());
+ if (lookup == NULL)
+ goto err;
+
{
X509_LOOKUP_add_dir(lookup,pvd->pvxd->certdir,X509_FILETYPE_PEM);
- X509_STORE_CTX_init(&csc,cert_store,scert,NULL);
+ X509_STORE_CTX_init(&csc, cert_store, ucert, cert_chain);
cscinitialized = 1;
#if SSLEAY_VERSION_NUMBER >= 0x0090600fL
/* override the check_issued with our version */
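Review bot: An empty but non-NULL `cert_chain` still reaches `X509_STORE_CTX_init` with a NULL certificate, because the new guard at the top of the hunk rejects only a NULL stack and `sk_X509_value(cert_chain, 0)` yields NULL for a zero-length one; tighten it to `if (cert_chain == NULL || sk_X509_num(cert_chain) <= 0) goto err;`. The return value of `X509_STORE_CTX_init` is also left unchecked while `cscinitialized = 1` is set unconditionally on the following line, so a failed init (where this OpenSSL version reports one) would presumably be cleaned up as if it had succeeded — checking it before setting the flag avoids that. The bare `{` that remains after the removed `if ((lookup = ...))` condition now opens a block with no purpose; dropping it together with its closing brace, which lies outside the hunk, would read more naturally. The enclosing function starts before the hunk and continues after it.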