Your message dated Thu, 30 Mar 2017 20:17:00 +0000 with message-id <25241973-4e4a-722d-228a-4c45e48bec60@thykier.net> and subject line Re: Bug#858907: unblock: canl-c/2.1.8-1 has caused the Debian Bug report #858907, regarding unblock: canl-c/2.1.8-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 858907: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858907 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: <submit@bugs.debian.org>
- Subject: unblock: canl-c/2.1.8-1
- From: Mattias Ellert <mattias.ellert@physics.uu.se>
- Date: Tue, 28 Mar 2017 15:18:51 +0200
- Message-id: <[🔎] 1490707131.10083.0.camel@physics.uu.se>
Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: unblock Severity: normal The 2.1.8 release is a security fix that addresses a vulnerability found in the previous release. Debdiff from the current version in testing 2.1.7-3 is attached. No other changes than addressing the vulnerability is part of the new release. The upstream changelog entry for the release (as can be seen in the attached debdiff) is: 2.1.8-1 - Security fix to verify certificates properly (EGI RT #12276): - Treat untrusted certificates properly in proxy_verify_cert_chain() - Override only openssl errors relevant to X.509 handling Mattiasdiff -Nru canl-c-2.1.7/ChangeLog canl-c-2.1.8/ChangeLog --- canl-c-2.1.7/ChangeLog 2016-08-19 10:20:47.000000000 +0200 +++ canl-c-2.1.8/ChangeLog 2017-02-23 22:16:26.000000000 +0100 @@ -135,3 +135,7 @@ 2.1.7-1 - Quick fix to prevent RFC Proxy DN forgery (RT #11476) +2.1.8-1 +- Security fix to verify certificates properly (EGI RT #12276): + - Treat untrusted certificates properly in proxy_verify_cert_chain() + - Override only openssl errors relevant to X.509 handling diff -Nru canl-c-2.1.7/debian/changelog canl-c-2.1.8/debian/changelog --- canl-c-2.1.7/debian/changelog 2016-12-23 15:14:18.000000000 +0100 +++ canl-c-2.1.8/debian/changelog 2017-03-22 15:56:11.000000000 +0100 @@ -1,3 +1,9 @@ +canl-c (2.1.8-1) unstable; urgency=medium + + * Update to version 2.1.8 + + -- Mattias Ellert <mattias.ellert@physics.uu.se> Wed, 22 Mar 2017 15:56:11 +0100 + canl-c (2.1.7-3) unstable; urgency=medium * Reverse the order of conditional dependencies diff -Nru canl-c-2.1.7/debian/control canl-c-2.1.8/debian/control --- canl-c-2.1.7/debian/control 2016-12-23 15:13:43.000000000 +0100 +++ canl-c-2.1.8/debian/control 2017-03-22 15:56:11.000000000 +0100 @@ -4,7 +4,7 @@ Maintainer: Mattias Ellert <mattias.ellert@physics.uu.se> Build-Depends: debhelper, bison, flex, libc-ares-dev, libkrb5-dev, libssl1.0-dev | libssl-dev (<< 1.1), libtool, libtool-bin, pkg-config, texlive-fonts-recommended, texlive-latex-extra, texlive-latex-recommended Standards-Version: 3.9.8 -Homepage: http://www.eu-emi.eu/ +Homepage: https://github.com/CESNET/canl-c Package: libcanl-c2 Section: libs diff -Nru canl-c-2.1.7/debian/copyright canl-c-2.1.8/debian/copyright --- canl-c-2.1.7/debian/copyright 2016-08-25 11:30:50.000000000 +0200 +++ canl-c-2.1.8/debian/copyright 2017-03-22 15:54:02.000000000 +0100 @@ -1,7 +1,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: canl-c Upstream-Contact: CESNET Product Teams <emi-lb@metacentrum.cz> -Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.7.tar.gz +Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.8.tar.gz Files: * Copyright: 2004-2011 Members of the EGEE Collaboration @@ -26,7 +26,7 @@ PURPOSE. Files: debian/* -Copyright: 2013-2016 Mattias Ellert +Copyright: 2013-2017 Mattias Ellert License: Apache-2.0 License: Apache-2.0 diff -Nru canl-c-2.1.7/project/version.properties canl-c-2.1.8/project/version.properties --- canl-c-2.1.7/project/version.properties 2016-08-19 10:20:47.000000000 +0200 +++ canl-c-2.1.8/project/version.properties 2017-02-23 22:16:26.000000000 +0100 @@ -1,3 +1,3 @@ # $Header: -module.version=2.1.7 +module.version=2.1.8 module.age=1 diff -Nru canl-c-2.1.7/src/proxy/sslutils.c canl-c-2.1.8/src/proxy/sslutils.c --- canl-c-2.1.7/src/proxy/sslutils.c 2016-08-19 10:20:46.000000000 +0200 +++ canl-c-2.1.8/src/proxy/sslutils.c 2017-02-23 22:16:26.000000000 +0100 @@ -1934,20 +1934,7 @@ } #endif -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: - /* - * OpenSSL 1.0 causes the cert to be added twice to - * the store. - */ - if (proxy_check_proxy_name(ctx->cert) && - !X509_cmp(ctx->cert, ctx->current_cert)) - ok = 1; - break; -#endif - case X509_V_ERR_INVALID_CA: - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: /* * This may happen since proxy issuers are not CAs */ @@ -1966,14 +1953,6 @@ } break; - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: - case X509_V_ERR_CERT_UNTRUSTED: - if (proxy_check_proxy_name(ctx->current_cert) > 0) { - /* Server side, needed to fully recognize a proxy. */ - ok = 1; - } - break; - #ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: /* Proxies ARE allowed */ @@ -2291,50 +2270,26 @@ X509_STORE * cert_store = NULL; X509_LOOKUP * lookup = NULL; X509_STORE_CTX csc; - X509 * xcert = NULL; - X509 * scert = NULL; int cscinitialized = 0; - scert = ucert; + if (cert_chain == NULL) + goto err; + + if (ucert == NULL) + ucert = sk_X509_value(cert_chain, 0); + if(!(cert_store = X509_STORE_new())){ goto err; } X509_STORE_set_verify_cb_func(cert_store, proxy_verify_callback); - if (cert_chain != NULL) - { - int i =0; - for (i=0;i<sk_X509_num(cert_chain);i++) - { - xcert = sk_X509_value(cert_chain,i); - if (!scert) - { - scert = xcert; - } - else - { - int j = X509_STORE_add_cert(cert_store, xcert); - if (!j) - { - if ((ERR_GET_REASON(ERR_peek_error()) == - X509_R_CERT_ALREADY_IN_HASH_TABLE)) - { - ERR_clear_error(); - break; - } - else - { - /*DEE need errprhere */ - goto err; - } - } - } - } - } - if ((lookup = X509_STORE_add_lookup(cert_store, - X509_LOOKUP_hash_dir()))) + + lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir()); + if (lookup == NULL) + goto err; + { X509_LOOKUP_add_dir(lookup,pvd->pvxd->certdir,X509_FILETYPE_PEM); - X509_STORE_CTX_init(&csc,cert_store,scert,NULL); + X509_STORE_CTX_init(&csc, cert_store, ucert, cert_chain); cscinitialized = 1; #if SSLEAY_VERSION_NUMBER >= 0x0090600fL /* override the check_issued with our version */Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
- To: Mattias Ellert <mattias.ellert@physics.uu.se>, 858907-done@bugs.debian.org
- Subject: Re: Bug#858907: unblock: canl-c/2.1.8-1
- From: Niels Thykier <niels@thykier.net>
- Date: Thu, 30 Mar 2017 20:17:00 +0000
- Message-id: <25241973-4e4a-722d-228a-4c45e48bec60@thykier.net>
- In-reply-to: <[🔎] 1490707131.10083.0.camel@physics.uu.se>
- References: <[🔎] 1490707131.10083.0.camel@physics.uu.se>
Mattias Ellert: > Package: release.debian.org > User: release.debian.org@packages.debian.org > Usertags: unblock > Severity: normal > > The 2.1.8 release is a security fix that addresses a vulnerability > found in the previous release. > > Debdiff from the current version in testing 2.1.7-3 is attached. > > No other changes than addressing the vulnerability is part of the new > release. The upstream changelog entry for the release (as can be seen > in the attached debdiff) is: > > 2.1.8-1 > - Security fix to verify certificates properly (EGI RT #12276): > - Treat untrusted certificates properly in proxy_verify_cert_chain() > - Override only openssl errors relevant to X.509 handling > > Mattias > Unblocked, thanks. ~Niels
--- End Message ---