Bug#862784: marked as done (unblock: debian-edu-config/1.927)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Wed, 17 May 2017 05:45:00 +0000
with message-id <04bf09a8-2c2a-7b0a-ba2b-0850a34385dd@thykier.net>
and subject line Re: Bug#862784: unblock: debian-edu-config/1.927
has caused the Debian Bug report #862784,
regarding unblock: debian-edu-config/1.927
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
862784: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862784
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: debian-edu-config/1.927
• From: Holger Levsen <holger@debian.org>
• Date: Tue, 16 May 2017 23:28:27 +0200
• Message-id: <[🔎] 20170516212827.GA4299@layer-acht.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
x-debbugs-cc: debian-edu@lists.debian.org

Please unblock package debian-edu-config to fix the serious bug #862652 which
is a broken exim4 configuration due the security update for CVE-2016-151 in
exim4. Additional changes are minor cleanups to our testsuite.

unblock debian-edu-config/1.927

The full changelog is:

debian-edu-config (1.927) unstable; urgency=medium

  [ Wolfgang Schweer ]
  * Fix broken exim4 configuration, enable security. (Closes: #862652).
    - Add usr/share/debian-edu-config/tools/exim4-create-cert.
    - Add usr/share/debian-edu-config/tools/exim4-create-environment.
    - Adjust cf/cf.exim to use both scripts.
    - Adjust etc/exim4/exim-ldap-server-v4.conf.
      + Make it work after the exim4 security fix for CVE-2016-1531.
      + Improve security: create certificate to enable TLS, re-enable
        identity check via Kerberos; now only system mail to postmaster
        is enabled unconditionally; see #794602.
  * Fix typo in testsuite/network to use the correct LTSP-Server profile name.
  * Drop ddcprobe and ddccontrol related code from testsuite/hardware.
    - ddcprobe is part of the package xresprobe, not available in stretch.
    - ddccontrol belongs to package ddccontrol (monitor database unmaintained
      since > 10 years) which isn't installed by default.

 -- Holger Levsen <holger@debian.org>  Mon, 15 May 2017 18:15:45 +0200

$ debdiff debian-edu-config_1.926.dsc debian-edu-config_1.927.dsc|diffstat
 cf/cf.exim                                             |    5 +++
 debian/changelog                                       |   20 ++++++++++++++
 etc/exim4/exim-ldap-server-v4.conf                     |   17 +++++++++++-
 share/debian-edu-config/tools/exim4-create-cert        |   23 +++++++++++++++++
 share/debian-edu-config/tools/exim4-create-environment |   18 +++++++++++++
 testsuite/hardware                                     |    8 -----
 testsuite/network                                      |    2 -
 7 files changed, 82 insertions(+), 11 deletions(-)

The full debdiff is attached.

Thanks for your work on Stretch!


-- 
cheers,
	Holger

diff -Nru debian-edu-config-1.926/cf/cf.exim debian-edu-config-1.927/cf/cf.exim
--- debian-edu-config-1.926/cf/cf.exim	2017-01-13 13:11:08.000000000 +0100
+++ debian-edu-config-1.927/cf/cf.exim	2017-05-15 12:24:33.000000000 +0200
@@ -16,6 +16,11 @@
 shellcommands:
 
 
+  debian.server.installation::
+
+  "/usr/share/debian-edu-config/tools/exim4-create-cert"
+  "/usr/share/debian-edu-config/tools/exim4-create-environment"
+
   debian.installation::
 
     "/usr/sbin/exim4 -qff"
diff -Nru debian-edu-config-1.926/debian/changelog debian-edu-config-1.927/debian/changelog
--- debian-edu-config-1.926/debian/changelog	2017-04-27 19:23:11.000000000 +0200
+++ debian-edu-config-1.927/debian/changelog	2017-05-15 18:15:45.000000000 +0200
@@ -1,3 +1,23 @@
+debian-edu-config (1.927) unstable; urgency=medium
+
+  [ Wolfgang Schweer ]
+  * Fix broken exim4 configuration, enable security. (Closes: #862652).
+    - Add usr/share/debian-edu-config/tools/exim4-create-cert.
+    - Add usr/share/debian-edu-config/tools/exim4-create-environment.
+    - Adjust cf/cf.exim to use both scripts.
+    - Adjust etc/exim4/exim-ldap-server-v4.conf.
+      + Make it work after the exim4 security fix for CVE-2016-1531.
+      + Improve security: create certificate to enable TLS, re-enable
+        identity check via Kerberos; now only system mail to postmaster
+        is enabled unconditionally; see #794602.
+  * Fix typo in testsuite/network to use the correct LTSP-Server profile name.
+  * Drop ddcprobe and ddccontrol related code from testsuite/hardware.
+    - ddcprobe is part of the package xresprobe, not available in stretch.
+    - ddccontrol belongs to package ddccontrol (monitor database unmaintained
+      since > 10 years) which isn't installed by default.
+
+ -- Holger Levsen <holger@debian.org>  Mon, 15 May 2017 18:15:45 +0200
+
 debian-edu-config (1.926) unstable; urgency=medium
 
   [ Holger Levsen ]
diff -Nru debian-edu-config-1.926/etc/exim4/exim-ldap-server-v4.conf debian-edu-config-1.927/etc/exim4/exim-ldap-server-v4.conf
--- debian-edu-config-1.926/etc/exim4/exim-ldap-server-v4.conf	2016-05-18 19:44:48.000000000 +0200
+++ debian-edu-config-1.927/etc/exim4/exim-ldap-server-v4.conf	2017-05-15 12:54:29.000000000 +0200
@@ -7,8 +7,20 @@
 # Upgrade from v3 version by Maximilian Wilhelm <max@rfc2324.org>
 #  -- Sat, 11 Jun 2005 02:44:08 +0200
 #
+# Adjusted to work after the exim4 security fix for CVE-2016-1531.
+# Also improve security some more: enable TLS, re-enable identity check;
+# only system mail to postmaster is enabled unconditionally; see #794602.
+# -- Wolfgang Schweer <wschweer@arcor.de>, 2017-05-13.
 
 ##
+keep_environment = KRB5_KTNAME : PWD : ^LDAP
+tls_advertise_hosts = *
+tls_certificate = /etc/exim4/exim.crt
+tls_privatekey = /etc/exim4/exim.key
+daemon_smtp_ports = 25 : 587
+
+KRB5_KTNAME= /etc/krb5.keytab.smtp
+
 # LDAP Server info
 LDAPBASE = dc=skole,dc=skolelinux,dc=no
 LDAPSERVER = ldap
@@ -185,6 +197,7 @@
 
 # ACL that is used after the RCPT command
 acl_check_rcpt:
+  accept local_parts = postmaster
   # Exim 3 had no checking on -bs messages, so for compatibility
   # we accept if the source is local SMTP (i.e. not over TCP/IP).
   # We do this by testing for an empty sending host field.
@@ -192,15 +205,15 @@
   # Make sure users can not fake sender address vis SMTP.  Reject
   # unauthenticated connections and check that the sender is the same
   # as the Kerberos ID.
-  accept  hosts = :
-  accept  hosts = +relay_hosts
 
   deny  !authenticated = *
         message = SMTP server requires authentication. Check your SMTP client configuration.
   deny condition = ${if eq{$authenticated_id}{$sender_address_local_part@INTERN}{false}{true}}
         message = Sender address $sender_address conflicts with authentication $authenticated_id.
 
+  accept  hosts = :
   accept  domains = +local_domains
+  accept  hosts = +relay_hosts
   deny    message = relay not permitted
 
 # ACL that is used after the DATA command
diff -Nru debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-cert debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-cert
--- debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-cert	1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-cert	2017-05-15 12:54:29.000000000 +0200
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Create a self-signed certificate.
+# Taken in parts from a script by Andreas B. Mundt <andi@debian.org>.
+
+set -e
+
+TEMPLATE="/usr/share/ssl-cert/ssleay.cnf"
+CONF=$(mktemp)
+CERT="/etc/exim4/exim.crt"
+KEY="/etc/exim4/exim.key"
+
+if [ ! -f $CERT ] || [ ! -f $KEY ]; then
+    sed -e s#@HostName@#"postoffice.intern"# $TEMPLATE > $CONF
+    echo "subjectAltName=DNS:postoffice.intern,DNS:postoffice.intern" >> $CONF
+    openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
+    chmod 640 $KEY $CERT $CONF
+    chown root:Debian-exim $KEY $CERT
+else
+    echo "$CERT and $KEY already exist, skipping!"
+fi
+
+rm $CONF
diff -Nru debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-environment debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-environment
--- debian-edu-config-1.926/share/debian-edu-config/tools/exim4-create-environment	1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-1.927/share/debian-edu-config/tools/exim4-create-environment	2017-05-15 12:24:33.000000000 +0200
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Create Kerberos environment for exim4 chroot. This is needed
+# to cope with the exim4 security fix for CVE-2016-1531. 
+
+set -e
+
+DIR="/var/lib/exim4/etc"
+FILE="krb5.keytab.smtp"
+
+if [ ! -f $DIR/$FILE ]; then
+    if [ ! -d $DIR ] ; then
+	mkdir $DIR
+    fi
+fi
+cp /etc/$FILE $DIR
+chown Debian-exim:Debian-exim $DIR/$FILE
+echo "Successfully created the Exim4 environment."
diff -Nru debian-edu-config-1.926/testsuite/hardware debian-edu-config-1.927/testsuite/hardware
--- debian-edu-config-1.926/testsuite/hardware	2016-08-03 18:30:12.000000000 +0200
+++ debian-edu-config-1.927/testsuite/hardware	2017-05-14 10:42:56.000000000 +0200
@@ -44,13 +44,5 @@
     echo "error: $0: Unable to find /usr/sbin/dmidecode"
 fi
 
-if [ -x /usr/sbin/ddcprobe ] ; then
-    ddcprobe | sed "s%^%info: $0: ddcprobe: %"
-elif [ -x /usr/bin/ddccontrol ] ; then
-    ddccontrol -c -p | sed "s%^%info: $0: ddccontrol: %"
-else
-    echo "error: $0: Unable to find /usr/sbin/ddcprobe and /usr/bin/ddccontrol"
-fi
-
 isenkram-lookup | sed "s%^%info: $0: isenkram-lookup: %"
 isenkram-autoinstall-firmware -l | sed "s%^%info: $0: isenkram-autoinstall-firmware: %"
diff -Nru debian-edu-config-1.926/testsuite/network debian-edu-config-1.927/testsuite/network
--- debian-edu-config-1.926/testsuite/network	2017-01-13 13:11:08.000000000 +0100
+++ debian-edu-config-1.927/testsuite/network	2017-05-14 10:42:56.000000000 +0200
@@ -78,7 +78,7 @@
         networked=true
         workstation=true
         ;;
-      LTSP-server)
+      LTSP-Server)
         networked=true
         workstation=true
         ltspserver=true

Attachment: signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

• To: Holger Levsen <holger@debian.org>, 862784-done@bugs.debian.org
• Subject: Re: Bug#862784: unblock: debian-edu-config/1.927
• From: Niels Thykier <niels@thykier.net>
• Date: Wed, 17 May 2017 05:45:00 +0000
• Message-id: <04bf09a8-2c2a-7b0a-ba2b-0850a34385dd@thykier.net>
• In-reply-to: <[🔎] 20170516212827.GA4299@layer-acht.org>
• References: <[🔎] 20170516212827.GA4299@layer-acht.org>

Holger Levsen:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> x-debbugs-cc: debian-edu@lists.debian.org
> 
> Please unblock package debian-edu-config to fix the serious bug #862652 which
> is a broken exim4 configuration due the security update for CVE-2016-151 in
> exim4. Additional changes are minor cleanups to our testsuite.
> 
> unblock debian-edu-config/1.927
> 
> The full changelog is:
> 
> [...]
> 
> The full debdiff is attached.
> 
> Thanks for your work on Stretch!
> 
> 

Unblocked, thanks.

~Niels

--- End Message ---