
Bug#917880: stretch-pu: package kamailio/4.4.4-2+deb9u3



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu


The version in stable can't be used with TLS enabled due to #902452, which has
severity grave. If the user enables TLS, kamailio fails to start.

The upstream fix was included in version 4.4.6 [0]. The proposed update only includes that fix.

[0] https://github.com/kamailio/kamailio/commit/406c02f7b76ada56d6e1f73e763fecb05c1f51c5

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru kamailio-4.4.4/debian/changelog kamailio-4.4.4/debian/changelog
--- kamailio-4.4.4/debian/changelog	2018-09-07 23:15:42.000000000 +0200
+++ kamailio-4.4.4/debian/changelog	2018-12-31 10:28:23.000000000 +0100
@@ -1,3 +1,10 @@
+kamailio (4.4.4-2+deb9u4) stretch; urgency=medium
+
+  * fix kerberos and zlib check (Closes: #902452)
+    so TLS can be used again via kamailio-tls-modules
+
+ -- Victor Seva <vseva@debian.org>  Mon, 31 Dec 2018 10:28:23 +0100
+
 kamailio (4.4.4-2+deb9u3) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
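Review bot: The new 4.4.4-2+deb9u4 entry does not name the patch it adds or the upstream commit it comes from. Consider mentioning `upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch` in the bullet so the entry can be matched against `debian/patches/series` without reading the debdiff. The entry also stacks on top of the deb9u3 `stretch-security` upload shown as context, while the request subject still names deb9u3; the subject should carry the version being proposed.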
diff -Nru kamailio-4.4.4/debian/patches/series kamailio-4.4.4/debian/patches/series
--- kamailio-4.4.4/debian/patches/series	2018-09-07 23:15:42.000000000 +0200
+++ kamailio-4.4.4/debian/patches/series	2018-12-31 10:28:23.000000000 +0100
@@ -3,6 +3,7 @@
 upstream/0001-tmx-allocate-space-to-store-ending-0-for-branch-valu.patch
 upstream/0002-core-improve-to-header-check-guards-str-consists-of-.patch
 upstream/0001-core-improve-header-safe-guards-for-Via-handling.patch
+upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch
 #
 no_lib64_on_64_bits.patch
 no_INSTALL_file.patch
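Review bot: The added line is the third file under `upstream/` with a `0001-` prefix (next to `0001-tmx-...` and `0001-core-improve-header-...`), so the numeric prefix no longer conveys ordering. Application order is still fixed by position in `series`, so this is cosmetic, but a distinct prefix would make the patch easier to pick out in the directory listing.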
diff -Nru kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch
--- kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch	1970-01-01 01:00:00.000000000 +0100
+++ kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch	2018-12-31 10:28:23.000000000 +0100
@@ -0,0 +1,57 @@
+From 406c02f7b76ada56d6e1f73e763fecb05c1f51c5 Mon Sep 17 00:00:00 2001
+From: Daniel-Constantin Mierla <miconda@gmail.com>
+Date: Fri, 31 Mar 2017 12:56:52 +0200
+Subject: [PATCH] tls: do kerberos and zlib init checks only for libssl < 1.1.0
+
+- using string matching inside libssl compile flags is no longer
+  reliable
+- reported by GH #1050
+
+(cherry picked from commit e59fa823b7b9513d3d1adb958d5e8ec055082d83)
+(cherry picked from commit b12ac4ea9efae41b83a2664ea4f25b1d59bc2032)
+---
+ modules/tls/tls_init.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c
+index af2d4c54e..133bc7fc8 100644
+--- a/modules/tls/tls_init.c
++++ b/modules/tls/tls_init.c
+@@ -563,11 +563,13 @@ int init_tls_h(void)
+ {
+ 	/*struct socket_info* si;*/
+ 	long ssl_version;
++#if OPENSSL_VERSION_NUMBER < 0x010100000L
+ 	int lib_kerberos;
+ 	int lib_zlib;
+ 	int kerberos_support;
+ 	int comp_support;
+ 	const char* lib_cflags;
++#endif
+ 	int low_mem_threshold1;
+ 	int low_mem_threshold2;
+ 	str tls_grp;
+@@ -603,6 +605,10 @@ int init_tls_h(void)
+ 		else
+ 			return -1; /* safer to exit */
+ 	}
++
++/* check kerberos support using compile flags only for version < 1.1.0 */
++#if OPENSSL_VERSION_NUMBER < 0x010100000L
++
+ #ifdef TLS_KERBEROS_SUPPORT
+ 	kerberos_support=1;
+ #else
+@@ -672,6 +678,9 @@ int init_tls_h(void)
+ 			" kerberos support will be disabled...\n");
+ 	}
+ 	#endif
++
++#endif /* libssl version < 1.1.0 (OPENSSL_VERSION_NUMBER < 0x010100000L) */
++
+ 	/* set free memory threshold for openssl bug #1491 workaround */
+ 	low_mem_threshold1 = cfg_get(tls, tls_cfg, low_mem_threshold1);
+ 	low_mem_threshold2 = cfg_get(tls, tls_cfg, low_mem_threshold2);
+-- 
+2.19.2
+
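Review bot: The version constant in all three added preprocessor lines is written `0x010100000L`, with nine hex digits and a leading zero, instead of the usual eight-digit form `0x10100000L`. The value is the same, so the guard behaves as intended, but the odd spelling is easy to misread as a different version; since this is a verbatim cherry-pick it is reasonable to keep it, with that noted. Separately, the first inner hunk makes `lib_kerberos`, `lib_zlib`, `kerberos_support`, `comp_support` and `lib_cflags` conditional, while the guarded region opened in the second inner hunk and closed in the third spans lines not shown here. Please confirm against the full `tls_init.c` that none of these five variables is referenced outside that region, otherwise the build against libssl 1.1.0 or later will fail.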
