
Bug#887399: marked as done (stretch-pu: package python-certbot/0.10.2-1)



Your message dated Thu, 24 Jan 2019 22:32:09 +0000
with message-id <E1gmnXd-000C7n-9F@fasolo.debian.org>
and subject line Bug#887399: fixed in python-certbot 0.28.0-1~deb9u1
has caused the Debian Bug report #887399,
regarding stretch-pu: package python-certbot/0.10.2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
887399: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887399
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello Release Team,

Due to a security issue in the underlying Let's Encrypt protocol, one of the main methods of getting certificates from Let's Encrypt has been disabled (the TLS-SNI-01 protocol; https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316 for more info).

This puts us in a bit of an awkward spot.  The upstream certbot provider is preparing to do a new release that has support for HTTP-01 inside the python-certbot-apache and python-certbot-nginx plugins, as well as the required work in python-acme and python-certbot (and certbot), but I'm not sure backporting the patches is realistic.  A lot of development has been done in the interim, both in the certbot packaging and in the upstream software.  Without those patches, users with the apache or nginx plugins will fail to update their certificates starting 2018-04-09.

I can talk to the certbot upstream to see if they'd be willing to help backport the patches (CCed), but initial conversations seem to indicate that doing so will be difficult.

The other approach that we can take is to backport the next version that supports the new challenge through to s-p-u and into stable.  I'm guessing that you will ask me to unwind the work I did to convert to python3 in the last release (sadface), but I can do that if that's what it needs to get this fixed in stable.

Gurus and Wise Ones, I beseech you for guidance!

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: python-certbot
Source-Version: 0.28.0-1~deb9u1

We believe that the bug you reported is fixed in the latest version of
python-certbot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887399@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Harlan Lieberman-Berg <hlieberman@debian.org> (supplier of updated python-certbot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 Dec 2018 19:21:09 -0500
Source: python-certbot
Binary: python3-certbot certbot python-certbot-doc letsencrypt
Architecture: source all
Version: 0.28.0-1~deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Let's Encrypt <team+letsencrypt@tracker.debian.org>
Changed-By: Harlan Lieberman-Berg <hlieberman@debian.org>
Description:
 certbot    - automatically configure HTTPS using Let's Encrypt
 letsencrypt - transitional dummy package
 python-certbot-doc - client documentation for certbot
 python3-certbot - main library for certbot
Closes: 887399
Changes:
 python-certbot (0.28.0-1~deb9u1) stretch; urgency=medium
 .
   * This stretch update is to cure the problem caused by the deprecation
     and disabling of the upstream TLS-SNI-01 certificate verification
     protocol due to a security vulnerability.  Note, the security
     vulnerability isn't in this package; rather, earlier versions of
     certbot are no longer functional due to changes in the interface that
     certbot uses to retrieve certificates. (Closes: #887399)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
