
Bug#925083: marked as done (unblock: nsca-ng/1.5-4)



Your message dated Sat, 23 Mar 2019 16:28:14 +0000
with message-id <20190323162814.GA1767@powdarrmonkey.net>
and subject line Re: Bug#925083: unblock: nsca-ng/1.5-4
has caused the Debian Bug report #925083,
regarding unblock: nsca-ng/1.5-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
925083: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925083
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package nsca-ng 1.5-4.

It cherry-picks the OpenSSL 1.1.1 change from the 1.6 release available
in experimental.

unblock nsca-ng/1.5-4

Kind Regards,

Bas
diff -Nru nsca-ng-1.5/debian/changelog nsca-ng-1.5/debian/changelog
--- nsca-ng-1.5/debian/changelog	2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/changelog	2019-03-19 18:32:59.000000000 +0100
@@ -1,3 +1,14 @@
+nsca-ng (1.5-4) unstable; urgency=medium
+
+  * Team upload.
+  * Drop autopkgtest to test installability.
+  * Add lintian override for testsuite-autopkgtest-missing.
+  * Bump Standards-Version to 4.3.0, no changes.
+  * Add upstream patch to fix FTBFS with OpenSSL 1.1.1.
+    (closes: #900152)
+
+ -- Bas Couwenberg <sebastic@debian.org>  Tue, 19 Mar 2019 18:32:59 +0100
+
 nsca-ng (1.5-3) unstable; urgency=medium
 
   * Team upload.
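Review bot: The entry "Add upstream patch to fix FTBFS with OpenSSL 1.1.1" does not match the patch header in this same debdiff, which describes SSL_get_psk_identity(3) returning NULL at run time under TLSv1.3. Either say how that NULL return turns into a build failure, or name the actual change (the PSK identity is now stored in the SSL object), so the unblock can be judged from the changelog alone. "Drop autopkgtest to test installability" would also benefit from a stated reason.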
diff -Nru nsca-ng-1.5/debian/control nsca-ng-1.5/debian/control
--- nsca-ng-1.5/debian/control	2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/control	2019-03-19 18:29:13.000000000 +0100
@@ -10,7 +10,7 @@
                libbsd-dev,
                libssl-dev,
                libsystemd-dev
-Standards-Version: 4.1.5
+Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-nsca-ng
 Vcs-Git: https://salsa.debian.org/nagios-team/pkg-nsca-ng.git
 Homepage: http://www.nsca-ng.org/
diff -Nru nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
--- nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch	1970-01-01 01:00:00.000000000 +0100
+++ nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch	2019-03-19 18:31:41.000000000 +0100
@@ -0,0 +1,77 @@
+Description: Work around TLSv1.3 PSK bug in OpenSSL 1.1.1
+ When TLSv1.3 is used with (at least) OpenSSL 1.1.1b, the
+ SSL_get_psk_identity(3) unexpectedly returns NULL.  Work around this
+ issue be storing a copy of the PSK identity into the SSL object.
+From: Holger Weiß <holger@weiss.in-berlin.de>
+Origin :https://github.com/weiss/nsca-ng/commit/7d9ca3413e661c0ac8a020bf674d16c3af4ebccb
+Bug: https://github.com/weiss/nsca-ng/issues/4
+Bug-Debian: https://bugs.debian.org/900152
+
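Review bot: The patch header has "Origin :https://github.com/..." with the space before the colon instead of after it, so anything that parses the header fields may not recognise an Origin field at all; write it as "Origin: https://...". The description also reads "Work around this issue be storing", which should be "by storing".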
+--- a/src/common/tls.c
++++ b/src/common/tls.c
+@@ -530,6 +530,8 @@ tls_free(tls_state *tls)
+ 		free(tls->output);
+ 	if (tls->addr != NULL)
+ 		free(tls->addr);
++	if (tls->id != NULL)
++		free(tls->id);
+ 	if (tls->peer != NULL)
+ 		free(tls->peer);
+ 	if (tls->ssl != NULL)
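Review bot: Freeing tls->id in tls_free() only covers the case where accept_ssl_cb() has already taken the pointer out of the SSL object. check_psk() parks the xstrdup() copy in the SSL object during the handshake, so when the handshake fails after that point tls->id is still NULL and nothing in the visible lines frees the copy. Consider also freeing SSL_get_app_data(tls->ssl) here when tls->id is NULL, before the SSL object itself is released.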
+@@ -632,7 +634,7 @@ accept_ssl_cb(EV_P_ ev_io *w, int revent
+ 		debug("TLS handshake with %s not (yet) successful", tls->addr);
+ 		check_tls_error(EV_A_ w, result);
+ 	} else { /* The TLS connection is established. */
+-		if ((tls->id = SSL_get_psk_identity(tls->ssl)) == NULL) {
++		if ((tls->id = SSL_get_app_data(tls->ssl)) == NULL) {
+ 			error("Cannot retrieve client identity");
+ 			tls_free(tls);
+ 		} else {
+--- a/src/common/tls.h
++++ b/src/common/tls.h
+@@ -61,7 +61,7 @@
+ typedef struct tls_state_s {
+ /* public: */
+ 	void *data;     /* Can freely be used by the caller. */
+-	const char *id; /* Client ID (e.g., "foo"). */
++	char *id;       /* Client ID (e.g., "foo"). */
+ 	char *addr;     /* Client IP address (e.g., "192.0.2.2"). */
+ 	char *peer;     /* Client ID and IP address (e.g., "foo@192.0.2.2"). */
+ 
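Review bot: Dropping const from id changes its ownership, but the field comment still only says "Client ID". Together with the tls_free() hunk, id is now a heap copy that tls_state owns and frees, so the comment should say so, and any other place that assigns tls->id must hand over memory that is safe to pass to free().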
+--- a/src/server/auth.c
++++ b/src/server/auth.c
+@@ -41,6 +41,7 @@
+ #include "log.h"
+ #include "system.h"
+ #include "util.h"
++#include "wrappers.h"
+ 
+ static bool match(regex_t * restrict, const char * restrict);
+ 
+@@ -49,8 +50,8 @@ static bool match(regex_t * restrict, co
+  */
+ 
+ unsigned int
+-check_psk(SSL *ssl __attribute__((__unused__)), const char *identity,
+-          unsigned char *password, unsigned int max_password_len)
++check_psk(SSL *ssl, const char *identity, unsigned char *password,
++          unsigned int max_password_len)
+ {
+ 	cfg_t *auth;
+ 	const char *configured_pw;
+@@ -63,6 +64,15 @@ check_psk(SSL *ssl __attribute__((__unus
+ 	}
+ 	debug("Verifying key provided by %s", identity);
+ 
++	/*
++	 * With (at least) OpenSSL 1.1.1b, SSL_get_psk_identity(3) returns NULL
++	 * when TLSv1.3 is used.  As a workaround, we store the ID ourselves:
++	 */
++	if (SSL_set_app_data(ssl, xstrdup(identity)) != 1) {
++		error("Cannot store client-supplied ID (`%s')", identity);
++		return 0;
++	}
++
+ 	configured_pw = cfg_getstr(auth, "password");
+ 	password_len = MIN(strlen(configured_pw), max_password_len);
+ 	(void)memcpy(password, configured_pw, password_len);
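Review bot: The xstrdup(identity) result in the new check_psk() block is passed straight into SSL_set_app_data() and never kept in a local, so it leaks on the failure branch that logs "Cannot store client-supplied ID" and returns 0. The same happens if this callback runs more than once for one SSL object, because the second call overwrites the stored pointer without freeing the first copy. Hold the copy in a local variable, free any value already returned by SSL_get_app_data(ssl) before storing, and free the local when the store fails. The new block should also note that the identity is stored before the key has been checked, so accept_ssl_cb() must only read it after a successful handshake, as it does in this patch.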
diff -Nru nsca-ng-1.5/debian/patches/series nsca-ng-1.5/debian/patches/series
--- nsca-ng-1.5/debian/patches/series	2016-12-03 22:51:15.000000000 +0100
+++ nsca-ng-1.5/debian/patches/series	2019-03-19 18:31:35.000000000 +0100
@@ -1 +1,2 @@
 nsca-ng.cfg_debian_config
+0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
diff -Nru nsca-ng-1.5/debian/source/lintian-overrides nsca-ng-1.5/debian/source/lintian-overrides
--- nsca-ng-1.5/debian/source/lintian-overrides	2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/source/lintian-overrides	2019-03-19 18:29:13.000000000 +0100
@@ -1,3 +1,6 @@
 # Not available via HTTPS.
 debian-watch-uses-insecure-uri *
 
+# Not worth the effort
+testsuite-autopkgtest-missing
+
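Review bot: The override comment "# Not worth the effort" gives no reason a later maintainer or the release team can evaluate, and it is paired with deleting debian/tests/control in the same upload. State why the installability test was dropped (and why no replacement test is planned) in the comment or the changelog. Since this debdiff is attached to an unblock request, consider leaving both changes out so the diff is limited to the OpenSSL 1.1.1 fix.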
diff -Nru nsca-ng-1.5/debian/tests/control nsca-ng-1.5/debian/tests/control
--- nsca-ng-1.5/debian/tests/control	2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/tests/control	1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# Test installability
-Depends: @
-Test-Command: /bin/true

--- End Message ---
--- Begin Message ---
On Sat, Mar 23, 2019 at 04:57:59PM +0100, Sebastiaan Couwenberg wrote:
> The fix for the RC bug that caused the removal from testing only became
> available now.
> 
> That's probably not good enough, but the best we could do to try to have
> nsca-ng available in buster.
> 
> Feel free to close this issue if you'd rather ship buster without nsca-ng.

Given its seemingly limited popularity and the need for responsive
maintenance for ~6 years, I do think this would live better in
buster-backports when it opens.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
