
Bug#933369: buster-pu: package dma/0.11-1+deb10u1

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

dma currently uses the TLSv1_client_method() function, which means that it
only supports TLS 1.0, which is considered deprecated (and forbidden by
PCI certification).

From what I can read, major providers are planning to remove support for
TLS 1.0 and TLS 1.1 during 2020.

The attached patches (cherry-picked from upstream) switch to the
"version-flexible" function (TLS_client_method()).

Could this be included in buster?

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy
diff -Nru dma-0.11/debian/changelog dma-0.11/debian/changelog
--- dma-0.11/debian/changelog	2016-05-29 12:29:47.000000000 +0200
+++ dma-0.11/debian/changelog	2019-07-29 20:56:49.000000000 +0200
@@ -1,3 +1,12 @@
+dma (0.11-1+deb10u1) buster; urgency=medium
+
+  * d/p/0002-crypto-Don-t-limit-to-TLSv1-only.patch: Do not limit SSL
+    connection to TLSv1 (Closes: #871429)
+  * d/p/0003-properly-deal-with-SSL_connect-return-value.patch: Properly check
+    the return code of SSL_connect()
+
+ -- Laurent Bigonville <bigon@debian.org>  Mon, 29 Jul 2019 20:56:49 +0200
+
 dma (0.11-1) unstable; urgency=medium
 
   [ Arno Töll ]
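Review bot: the changelog entry does not record where the two patches come from, even though the cover mail says they are cherry-picked from upstream; each bullet should name the upstream commit, or at least the author and date from the patch header (Michael Tremer, 2018-02-11; Simon Schubert, 2018-09-13), so the release team can trace them. Also, the first bullet says "SSL connection" while the change is about which TLS protocol versions are offered; "TLS connection" would be the more accurate wording.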
diff -Nru dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch
--- dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch	1970-01-01 01:00:00.000000000 +0100
+++ dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch	2019-07-29 20:56:49.000000000 +0200
@@ -0,0 +1,27 @@
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 11 Feb 2018 11:05:43 +0000
+Subject: crypto: Don't limit to TLSv1 only
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ crypto.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto.c b/crypto.c
+index 897b55b..440c882 100644
+--- a/crypto.c
++++ b/crypto.c
+@@ -93,7 +93,12 @@ smtp_init_crypto(int fd, int feature)
+ 	SSL_library_init();
+ 	SSL_load_error_strings();
+ 
+-	meth = TLSv1_client_method();
++	// Allow any possible version
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
++	meth = TLS_client_method();
++#else
++	meth = SSLv23_client_method();
++#endif
+ 
+ 	ctx = SSL_CTX_new(meth);
+ 	if (ctx == NULL) {
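Review bot: the new code still sets no minimum protocol version, so with TLS_client_method() the client will continue to negotiate TLS 1.0 or 1.1 against a server that offers nothing better, which is exactly the deprecation the cover mail cites; consider adding `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);` (available since OpenSSL 1.1.0, and buster ships 1.1.1, so the `#if` branch is the one that matters here) after the `ctx = SSL_CTX_new(meth);` line shown in context. For the `#else` branch, SSLv23_client_method() on older libraries also permits SSLv3 where it is still compiled in, so that branch should at least be paired with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)`. Minor style point: the `// Allow any possible version` comment uses C++ style, while the surrounding crypto.c uses `/* ... */` (see the context of the second patch).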
diff -Nru dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch
--- dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch	1970-01-01 01:00:00.000000000 +0100
+++ dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch	2019-07-29 20:56:49.000000000 +0200
@@ -0,0 +1,22 @@
+From: Simon Schubert <2@0x2c.org>
+Date: Thu, 13 Sep 2018 16:44:50 +0200
+Subject: properly deal with SSL_connect() return value
+
+Submitted-by: lc3412
+---
+ crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto.c b/crypto.c
+index 440c882..ef08144 100644
+--- a/crypto.c
++++ b/crypto.c
+@@ -160,7 +160,7 @@ smtp_init_crypto(int fd, int feature)
+ 
+ 	/* Open SSL connection */
+ 	error = SSL_connect(config.ssl);
+-	if (error < 0) {
++	if (error != 1) {
+ 		syslog(LOG_ERR, "remote delivery deferred: SSL handshake failed fatally: %s",
+ 		       ssl_errstr());
+ 		return (1);
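Review bot: the new `error != 1` test correctly treats a return of 0 (the peer shut the connection down during the handshake, which `error < 0` let through as success) as a failure, but the log line then reports both cases as "failed fatally" using only `ssl_errstr()`, which reads the OpenSSL error queue; for the 0 case that queue can be empty and the message becomes uninformative. Consider logging `SSL_get_error(config.ssl, error)` alongside it so a deferred delivery can be told apart as a protocol error versus a clean shutdown or EOF.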
diff -Nru dma-0.11/debian/patches/series dma-0.11/debian/patches/series
--- dma-0.11/debian/patches/series	2016-05-29 12:29:47.000000000 +0200
+++ dma-0.11/debian/patches/series	2019-07-29 20:56:49.000000000 +0200
@@ -1,2 +1,3 @@
 03-debian-locations.patch
-#10-liblockfile.patch
+0002-crypto-Don-t-limit-to-TLSv1-only.patch
+0003-properly-deal-with-SSL_connect-return-value.patch
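Review bot: this hunk also drops the commented-out `#10-liblockfile.patch` line, an unrelated cleanup that the changelog entry does not mention; for a stable update keep the diff minimal and leave that line alone, or note the removal in the changelog. Patch naming is also mixed (`03-...` for the existing patch, `0002-`/`0003-` for the new ones); harmless, since only the order in series matters, but worth aligning.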
