Bug#962160: buster-pu: package pagekite/0.5.9.3-2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This update proposes to fix bug #961984. Pagekite shipped certificates
internally which are now expired (as of 2020-05-31). All users of Pagekite are
unable to use the package securely as it can no longer make TLS connections to
frontend servers. This update makes Pagekite use Debian certificate database
instead of internal certificates (by shipping an additional configuration
file). Further information from upstream:
https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/
The fix has been uploaded to unstable as part of pagekite/1.5.2.200531-1.
Source debdiff is attached. The patch has been tested as follows:
Installed and configured Pagekite on Debian Buster. In logs it shows that it is
unable to connect to the frontend server due TLS connection failures. Upgraded
to Pagkite with fix. Pagekite automatically restarts and connects properly to
the frontend server as per logs. The services on the Pagekite domain become
available after that.
This is an urgent fix that must go into stable-updates because the package
becomes unusable to most users without the fix.
Please let know if you need any more information.
Thanks,
- --
Sunil
- -- System Information:
Debian Release: 10.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8),
LANGUAGE=en_IN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEE5xPDY9ZyWnWupXSBQ+oc/wqnxfIFAl7Yb5oRHHN1bmlsQG1l
ZGhhcy5vcmcACgkQQ+oc/wqnxfJEtRAAgQZWqu+XGN6HSgnZzoJdAhHreeHmqqNQ
S55/Du+xKopP0nx9Inup65SkdUwXCbwKqfdOMrgpvApAkMNa05abxcR9SQ8fi+ex
3kaaQm7DoC9tmlFnVe7bDyozHXbkOYoywj+bBbdTMYpQkezrSNNgZv7w14Du3wio
44acL6gqiUUPoG5wsBg664aWVtNpGKO7FQZpLN72FsTeE8XGN5seERIb/Cw6xU9m
S9/1qF5C/HajuZLkkcVPQBXDt+MGc5KS8L3PJiKqyNcxnfZ+x/WFcSfBrXDLoLVJ
Ga1ZMcs8U4gggEzSjgZTYn0oy5kWeRcAofhmTBjecRS64SUcHLM41KZHfir9Gkd+
QrZH8PMJSapzUiORA1ahhE1tvX5VYeHfLXpSts4nK8z+NTIjpuRiT86nN11vOSag
9eN6gh3INiD7RbmBGtOpTkSV6Dv33bP7YQxwIRns0YZ6d73Gocjby14d1NuUwcNQ
shgK2wXt3PwadKYaadBv2YPZIgtJDat/niVb9mMbJJl/EqUxou5vfiOqJzhdXYI0
IHjYBeSAZGJwrmUGO4IwO/SMkMViJwuODsJjVS++Ws4ba4ubeBuWfAWarxcXQwtL
Lhu6aZxTlecPUTLYghWY1jOqe67Xy9nfp6SMNt6hizy9tN9QntInzk2pbbWzi01m
oqSgncIG2A0=
=MHb2
-----END PGP SIGNATURE-----
diff -Nru pagekite-0.5.9.3/debian/changelog pagekite-0.5.9.3/debian/changelog
--- pagekite-0.5.9.3/debian/changelog 2018-03-30 07:54:06.000000000 -0700
+++ pagekite-0.5.9.3/debian/changelog 2020-06-03 18:10:32.000000000 -0700
@@ -1,3 +1,10 @@
+pagekite (0.5.9.3-2+deb10u1) UNRELEASED; urgency=medium
+
+ * Fix issue with expired internal certificates. Use
+ Debian certificates instead of internal certificate. (Closes: #961984)
+
+ -- Sunil Mohan Adapa <sunil@medhas.org> Wed, 03 Jun 2020 18:10:32 -0700
+
pagekite (0.5.9.3-2) unstable; urgency=medium
[ Petter Reinholdtsen ]
diff -Nru pagekite-0.5.9.3/debian/control pagekite-0.5.9.3/debian/control
--- pagekite-0.5.9.3/debian/control 2018-03-30 07:54:06.000000000 -0700
+++ pagekite-0.5.9.3/debian/control 2020-06-03 18:10:32.000000000 -0700
@@ -23,6 +23,7 @@
Package: pagekite
Architecture: all
Depends: ${misc:Depends}, ${python:Depends}
+ , ca-certificates
, daemon (>= 0.6)
, python-socksipychain (>= 2.0.15)
, python-openssl
diff -Nru pagekite-0.5.9.3/debian/patches/0002-use-debian-certificates.patch pagekite-0.5.9.3/debian/patches/0002-use-debian-certificates.patch
--- pagekite-0.5.9.3/debian/patches/0002-use-debian-certificates.patch 1969-12-31 16:00:00.000000000 -0800
+++ pagekite-0.5.9.3/debian/patches/0002-use-debian-certificates.patch 2020-06-03 18:10:32.000000000 -0700
@@ -0,0 +1,18 @@
+Description: Use Debian certificates instead of internal certificates
+ This is to make Pagekite use certificates shipped by Debian. Otherwise by
+ default, it uses internallly shipped certificates that may be outdated. See:
+ https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/
+Author: Sunil Mohan Adapa <sunil@medhas.org>
+
+--- /dev/null
++++ b/etc/pagekite.d/90_debian_certs.rc
+@@ -0,0 +1,9 @@
++#
++# This is to make Pagekite use certificates shipped by Debian. Otherwise by
++# default, it uses internallly shipped certificates that may be outdated. See:
++# https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/
++#
++# If you wish to override this setting, create another file starting with a
++# number higher than 90.
++#
++ca_certs = /etc/ssl/certs/ca-certificates.crt
diff -Nru pagekite-0.5.9.3/debian/patches/series pagekite-0.5.9.3/debian/patches/series
--- pagekite-0.5.9.3/debian/patches/series 2018-03-30 07:54:06.000000000 -0700
+++ pagekite-0.5.9.3/debian/patches/series 2020-06-03 18:10:32.000000000 -0700
@@ -1,2 +1,3 @@
002-reproducible-build.patch
003-manpage-no-ver-in-whatis.patch
+0002-use-debian-certificates.patch
Reply to: