Bug#955860: buster-pu: package csync2/2.0-22-gce67c55-1+deb10u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#955860: buster-pu: package csync2/2.0-22-gce67c55-1+deb10u1
From: Valentin Vidic <vvidic@debian.org>
Date: Sun, 5 Apr 2020 15:24:26 +0200
Message-id: <[🔎] 20200405132426.GZ5449@valentin-vidic.from.hr>
Reply-to: Valentin Vidic <vvidic@debian.org>, 955860@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please approve the following update for buster fixing a CVE:

diff -Nru csync2-2.0-22-gce67c55/debian/changelog csync2-2.0-22-gce67c55/debian/changelog
--- csync2-2.0-22-gce67c55/debian/changelog	2018-10-06 23:05:46.000000000 +0200
+++ csync2-2.0-22-gce67c55/debian/changelog	2020-04-05 12:55:07.000000000 +0200
@@ -1,3 +1,9 @@
+csync2 (2.0-22-gce67c55-1+deb10u1) buster; urgency=medium
+
+  * Add patch for CVE-2019-15522 (Closes: #955445)
+
+ -- Valentin Vidic <vvidic@debian.org>  Sun, 05 Apr 2020 12:55:07 +0200
+
 csync2 (2.0-22-gce67c55-1) unstable; urgency=medium
 
   * New upstream version 2.0-22-gce67c55
diff -Nru csync2-2.0-22-gce67c55/debian/patches/CVE-2019-15522.patch csync2-2.0-22-gce67c55/debian/patches/CVE-2019-15522.patch
--- csync2-2.0-22-gce67c55/debian/patches/CVE-2019-15522.patch	1970-01-01 01:00:00.000000000 +0100
+++ csync2-2.0-22-gce67c55/debian/patches/CVE-2019-15522.patch	2020-04-05 12:51:42.000000000 +0200
@@ -0,0 +1,21 @@
+From 0ecfc333da51575f188dd7cf6ac4974d13a800b1 Mon Sep 17 00:00:00 2001
+From: Malte Kraus <malte.kraus@suse.com>
+Date: Tue, 13 Aug 2019 11:25:57 +0200
+Subject: [PATCH] fail HELLO command when SSL is required
+
+---
+ daemon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemon.c b/daemon.c
+index 2d8407d..2a1a8af 100644
+--- a/daemon.c
++++ b/daemon.c
+@@ -747,6 +747,7 @@ void csync_daemon_session()
+ 						goto conn_without_ssl_ok;
+ 				}
+ 				cmd_error = conn_response(CR_ERR_SSL_EXPECTED);
++				peer = NULL;
+ 			}
+ conn_without_ssl_ok:;
+ #endif
diff -Nru csync2-2.0-22-gce67c55/debian/patches/series csync2-2.0-22-gce67c55/debian/patches/series
--- csync2-2.0-22-gce67c55/debian/patches/series	2018-04-18 22:30:48.000000000 +0200
+++ csync2-2.0-22-gce67c55/debian/patches/series	2020-04-05 12:51:17.000000000 +0200
@@ -3,3 +3,4 @@
 spelling.patch
 fix-manpage-header.patch
 fix-parallel-build.patch
+CVE-2019-15522.patch

-- 
Valentin

Reply to:

Follow-Ups:
- Bug#955860: buster-pu: package csync2/2.0-22-gce67c55-1+deb10u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#955860: buster-pu: package csync2/2.0-22-gce67c55-1+deb10u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#955860: csync2 2.0-22-gce67c55-1+deb10u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>

Prev by Date: Processed: transition: netcdf
Next by Date: Bug#955861: stretch-pu: package csync2/2.0-8-g175a01c-4+deb9u1
Previous by thread: Bug#955807: marked as done (transition: netcdf)
Next by thread: Bug#955860: buster-pu: package csync2/2.0-22-gce67c55-1+deb10u1
Index(es):
- Date
- Thread