
Bug#955861: stretch-pu: package csync2/2.0-8-g175a01c-4+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please approve the following update for stretch fixing a CVE:

diff -Nru csync2-2.0-8-g175a01c/debian/changelog csync2-2.0-8-g175a01c/debian/changelog
--- csync2-2.0-8-g175a01c/debian/changelog	2016-10-23 15:38:46.000000000 +0200
+++ csync2-2.0-8-g175a01c/debian/changelog	2020-04-05 15:26:41.000000000 +0200
@@ -1,3 +1,9 @@
+csync2 (2.0-8-g175a01c-4+deb9u1) stretch; urgency=medium
+
+  * Add patch for CVE-2019-15522 (Closes: #955445)
+
+ -- Valentin Vidic <vvidic@debian.org>  Sun, 05 Apr 2020 15:26:41 +0200
+
 csync2 (2.0-8-g175a01c-4) unstable; urgency=medium
 
   [ Christoph Berg ]
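
Review bot: The new changelog entry at the top of this hunk identifies the fix only by CVE number. Adding a short description of the behaviour change, taken from the patch subject ("fail HELLO command when SSL is required"), would let a reader of the changelog judge the update without opening debian/patches.
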
diff -Nru csync2-2.0-8-g175a01c/debian/patches/CVE-2019-15522.patch csync2-2.0-8-g175a01c/debian/patches/CVE-2019-15522.patch
--- csync2-2.0-8-g175a01c/debian/patches/CVE-2019-15522.patch	1970-01-01 01:00:00.000000000 +0100
+++ csync2-2.0-8-g175a01c/debian/patches/CVE-2019-15522.patch	2020-04-05 15:25:58.000000000 +0200
@@ -0,0 +1,21 @@
+From 0ecfc333da51575f188dd7cf6ac4974d13a800b1 Mon Sep 17 00:00:00 2001
+From: Malte Kraus <malte.kraus@suse.com>
+Date: Tue, 13 Aug 2019 11:25:57 +0200
+Subject: [PATCH] fail HELLO command when SSL is required
+
+---
+ daemon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemon.c b/daemon.c
+index 2d8407d..2a1a8af 100644
+--- a/daemon.c
++++ b/daemon.c
+@@ -747,6 +747,7 @@ void csync_daemon_session()
+ 						goto conn_without_ssl_ok;
+ 				}
+ 				cmd_error = conn_response(CR_ERR_SSL_EXPECTED);
++				peer = NULL;
+ 			}
+ conn_without_ssl_ok:;
+ #endif
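
Review bot: The added "peer = NULL;" after "cmd_error = conn_response(CR_ERR_SSL_EXPECTED);" in csync_daemon_session() carries no comment, and the patch message has no body, so nothing here says why clearing peer is what makes the HELLO fail. A one-line comment on that assignment would help, and the patch header could carry DEP-3 style Origin and Bug-Debian fields pointing at #955445 so the fix can be traced from the package alone.
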
diff -Nru csync2-2.0-8-g175a01c/debian/patches/series csync2-2.0-8-g175a01c/debian/patches/series
--- csync2-2.0-8-g175a01c/debian/patches/series	2016-10-23 15:38:46.000000000 +0200
+++ csync2-2.0-8-g175a01c/debian/patches/series	2020-04-05 15:26:06.000000000 +0200
@@ -1,3 +1,4 @@
 fix-MAXPATHLEN-for-hurd-i386.patch
 fix-libsqlite3-name.patch
 fix-xinetd.patch
+CVE-2019-15522.patch

