Bug#948653: stretch-pu: package mod-gnutls/0.8.2-3+deb9u1
Control: retitle -1 stretch-pu: package mod-gnutls/0.8.2-3+deb9u2
Control: tags -1 - pending
On Fri, Jul 03, 2020 at 06:57:55AM +0100, Adam D. Barratt wrote:
> Hi,
Hi Adam,
> On Fri, 2020-01-31 at 08:43 +0200, Adrian Bunk wrote:
> > Control: block -1 by 950300
> >
> > On Tue, Jan 28, 2020 at 08:41:29AM +0000, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On 2020-01-11 10:34, Adrian Bunk wrote:
> > > > * Avoid deprecated ciphersuites in test suite (Closes: #907008)
> > > >
> > > > FTBFS, tests were broken by gnutls28 3.5.8-5+deb9u4.
> > >
> > > Please go ahead.
> >
> > The apache2 2.4.25-3+deb9u9 upgrade causes an unrelated FTBFS in
> > mod-gnutls, which made 0.8.2-3+deb9u1 fail on the buildds.
> >
> > Reported as #950300, this bug is present even in unstable.
> >
> > Seems fixed in upstream 0.9.1.
> >
> > I'll take care of this, but there is not enough time left to get
> > this fixed for the upcoming stretch point release - I won't do a 0-
> > day NMU for a just reported FTBFS in unstable.
>
> What's the status of this?
sorry for the delay, debdiff is attached.
> Regards,
>
> Adam
cu
Adrian
diff -Nru mod-gnutls-0.8.2/debian/changelog mod-gnutls-0.8.2/debian/changelog
--- mod-gnutls-0.8.2/debian/changelog 2020-01-11 12:27:37.000000000 +0200
+++ mod-gnutls-0.8.2/debian/changelog 2020-07-07 00:29:59.000000000 +0300
@@ -1,3 +1,11 @@
+mod-gnutls (0.8.2-3+deb9u2) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Backported patches to fix test failures with the
+ apache CVE-2019-10092 fix. (Closes: #950300)
+
+ -- Adrian Bunk <bunk@debian.org> Tue, 07 Jul 2020 00:29:59 +0300
+
mod-gnutls (0.8.2-3+deb9u1) stretch; urgency=medium
* Non-maintainer upload.
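Review bot: The new changelog entry says "Backported patches" in the plural, but the debian/patches/series change in this debdiff adds only one file, 0001-Test-suite-Remove-URLs-from-expected-error-responses.patch. Suggest wording the entry as a single backported patch and naming it, and stating that only expected test output changes, so the release team can see at a glance that no module code is touched.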
diff -Nru mod-gnutls-0.8.2/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch mod-gnutls-0.8.2/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch
--- mod-gnutls-0.8.2/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch 1970-01-01 02:00:00.000000000 +0200
+++ mod-gnutls-0.8.2/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch 2020-07-07 00:29:44.000000000 +0300
@@ -0,0 +1,94 @@
+From a55742a9e3ea3d5ab8151f0c54e196187b203b7b Mon Sep 17 00:00:00 2001
+From: Fiona Klute <fiona.klute@gmx.de>
+Date: Fri, 1 Nov 2019 19:17:57 +0100
+Subject: Test suite: Remove URLs from expected error responses
+
+Apache HTTPD removed request URLs from canned error messages to
+prevent misleading text/links being displayed via crafted links
+(CVE-2019-10092). Adjust the expected error responses in our tests so
+they can pass again.
+---
+ test/tests/18_client_verification_wrong_cert/output | 6 +++---
+ test/tests/21_TLS_reverse_proxy_wrong_cert/output | 5 ++---
+ test/tests/22_TLS_reverse_proxy_crl_revoke/output | 5 ++---
+ .../tests/23_TLS_reverse_proxy_mismatched_priorities/output | 5 ++---
+ 4 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/test/tests/18_client_verification_wrong_cert/output b/test/tests/18_client_verification_wrong_cert/output
+index 766e7b6..2a89afe 100644
+--- a/test/tests/18_client_verification_wrong_cert/output
++++ b/test/tests/18_client_verification_wrong_cert/output
+@@ -1,7 +1,7 @@
++<html><head>
++<title>403 Forbidden</title>
+ </head><body>
+ <h1>Forbidden</h1>
+-<p>You don't have permission to access /test.txt
+-on this server.<br />
+-</p>
++<p>You don't have permission to access this resource.</p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+diff --git a/test/tests/21_TLS_reverse_proxy_wrong_cert/output b/test/tests/21_TLS_reverse_proxy_wrong_cert/output
+index f60e6f6..1c9cc06 100644
+--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/output
++++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/output
+@@ -1,5 +1,5 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 407
++Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+
+@@ -10,7 +10,6 @@ Content-Type: text/html; charset=iso-8859-1
+ <h1>Proxy Error</h1>
+ <p>The proxy server received an invalid
+ response from an upstream server.<br />
+-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p>
+-Reason: <strong>Error reading from remote server</strong></p></p>
++The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+diff --git a/test/tests/22_TLS_reverse_proxy_crl_revoke/output b/test/tests/22_TLS_reverse_proxy_crl_revoke/output
+index f60e6f6..1c9cc06 100644
+--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/output
++++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/output
+@@ -1,5 +1,5 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 407
++Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+
+@@ -10,7 +10,6 @@ Content-Type: text/html; charset=iso-8859-1
+ <h1>Proxy Error</h1>
+ <p>The proxy server received an invalid
+ response from an upstream server.<br />
+-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p>
+-Reason: <strong>Error reading from remote server</strong></p></p>
++The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+diff --git a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
+index f60e6f6..1c9cc06 100644
+--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
++++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
+@@ -1,5 +1,5 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 407
++Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+
+@@ -10,7 +10,6 @@ Content-Type: text/html; charset=iso-8859-1
+ <h1>Proxy Error</h1>
+ <p>The proxy server received an invalid
+ response from an upstream server.<br />
+-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p>
+-Reason: <strong>Error reading from remote server</strong></p></p>
++The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+--
+2.20.1
+
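Review bot: In the expected output for test 18, the added lines "<html><head>" and "<title>403 Forbidden</title>" are not explained by the commit message, which only covers removing request URLs; the old expectation began at "</head><body>". Please confirm these two lines reflect what the test harness captures against the fixed apache2 rather than an accidental paste, and mention it in the patch description. Separately, the three reverse-proxy expectations (tests 21, 22 and 23) pin "Content-Length: 341" and the exact canned body, so they pass only against an apache2 carrying the CVE-2019-10092 change; since the debdiff does not touch debian/control, a versioned build dependency on the apache2 packages would keep a build against the older version from failing in the test suite.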
diff -Nru mod-gnutls-0.8.2/debian/patches/series mod-gnutls-0.8.2/debian/patches/series
--- mod-gnutls-0.8.2/debian/patches/series 2020-01-11 12:26:12.000000000 +0200
+++ mod-gnutls-0.8.2/debian/patches/series 2020-07-07 00:29:59.000000000 +0300
@@ -7,3 +7,4 @@
0007-Do-not-treat-warnings-about-deprecated-declarations-.patch
0008-Wait-for-OCSP-server-to-become-available.patch
0001-Fix-test-16-view-status-by-changing-priority-string.patch
+0001-Test-suite-Remove-URLs-from-expected-error-responses.patch
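Review bot: The added series entry reuses the 0001- prefix, so the series now ends with two 0001- files after 0008 and the numeric prefixes no longer reflect apply order. Consider renaming the new file to continue the sequence, or dropping the git format-patch numbers, so a reader of debian/patches does not assume it applies first.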