Bug#964417: buster-pu: package mod-gnutls/0.9.0-1.1~deb10u1

To: 964417@bugs.debian.org
Subject: Bug#964417: buster-pu: package mod-gnutls/0.9.0-1.1~deb10u1
From: Adrian Bunk <bunk@debian.org>
Date: Tue, 7 Jul 2020 01:07:15 +0300
Message-id: <[🔎] 20200706220715.GA16651@localhost>
Reply-to: Adrian Bunk <bunk@debian.org>, 964417@bugs.debian.org
In-reply-to: <[🔎] 159407272102.7891.5731900095306753714.reportbug@localhost>
References: <[🔎] 159407272102.7891.5731900095306753714.reportbug@localhost> <[🔎] 159407272102.7891.5731900095306753714.reportbug@localhost>

On Tue, Jul 07, 2020 at 12:58:41AM +0300, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
>   * Backported patches to fix test failures with the
>     apache CVE-2019-10092 fix. (Closes: #950300)
>   * Disable a test that fails with GnuTLS >= 3.6.11. (Closes: #950301)
>   * Backported a fix for a possible segfault on failed TLS handshake.
> 
> Technically the #950301 fix is not necessary in buster,
> but the tests of this package are so fragile with changes
> in build dependencies that disabling a test that might
> pass is better-safe-than-sorry.

The missing debdiff is attached.

cu
Adrian

diff -Nru mod-gnutls-0.9.0/debian/changelog mod-gnutls-0.9.0/debian/changelog
--- mod-gnutls-0.9.0/debian/changelog	2019-02-08 23:27:06.000000000 +0200
+++ mod-gnutls-0.9.0/debian/changelog	2020-07-07 00:37:00.000000000 +0300
@@ -1,3 +1,20 @@
+mod-gnutls (0.9.0-1.1~deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for buster.
+
+ -- Adrian Bunk <bunk@debian.org>  Tue, 07 Jul 2020 00:37:00 +0300
+
+mod-gnutls (0.9.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Backported patches to fix test failures with the
+    apache CVE-2019-10092 fix. (Closes: #950300)
+  * Disable a test that fails with GnuTLS >= 3.6.11. (Closes: #950301)
+  * Backported a fix for a possible segfault on failed TLS handshake.
+
+ -- Adrian Bunk <bunk@debian.org>  Sat, 08 Feb 2020 23:14:39 +0200
+
 mod-gnutls (0.9.0-1) unstable; urgency=medium
 
   [ Fiona Klute ]
diff -Nru mod-gnutls-0.9.0/debian/patches/0001-Fix-possible-segfault-NULL-pointer-dereference-on-fa.patch mod-gnutls-0.9.0/debian/patches/0001-Fix-possible-segfault-NULL-pointer-dereference-on-fa.patch
--- mod-gnutls-0.9.0/debian/patches/0001-Fix-possible-segfault-NULL-pointer-dereference-on-fa.patch	1970-01-01 02:00:00.000000000 +0200
+++ mod-gnutls-0.9.0/debian/patches/0001-Fix-possible-segfault-NULL-pointer-dereference-on-fa.patch	2020-02-08 17:20:28.000000000 +0200
@@ -0,0 +1,40 @@
+From dcec2098a29e43d93efe6b0b6150e35ef198a1eb Mon Sep 17 00:00:00 2001
+From: Fiona Klute <fiona.klute@gmx.de>
+Date: Thu, 28 Nov 2019 10:42:46 +0100
+Subject: Fix possible segfault (NULL pointer dereference) on failed TLS
+ handshake
+
+Calling ssl_var_lookup() after a failed handshake could lead to GnuTLS
+session information functions being called on a NULL session pointer,
+leading to segfault. I observed this in a case where mod_http2 was
+trying to check the negotiated TLS version after the client rejected
+the server certificate.
+---
+ src/mod_gnutls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
+index d6edffc..b667a9c 100644
+--- a/src/mod_gnutls.c
++++ b/src/mod_gnutls.c
+@@ -2,7 +2,7 @@
+  *  Copyright 2004-2005 Paul Querna
+  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
+  *  Copyright 2011 Dash Shendy
+- *  Copyright 2015-2018 Fiona Klute
++ *  Copyright 2015-2019 Fiona Klute
+  *
+  *  Licensed under the Apache License, Version 2.0 (the "License");
+  *  you may not use this file except in compliance with the License.
+@@ -178,7 +178,7 @@ char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
+     mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
+ 
+     /* TLS parameters are empty if there is no session */
+-    if (ctxt == NULL || ctxt->c == NULL)
++    if (ctxt == NULL || ctxt->c == NULL || ctxt->session == NULL)
+         return NULL;
+ 
+     if (strcmp(var, "SSL_PROTOCOL") == 0)
+-- 
+2.20.1
+
diff -Nru mod-gnutls-0.9.0/debian/patches/0001-Test-suite-ignore-Content-Length-header.patch mod-gnutls-0.9.0/debian/patches/0001-Test-suite-ignore-Content-Length-header.patch
--- mod-gnutls-0.9.0/debian/patches/0001-Test-suite-ignore-Content-Length-header.patch	1970-01-01 02:00:00.000000000 +0200
+++ mod-gnutls-0.9.0/debian/patches/0001-Test-suite-ignore-Content-Length-header.patch	2020-02-08 17:20:44.000000000 +0200
@@ -0,0 +1,291 @@
+From 20a20dfab4f9b854228ae1999b912dcab7f8c260 Mon Sep 17 00:00:00 2001
+From: Krista Karppinen <krista.celestia@gmail.com>
+Date: Fri, 1 Nov 2019 23:07:20 +0200
+Subject: Test suite: ignore "Content-Length" header
+
+Do not check the returned "Content-Length" header value when running the
+tests, as long as it's valid. This will allow for more flexibility in
+matching the content in the future.
+---
+ test/runtests                                                | 5 +++--
+ test/tests/00_basic/output                                   | 1 -
+ test/tests/01_serverwide_priorities/output                   | 1 -
+ test/tests/03_cachetimeout_in_vhost/output                   | 1 -
+ test/tests/04_basic_nosni/output                             | 1 -
+ test/tests/06_verify_sni_a/output                            | 1 -
+ test/tests/07_verify_sni_b/output                            | 1 -
+ test/tests/08_verify_no_sni_fallback_to_first_vhost/output   | 1 -
+ test/tests/10_basic_client_verification/output               | 1 -
+ test/tests/14_resume_session/output                          | 1 -
+ test/tests/15_basic_msva/output                              | 1 -
+ test/tests/19_TLS_reverse_proxy/output                       | 1 -
+ test/tests/20_TLS_reverse_proxy_client_auth/output           | 1 -
+ test/tests/21_TLS_reverse_proxy_wrong_cert/output            | 1 -
+ test/tests/22_TLS_reverse_proxy_crl_revoke/output            | 1 -
+ test/tests/23_TLS_reverse_proxy_mismatched_priorities/output | 1 -
+ test/tests/24_pkcs11_cert/output                             | 1 -
+ test/tests/27_OCSP_server/output                             | 1 -
+ test/tests/29_force_handshake_vhost/output                   | 1 -
+ test/tests/30_ip_based_vhosts/output                         | 1 -
+ test/tests/31_vhost_SNI_serveralias_match/output             | 1 -
+ test/tests/32_vhost_SNI_serveralias_mismatch/output          | 1 -
+ test/tests/33_vhost_SNI_serveralias_missinghost/output       | 1 -
+ test/tests/34_TLS_reverse_proxy_h2/output                    | 1 -
+ 24 files changed, 3 insertions(+), 25 deletions(-)
+
+diff --git a/test/runtests b/test/runtests
+index 1c4ffdf..291755e 100755
+--- a/test/runtests
++++ b/test/runtests
+@@ -49,8 +49,8 @@ function stop_msva()
+ 
+ # Compare expected/actual outputs, filtering out headers from actual
+ # output that are expected to change between runs or builds (currently
+-# "Date" and "Server"). The headers must be excluded in the expected
+-# output.
++# "Date", "Server" and "Content-Length"). The headers must be excluded
++# in the expected output.
+ #
+ # Parameters:
+ # $1: path to expected output
+@@ -63,6 +63,7 @@ function diff_output_filter_headers()
+     diff $3 -u "${expected}" <( cat "${actual}" | \
+ 	grep -v -P '^Date:\s.*GMT\s?$' | \
+ 	grep -v -P '^Server:\sApache'  | \
++	grep -v -P '^Content-Length:\s\d+\s?$' | \
+ 	tail -n "$(wc -l < ${expected})" )
+ }
+ 
+diff --git a/test/tests/00_basic/output b/test/tests/00_basic/output
+index 6259290..341d60e 100644
+--- a/test/tests/00_basic/output
++++ b/test/tests/00_basic/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/01_serverwide_priorities/output b/test/tests/01_serverwide_priorities/output
+index 6259290..341d60e 100644
+--- a/test/tests/01_serverwide_priorities/output
++++ b/test/tests/01_serverwide_priorities/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/03_cachetimeout_in_vhost/output b/test/tests/03_cachetimeout_in_vhost/output
+index 6259290..341d60e 100644
+--- a/test/tests/03_cachetimeout_in_vhost/output
++++ b/test/tests/03_cachetimeout_in_vhost/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/04_basic_nosni/output b/test/tests/04_basic_nosni/output
+index 6259290..341d60e 100644
+--- a/test/tests/04_basic_nosni/output
++++ b/test/tests/04_basic_nosni/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/06_verify_sni_a/output b/test/tests/06_verify_sni_a/output
+index 6259290..341d60e 100644
+--- a/test/tests/06_verify_sni_a/output
++++ b/test/tests/06_verify_sni_a/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/07_verify_sni_b/output b/test/tests/07_verify_sni_b/output
+index 6259290..341d60e 100644
+--- a/test/tests/07_verify_sni_b/output
++++ b/test/tests/07_verify_sni_b/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/08_verify_no_sni_fallback_to_first_vhost/output b/test/tests/08_verify_no_sni_fallback_to_first_vhost/output
+index 6259290..341d60e 100644
+--- a/test/tests/08_verify_no_sni_fallback_to_first_vhost/output
++++ b/test/tests/08_verify_no_sni_fallback_to_first_vhost/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/10_basic_client_verification/output b/test/tests/10_basic_client_verification/output
+index 6259290..341d60e 100644
+--- a/test/tests/10_basic_client_verification/output
++++ b/test/tests/10_basic_client_verification/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/14_resume_session/output b/test/tests/14_resume_session/output
+index 6259290..341d60e 100644
+--- a/test/tests/14_resume_session/output
++++ b/test/tests/14_resume_session/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/15_basic_msva/output b/test/tests/15_basic_msva/output
+index 6259290..341d60e 100644
+--- a/test/tests/15_basic_msva/output
++++ b/test/tests/15_basic_msva/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/19_TLS_reverse_proxy/output b/test/tests/19_TLS_reverse_proxy/output
+index c346200..f7c4e4e 100644
+--- a/test/tests/19_TLS_reverse_proxy/output
++++ b/test/tests/19_TLS_reverse_proxy/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Content-Type: text/plain
+ Connection: close
+ 
+diff --git a/test/tests/20_TLS_reverse_proxy_client_auth/output b/test/tests/20_TLS_reverse_proxy_client_auth/output
+index c346200..f7c4e4e 100644
+--- a/test/tests/20_TLS_reverse_proxy_client_auth/output
++++ b/test/tests/20_TLS_reverse_proxy_client_auth/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Content-Type: text/plain
+ Connection: close
+ 
+diff --git a/test/tests/21_TLS_reverse_proxy_wrong_cert/output b/test/tests/21_TLS_reverse_proxy_wrong_cert/output
+index 1c9cc06..8c2419d 100644
+--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/output
++++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/output
+@@ -1,5 +1,4 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+diff --git a/test/tests/22_TLS_reverse_proxy_crl_revoke/output b/test/tests/22_TLS_reverse_proxy_crl_revoke/output
+index 1c9cc06..8c2419d 100644
+--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/output
++++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/output
+@@ -1,5 +1,4 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+diff --git a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
+index 1c9cc06..8c2419d 100644
+--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
++++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
+@@ -1,5 +1,4 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+diff --git a/test/tests/24_pkcs11_cert/output b/test/tests/24_pkcs11_cert/output
+index 6259290..341d60e 100644
+--- a/test/tests/24_pkcs11_cert/output
++++ b/test/tests/24_pkcs11_cert/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/27_OCSP_server/output b/test/tests/27_OCSP_server/output
+index 6259290..341d60e 100644
+--- a/test/tests/27_OCSP_server/output
++++ b/test/tests/27_OCSP_server/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/29_force_handshake_vhost/output b/test/tests/29_force_handshake_vhost/output
+index c14b0e5..a09e295 100644
+--- a/test/tests/29_force_handshake_vhost/output
++++ b/test/tests/29_force_handshake_vhost/output
+@@ -1,5 +1,4 @@
+ HTTP/1.1 421 Misdirected Request
+-Content-Length: 322
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+diff --git a/test/tests/30_ip_based_vhosts/output b/test/tests/30_ip_based_vhosts/output
+index 6259290..341d60e 100644
+--- a/test/tests/30_ip_based_vhosts/output
++++ b/test/tests/30_ip_based_vhosts/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/31_vhost_SNI_serveralias_match/output b/test/tests/31_vhost_SNI_serveralias_match/output
+index 6259290..341d60e 100644
+--- a/test/tests/31_vhost_SNI_serveralias_match/output
++++ b/test/tests/31_vhost_SNI_serveralias_match/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Connection: close
+ Content-Type: text/plain
+ 
+diff --git a/test/tests/32_vhost_SNI_serveralias_mismatch/output b/test/tests/32_vhost_SNI_serveralias_mismatch/output
+index c14b0e5..a09e295 100644
+--- a/test/tests/32_vhost_SNI_serveralias_mismatch/output
++++ b/test/tests/32_vhost_SNI_serveralias_mismatch/output
+@@ -1,5 +1,4 @@
+ HTTP/1.1 421 Misdirected Request
+-Content-Length: 322
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+diff --git a/test/tests/33_vhost_SNI_serveralias_missinghost/output b/test/tests/33_vhost_SNI_serveralias_missinghost/output
+index c14b0e5..a09e295 100644
+--- a/test/tests/33_vhost_SNI_serveralias_missinghost/output
++++ b/test/tests/33_vhost_SNI_serveralias_missinghost/output
+@@ -1,5 +1,4 @@
+ HTTP/1.1 421 Misdirected Request
+-Content-Length: 322
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+diff --git a/test/tests/34_TLS_reverse_proxy_h2/output b/test/tests/34_TLS_reverse_proxy_h2/output
+index c346200..f7c4e4e 100644
+--- a/test/tests/34_TLS_reverse_proxy_h2/output
++++ b/test/tests/34_TLS_reverse_proxy_h2/output
+@@ -1,5 +1,4 @@
+ Accept-Ranges: bytes
+-Content-Length: 5
+ Content-Type: text/plain
+ Connection: close
+ 
+-- 
+2.20.1
+
diff -Nru mod-gnutls-0.9.0/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch mod-gnutls-0.9.0/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch
--- mod-gnutls-0.9.0/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch	1970-01-01 02:00:00.000000000 +0200
+++ mod-gnutls-0.9.0/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch	2020-02-08 17:20:52.000000000 +0200
@@ -0,0 +1,94 @@
+From a55742a9e3ea3d5ab8151f0c54e196187b203b7b Mon Sep 17 00:00:00 2001
+From: Fiona Klute <fiona.klute@gmx.de>
+Date: Fri, 1 Nov 2019 19:17:57 +0100
+Subject: Test suite: Remove URLs from expected error responses
+
+Apache HTTPD removed request URLs from canned error messages to
+prevent misleading text/links being displayed via crafted links
+(CVE-2019-10092). Adjust the expected error responses in our tests so
+they can pass again.
+---
+ test/tests/18_client_verification_wrong_cert/output         | 6 +++---
+ test/tests/21_TLS_reverse_proxy_wrong_cert/output           | 5 ++---
+ test/tests/22_TLS_reverse_proxy_crl_revoke/output           | 5 ++---
+ .../tests/23_TLS_reverse_proxy_mismatched_priorities/output | 5 ++---
+ 4 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/test/tests/18_client_verification_wrong_cert/output b/test/tests/18_client_verification_wrong_cert/output
+index 766e7b6..2a89afe 100644
+--- a/test/tests/18_client_verification_wrong_cert/output
++++ b/test/tests/18_client_verification_wrong_cert/output
+@@ -1,7 +1,7 @@
++<html><head>
++<title>403 Forbidden</title>
+ </head><body>
+ <h1>Forbidden</h1>
+-<p>You don't have permission to access /test.txt
+-on this server.<br />
+-</p>
++<p>You don't have permission to access this resource.</p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+diff --git a/test/tests/21_TLS_reverse_proxy_wrong_cert/output b/test/tests/21_TLS_reverse_proxy_wrong_cert/output
+index f60e6f6..1c9cc06 100644
+--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/output
++++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/output
+@@ -1,5 +1,5 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 407
++Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+@@ -10,7 +10,6 @@ Content-Type: text/html; charset=iso-8859-1
+ <h1>Proxy Error</h1>
+ <p>The proxy server received an invalid
+ response from an upstream server.<br />
+-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
+-Reason: <strong>Error reading from remote server</strong></p></p>
++The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+diff --git a/test/tests/22_TLS_reverse_proxy_crl_revoke/output b/test/tests/22_TLS_reverse_proxy_crl_revoke/output
+index f60e6f6..1c9cc06 100644
+--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/output
++++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/output
+@@ -1,5 +1,5 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 407
++Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+@@ -10,7 +10,6 @@ Content-Type: text/html; charset=iso-8859-1
+ <h1>Proxy Error</h1>
+ <p>The proxy server received an invalid
+ response from an upstream server.<br />
+-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
+-Reason: <strong>Error reading from remote server</strong></p></p>
++The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+diff --git a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
+index f60e6f6..1c9cc06 100644
+--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
++++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
+@@ -1,5 +1,5 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 407
++Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+@@ -10,7 +10,6 @@ Content-Type: text/html; charset=iso-8859-1
+ <h1>Proxy Error</h1>
+ <p>The proxy server received an invalid
+ response from an upstream server.<br />
+-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
+-Reason: <strong>Error reading from remote server</strong></p></p>
++The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+-- 
+2.20.1
+
diff -Nru mod-gnutls-0.9.0/debian/patches/disable-test16.patch mod-gnutls-0.9.0/debian/patches/disable-test16.patch
--- mod-gnutls-0.9.0/debian/patches/disable-test16.patch	1970-01-01 02:00:00.000000000 +0200
+++ mod-gnutls-0.9.0/debian/patches/disable-test16.patch	2020-02-08 23:14:39.000000000 +0200
@@ -0,0 +1,15 @@
+Description: Disable a test that fails with GnuTLS >= 3.6.11
+ A proper fix is in upstream release 0.10.0.
+Bug-Debian: https://bugs.debian.org/950301
+
+--- mod-gnutls-0.9.0.orig/test/Makefile.am
++++ mod-gnutls-0.9.0/test/Makefile.am
+@@ -18,7 +18,7 @@ dist_check_SCRIPTS = test-00_basic.bash
+ if USE_MSVA
+ dist_check_SCRIPTS += test-15_basic_msva.bash
+ endif
+-dist_check_SCRIPTS += test-16_view-status.bash \
++dist_check_SCRIPTS += \
+ 	test-17_cgi_vars_large_cert.bash \
+ 	test-18_client_verification_wrong_cert.bash \
+ 	test-19_TLS_reverse_proxy.bash \
diff -Nru mod-gnutls-0.9.0/debian/patches/series mod-gnutls-0.9.0/debian/patches/series
--- mod-gnutls-0.9.0/debian/patches/series	2019-02-08 23:25:17.000000000 +0200
+++ mod-gnutls-0.9.0/debian/patches/series	2020-02-08 23:14:39.000000000 +0200
@@ -1 +1,5 @@
 0001-Never-build-PDF-documentation.patch
+0001-Fix-possible-segfault-NULL-pointer-dereference-on-fa.patch
+0001-Test-suite-Remove-URLs-from-expected-error-responses.patch
+0001-Test-suite-ignore-Content-Length-header.patch
+disable-test16.patch

Reply to:

Follow-Ups:
- Bug#964417: buster-pu: package mod-gnutls/0.9.0-1.1~deb10u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Bug#964417: buster-pu: package mod-gnutls/0.9.0-1.1~deb10u1
  - From: Adrian Bunk <bunk@debian.org>

Prev by Date: Processed: Re: Bug#948653: stretch-pu: package mod-gnutls/0.8.2-3+deb9u1
Next by Date: NEW changes in oldstable-new
Previous by thread: Bug#964417: buster-pu: package mod-gnutls/0.9.0-1.1~deb10u1
Next by thread: Bug#964417: buster-pu: package mod-gnutls/0.9.0-1.1~deb10u1
Index(es):
- Date
- Thread