
Bug#1004895: bullseye-pu: package e2guardian/5.3.4-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

I just uploaded e2guardian 5.3.4-1+deb11u1 to bullseye including the fix
for CVE-2021-44273:

diff --git a/debian/changelog b/debian/changelog
index 8900938..488096b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+e2guardian (5.3.4-1+deb11u1) bullseye; urgency=medium
+
+  * debian/patches:
+    + CVE-2021-44273: Fix missing SSL certificate validation in the SSL MiTM
+      engine. Add 0001_CVE-2021-44273_fix-hostname-validation-in-
+      certificates.patch. (Closes: #1003125).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Wed, 02 Feb 2022 21:06:57 +0100
+

[ Reason ]
Fix no-DSA security issue.

[ Impact ]
None to other packages, e2guardian is a leaf package.

[ Tests ]
Build success and runtime test on a production server succeeded, too.

[ Risks ]
None.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
see above

[ Other info ]
Security team recommended uploading via bullseye-pu.
diff -Nru e2guardian-5.3.4/debian/changelog e2guardian-5.3.4/debian/changelog
--- e2guardian-5.3.4/debian/changelog	2020-02-15 10:43:10.000000000 +0100
+++ e2guardian-5.3.4/debian/changelog	2022-02-02 21:06:57.000000000 +0100
@@ -1,3 +1,12 @@
+e2guardian (5.3.4-1+deb11u1) bullseye-security; urgency=medium
+
+  * debian/patches:
+    + CVE-2021-44273: Fix missing SSL certificate validation in the SSL MiTM
+      engine. Add 0001_CVE-2021-44273_fix-hostname-validation-in-
+      certificates.patch. (Closes: #1003125).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Wed, 02 Feb 2022 21:06:57 +0100
+
 e2guardian (5.3.4-1) unstable; urgency=medium
 
   * New upstream release.
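Review bot: the distribution field in this changelog entry reads `bullseye-security`, while the copy of the same entry quoted at the top of the report reads `bullseye`. An upload routed through bullseye-pu (as the [ Other info ] section says the security team recommended) targets `bullseye`, so the two copies cannot both reflect the uploaded source; please regenerate the debdiff from the package that was actually uploaded so reviewers are looking at the right changelog.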
diff -Nru e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
--- e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch	1970-01-01 01:00:00.000000000 +0100
+++ e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch	2022-02-02 21:03:36.000000000 +0100
@@ -0,0 +1,25 @@
+From eae46a7e2a57103aadca903c4a24cca94dc502a2 Mon Sep 17 00:00:00 2001
+From: Philip Pearce <philip.pearce@e2bn.org>
+Date: Tue, 23 Nov 2021 09:52:38 +0000
+Subject: [PATCH] Fix bug #707 cert hostnames not being checked - only happened
+ when openssl v1.1 is used
+
+---
+ src/Socket.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/Socket.cpp b/src/Socket.cpp
+index 6ef9619c0..2b687ef5a 100644
+--- a/src/Socket.cpp
++++ b/src/Socket.cpp
+@@ -377,6 +377,10 @@ int Socket::startSslClient(const std::string &certificate_path, String hostname)
+     //fcntl(this->getFD() ,F_SETFL, O_NONBLOCK); // blocking mode used currently
+     SSL_set_fd(ssl, this->getFD());
+     SSL_set_tlsext_host_name(ssl, hostname.c_str());
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#else
++  X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl),hostname.c_str(),0);
++#endif
+ 
+     //make io non blocking as select wont tell us if we can do a read without blocking
+     //BIO_set_nbio(SSL_get_rbio(ssl),1l);  // blocking mode used currently
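Review bot: the return value of `X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl), hostname.c_str(), 0)` is discarded; the call returns 0 on failure (for example on allocation failure), and a failure here would silently leave the connection without a hostname check, which is exactly the CVE-2021-44273 condition. Checking the result and failing the handshake setup would make the fix robust. Two smaller points on the same hunk: the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` branch is empty, so builds against older OpenSSL still get no hostname validation; that is a no-op for bullseye's OpenSSL 1.1.x but worth a comment so the intent is clear, and the added line uses two-space indentation where the surrounding code uses four. Note also that a hostname set this way only takes effect when peer verification is enabled on the SSL object, which this hunk does not show; the DEP-3 header could carry an `Origin:` URL and `Bug-Debian: https://bugs.debian.org/1003125` so that context is easy to find.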
diff -Nru e2guardian-5.3.4/debian/patches/series e2guardian-5.3.4/debian/patches/series
--- e2guardian-5.3.4/debian/patches/series	2020-02-15 10:43:10.000000000 +0100
+++ e2guardian-5.3.4/debian/patches/series	2022-02-02 21:06:33.000000000 +0100
@@ -1,2 +1,3 @@
 2002_Debian-clamd-socket.patch
 1001_spelling-fixes.patch
+0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
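Review bot: the new patch carries the prefix `0001_` but is appended after `2002_` and `1001_`, so the name suggests it applies first while series order applies it last. Application order is governed by the series file, so this is purely a naming point, but a prefix consistent with its position (or a short comment in series) would avoid confusion for the next person touching the quilt stack.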
