Bug#1004895: bullseye-pu: package e2guardian/5.3.4-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
I just uploaded e2guardian 5.3.4-1+deb11u1 to bullseye including the fix
for CVE-2021-44273:
diff --git a/debian/changelog b/debian/changelog
index 8900938..488096b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+e2guardian (5.3.4-1+deb11u1) bullseye; urgency=medium
+
+ * debian/patches:
+ + CVE-2021-44273: Fix missing SSL certificate validation in the SSL MiTM
+ engine. Add 0001_CVE-2021-44273_fix-hostname-validation-in-
+ certificates.patch. (Closes: #1003125).
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 02 Feb 2022 21:06:57 +0100
+
[ Reason ]
Fix no-DSA security issue.
[ Impact ]
None to other packages, e2guardian is a leaf package.
[ Tests ]
Build succeeded, and a runtime test on a production server succeeded, too.
[ Risks ]
None.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
see above
[ Other info ]
Security team recommended uploading via bullseye-pu.
diff -Nru e2guardian-5.3.4/debian/changelog e2guardian-5.3.4/debian/changelog
--- e2guardian-5.3.4/debian/changelog 2020-02-15 10:43:10.000000000 +0100
+++ e2guardian-5.3.4/debian/changelog 2022-02-02 21:06:57.000000000 +0100
@@ -1,3 +1,12 @@
+e2guardian (5.3.4-1+deb11u1) bullseye-security; urgency=medium
+
+ * debian/patches:
+ + CVE-2021-44273: Fix missing SSL certificate validation in the SSL MiTM
+ engine. Add 0001_CVE-2021-44273_fix-hostname-validation-in-
+ certificates.patch. (Closes: #1003125).
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 02 Feb 2022 21:06:57 +0100
+
e2guardian (5.3.4-1) unstable; urgency=medium
* New upstream release.
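Review bot: the changelog stanza in this debdiff targets `bullseye-security`, while the inline `git diff` earlier in the mail shows the same stanza targeting `bullseye`, which is what a bullseye-pu upload needs; `bullseye-security` is the target for security-team uploads, not proposed-updates. Please confirm which changelog was actually built and uploaded, and regenerate the debdiff from that source package so the attachment matches the upload under review.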
diff -Nru e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
--- e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch 1970-01-01 01:00:00.000000000 +0100
+++ e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch 2022-02-02 21:03:36.000000000 +0100
@@ -0,0 +1,25 @@
+From eae46a7e2a57103aadca903c4a24cca94dc502a2 Mon Sep 17 00:00:00 2001
+From: Philip Pearce <philip.pearce@e2bn.org>
+Date: Tue, 23 Nov 2021 09:52:38 +0000
+Subject: [PATCH] Fix bug #707 cert hostnames not being checked - only happened
+ when openssl v1.1 is used
+
+---
+ src/Socket.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/Socket.cpp b/src/Socket.cpp
+index 6ef9619c0..2b687ef5a 100644
+--- a/src/Socket.cpp
++++ b/src/Socket.cpp
+@@ -377,6 +377,10 @@ int Socket::startSslClient(const std::string &certificate_path, String hostname)
+ //fcntl(this->getFD() ,F_SETFL, O_NONBLOCK); // blocking mode used currently
+ SSL_set_fd(ssl, this->getFD());
+ SSL_set_tlsext_host_name(ssl, hostname.c_str());
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#else
++ X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl),hostname.c_str(),0);
++#endif
+
+ //make io non blocking as select wont tell us if we can do a read without blocking
+ //BIO_set_nbio(SSL_get_rbio(ssl),1l); // blocking mode used currently
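Review bot: the return value of `X509_VERIFY_PARAM_set1_host()` is discarded in the added lines; it returns 0 on failure, and in that case the handshake proceeds with no hostname bound to the verify parameters, which silently reintroduces the CVE-2021-44273 condition. Check the result and fail the connection on the same path `startSslClient()` uses for its other errors, e.g. `if (X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl), hostname.c_str(), 0) != 1)` before continuing. Two smaller points: the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` arm is empty, so on pre-1.1 OpenSSL nothing is set here at all; the commit subject says the bug only appeared with OpenSSL 1.1, so if older builds verify the name elsewhere this is intentional, but `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` around the single call would express that without a dangling empty branch. Also, `set1_host()` only has an effect when the SSL object actually verifies the peer (`SSL_VERIFY_PEER`); that setting is outside this hunk, so it is worth confirming it is enabled on the MITM client side. Finally, the patch carries only the git format-patch headers; a DEP-3 `Bug-Debian: https://bugs.debian.org/1003125` line (and an `Origin:` pointing at upstream commit eae46a7e2a57103aadca903c4a24cca94dc502a2) would tie the file to the bug it closes.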
diff -Nru e2guardian-5.3.4/debian/patches/series e2guardian-5.3.4/debian/patches/series
--- e2guardian-5.3.4/debian/patches/series 2020-02-15 10:43:10.000000000 +0100
+++ e2guardian-5.3.4/debian/patches/series 2022-02-02 21:06:33.000000000 +0100
@@ -1,2 +1,3 @@
2002_Debian-clamd-socket.patch
1001_spelling-fixes.patch
+0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
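Review bot: the new patch is numbered `0001_` but is appended after `2002_` and `1001_` in series; since series order is application order this is functionally fine, but the numbering reads as if the patch should apply first. Either renumber it to sort after the existing entries or keep the number and accept the mismatch; just make sure it was tested in the order listed here.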