
Bug#1004895: marked as done (bullseye-pu: package e2guardian/5.3.4-1+deb11u1)



Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1004895,
regarding bullseye-pu: package e2guardian/5.3.4-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1004895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004895
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

I just uploaded e2guardian 5.3.4-1+deb11u1 to bullseye including the fix
for CVE-2021-44273:

diff --git a/debian/changelog b/debian/changelog
index 8900938..488096b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+e2guardian (5.3.4-1+deb11u1) bullseye; urgency=medium
+
+  * debian/patches:
+    + CVE-2021-44273: Fix missing SSL certificate validation in the SSL MiTM
+      engine. Add 0001_CVE-2021-44273_fix-hostname-validation-in-
+      certificates.patch. (Closes: #1003125).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Wed, 02 Feb 2022 21:06:57 +0100
+
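Review bot: the distribution in the new stanza, `+e2guardian (5.3.4-1+deb11u1) bullseye; urgency=medium`, does not match the attached debdiff further down, whose changelog stanza targets `bullseye-security`; a bullseye-pu upload must carry `bullseye`, so please confirm which of the two changelogs was actually uploaded and make the inline diff and the debdiff agree.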

[ Reason ]
Fix no-DSA security issue.

[ Impact ]
None to other packages, e2guardian is a leaf package.

[ Tests ]
Build succeeded, and a runtime test on a production server succeeded, too.

[ Risks ]
None.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
see above

[ Other info ]
Security team recommended uploading via bullseye-pu.
diff -Nru e2guardian-5.3.4/debian/changelog e2guardian-5.3.4/debian/changelog
--- e2guardian-5.3.4/debian/changelog	2020-02-15 10:43:10.000000000 +0100
+++ e2guardian-5.3.4/debian/changelog	2022-02-02 21:06:57.000000000 +0100
@@ -1,3 +1,12 @@
+e2guardian (5.3.4-1+deb11u1) bullseye-security; urgency=medium
+
+  * debian/patches:
+    + CVE-2021-44273: Fix missing SSL certificate validation in the SSL MiTM
+      engine. Add 0001_CVE-2021-44273_fix-hostname-validation-in-
+      certificates.patch. (Closes: #1003125).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Wed, 02 Feb 2022 21:06:57 +0100
+
 e2guardian (5.3.4-1) unstable; urgency=medium
 
   * New upstream release.
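Review bot: `+e2guardian (5.3.4-1+deb11u1) bullseye-security; urgency=medium` targets the security archive, which contradicts both the inline changelog diff above (`bullseye`) and the stated route via bullseye-pu; since the debdiff is what the release team reviews, regenerate it from the source tree that was actually uploaded so the stanza reads `bullseye`.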
diff -Nru e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
--- e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch	1970-01-01 01:00:00.000000000 +0100
+++ e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch	2022-02-02 21:03:36.000000000 +0100
@@ -0,0 +1,25 @@
+From eae46a7e2a57103aadca903c4a24cca94dc502a2 Mon Sep 17 00:00:00 2001
+From: Philip Pearce <philip.pearce@e2bn.org>
+Date: Tue, 23 Nov 2021 09:52:38 +0000
+Subject: [PATCH] Fix bug #707 cert hostnames not being checked - only happened
+ when openssl v1.1 is used
+
+---
+ src/Socket.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/Socket.cpp b/src/Socket.cpp
+index 6ef9619c0..2b687ef5a 100644
+--- a/src/Socket.cpp
++++ b/src/Socket.cpp
+@@ -377,6 +377,10 @@ int Socket::startSslClient(const std::string &certificate_path, String hostname)
+     //fcntl(this->getFD() ,F_SETFL, O_NONBLOCK); // blocking mode used currently
+     SSL_set_fd(ssl, this->getFD());
+     SSL_set_tlsext_host_name(ssl, hostname.c_str());
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#else
++  X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl),hostname.c_str(),0);
++#endif
+ 
+     //make io non blocking as select wont tell us if we can do a read without blocking
+     //BIO_set_nbio(SSL_get_rbio(ssl),1l);  // blocking mode used currently
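Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` branch is empty, so a build against an older OpenSSL still performs no hostname check at all; `X509_VERIFY_PARAM_set1_host` has existed since OpenSSL 1.0.2, so the guard could be lowered to `< 0x10002000L` (or the empty branch dropped) rather than silently skipping verification. This is moot for bullseye, which builds against OpenSSL 1.1.1, but it matters if the patch is reused elsewhere. Two checks worth confirming outside this hunk: `X509_VERIFY_PARAM_set1_host` only takes effect when peer verification is enabled (`SSL_VERIFY_PEER` via `SSL_set_verify`/`SSL_CTX_set_verify`), which `startSslClient` is not shown setting here; and if `hostname` can ever be empty, calling `set1_host` with an empty string clears the expected-host list and again disables the name check (an IP literal would need `X509_VERIFY_PARAM_set1_ip_asc` instead). Style: the inserted `X509_VERIFY_PARAM_set1_host(...)` line is indented with two spaces while the surrounding code uses four, and the patch file has no DEP-3 headers; add `Bug-Debian: https://bugs.debian.org/1003125` and an `Origin:` line naming upstream commit eae46a7e2a57103aadca903c4a24cca94dc502a2.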
diff -Nru e2guardian-5.3.4/debian/patches/series e2guardian-5.3.4/debian/patches/series
--- e2guardian-5.3.4/debian/patches/series	2020-02-15 10:43:10.000000000 +0100
+++ e2guardian-5.3.4/debian/patches/series	2022-02-02 21:06:33.000000000 +0100
@@ -1,2 +1,3 @@
 2002_Debian-clamd-socket.patch
 1001_spelling-fixes.patch
+0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
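Review bot: the `0001_` prefix suggests this patch sorts first, but it is appended after `1001_spelling-fixes.patch`, and quilt applies the series in listed order, so the name does not reflect when it is applied; this is cosmetic, but a prefix that follows the existing numbering (e.g. `1002_`) would avoid confusion when more patches are added.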

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.3

Hi,

The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.

Regards,

Adam

--- End Message ---
