
Bug#658452: marked as done (apt-transport-https: Apt https transport does not stop downloading, when host verification failed. Furthermore, no errors raised.)



Your message dated Wed, 12 Aug 2015 15:54:56 +0200
with message-id <20150812135456.GA13885@crossbow>
and subject line Re: apt-transport-https: Apt https transport does not stop downloading, when host verification failed. Furthermore, no errors raised.
has caused the Debian Bug report #658452,
regarding apt-transport-https: Apt https transport does not stop downloading, when host verification failed. Furthermore, no errors raised.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
658452: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658452
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt-transport-https
Version: 0.8.10.3+squeeze1
Severity: important

I created a secure apt repository with https access.
When I started security tests, I found this bug.
I attach my apt config and apt debug output.



-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt-transport-https depends on:
ii  apt [libapt-pkg4.10] 0.8.10.3+squeeze1   Advanced front-end for dpkg
ii  libc6                2.11.3-2            Embedded GNU C Library: Shared lib
ii  libcurl3-gnutls      7.21.0-2.1+squeeze1 Multi-protocol file transfer libra
ii  libgcc1              1:4.4.5-8           GCC support library
ii  libstdc++6           4.4.5-8             The GNU Standard C++ Library v3

apt-transport-https recommends no packages.

apt-transport-https suggests no packages.

-- no debconf information
APT "";
APT::Architecture "amd64";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "1";
APT::Install-Suggests "0";
APT::Acquire "";
APT::Acquire::Translation "environment";
APT::Authentication "";
APT::Authentication::TrustCDROM "true";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^firmware-linux.*";
APT::NeverAutoRemove:: "^linux-firmware$";
APT::NeverAutoRemove:: "^linux-image.*";
APT::NeverAutoRemove:: "^kfreebsd-image.*";
APT::NeverAutoRemove:: "^linux-restricted-modules.*";
APT::NeverAutoRemove:: "^linux-ubuntu-modules-.*";
APT::Never-MarkAuto-Sections "";
APT::Never-MarkAuto-Sections:: "metapackages";
APT::Never-MarkAuto-Sections:: "restricted/metapackages";
APT::Never-MarkAuto-Sections:: "universe/metapackages";
APT::Never-MarkAuto-Sections:: "multiverse/metapackages";
APT::Never-MarkAuto-Sections:: "oldlibs";
APT::Never-MarkAuto-Sections:: "restricted/oldlibs";
APT::Never-MarkAuto-Sections:: "universe/oldlibs";
APT::Never-MarkAuto-Sections:: "multiverse/oldlibs";
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Update "";
APT::Update::Post-Invoke "";
APT::Update::Post-Invoke:: "touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";
APT::Update::Post-Invoke-Success "";
APT::Update::Post-Invoke-Success:: "[ ! -f /var/run/dbus/system_bus_socket ] || /usr/bin/dbus-send --system --dest=org.debian.apt --type=signal /org/debian/apt org.debian.apt.CacheChanged || true";
APT::Archives "";
APT::Archives::MaxAge "30";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "500";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::mirrors "mirrors/";
Dir::State::extended_states "extended_states";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::netrc "auth.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Etc::trusted "trusted.gpg";
Dir::Etc::trustedparts "trusted.gpg.d";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Media "";
Dir::Media::MountPath "/media/cdrom";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Dir::Log::History "history.log";
Dir::Ignore-Files-Silently "";
Dir::Ignore-Files-Silently:: "~$";
Dir::Ignore-Files-Silently:: "\.disabled$";
Dir::Ignore-Files-Silently:: "\.bak$";
Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$";
Acquire "";
Acquire::cdrom "";
Acquire::cdrom::mount "/media/cdrom";
Acquire::https "";
Acquire::https::Verify-Host "true";
Acquire::https::Verify-Peer "true";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -ne 10";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Tools "";
DPkg::Tools::Options "";
DPkg::Tools::Options::/usr/bin/apt-listchanges "";
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; if [ -e /var/lib/update-notifier/updates-available ]; then echo > /var/lib/update-notifier/updates-available; fi ";
Unattended-Upgrade "";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} stable";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} ${distro_codename}-security";
Debug "";
Debug::Acquire "";
Debug::Acquire::Https "true";
CommandLine "";
CommandLine::AsString "apt-config dump";
0% [Обработка]* About to connect() to apt.flant.ru port 443 (#0)
*   Trying 89.108.116.132... * connected
* Connected to apt.flant.ru (89.108.116.132) port 443 (#0)
Получить:1 http://mirror.yandex.ru/debian/ squeeze/main python-gtkspell amd64 2.25.3-7 [35,5 kB]
31% [Обработка]* found 141 certificates in /etc/ssl/certs/ca-certificates.crt
*        server certificate verification OK
*        common name: run.flant.ru (does not match 'apt.flant.ru')
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: C=RU,ST=Moscow,L=Moscow,O=CJSC Flant,CN=run.flant.ru
*        start date: Thu, 03 Nov 2011 00:00:00 GMT
*        expire date: Fri, 02 Nov 2012 23:59:59 GMT
*        issuer: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
*        compression: NULL
*        cipher: AES-256-CBC
*        MAC: SHA1
> GET /common/pool/main/h/htop/htop_1.0-squeeze1_amd64.deb HTTP/1.1
User-Agent: Debian APT-CURL/1.0 (0.8.10.3)
Host: apt.flant.ru
Accept: */*
Cache-Control: max-age=0

< HTTP/1.1 200 OK
< Server: nginx/0.7.65
< Date: Fri, 03 Feb 2012 07:25:37 GMT
< Content-Type: application/octet-stream
< Connection: keep-alive
< Keep-Alive: timeout=20
< Content-Length: 76792
< Last-Modified: Mon, 19 Dec 2011 10:28:56 GMT
< Accept-Ranges: bytes
<
Получить:2 https://apt.flant.ru/common/ squeeze/main htop amd64 1.0-squeeze1 [76,8 kB]
45% [2 htop 16127/76,8 kB 21%]* Connection #0 to host apt.flant.ru left intact

--- End Message ---
--- Begin Message ---
Version: 0.8.11

On Fri, Feb 03, 2012 at 11:46:31AM +0400, Nikolay Bogdanov wrote:
> I created a secure apt repository with https access.
> When I started security tests, I found this bug.
> I attach my apt config and apt debug output.

That was a popular bug caused by an unluckily designed API which usually used
true/false values, but for this one security-sensitive feature requires
passing in the value 2 to be completely enabled instead of just
1 (which is what true evaluates to). See CURLOPT_SSL_VERIFYHOST; apt was
hardly the only tool falling into this trap…

This was eventually fixed in the version I denoted above and ported to
the stable branches back then. It was just never closed in terms of
this bug report, so fixing this now by a manual close.


Best regards

David Kalnischkies



--- End Message ---
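
The trap described in the reply above, as a small C model (an added example, not apt or libcurl code). The function names are hypothetical, the three levels follow the libcurl documentation of that period, and name matching is simplified to an exact comparison of the common name.

```c
#include <stdbool.h>
#include <stdio.h>
#include <strings.h>

/* Model (not libcurl source) of the CURLOPT_SSL_VERIFYHOST levels as
 * documented when this bug was filed:
 *   0 = no host check
 *   1 = certificate must carry a common name; its value is not compared
 *   2 = certificate name must match the host being contacted            */
bool host_check_passes(long level, const char *cert_cn, const char *host)
{
    if (level <= 0)
        return true;
    if (cert_cn == NULL || cert_cn[0] == '\0')
        return false;                 /* levels 1 and 2 both need a name */
    if (level == 1)
        return true;                  /* the trap: name is never compared */
    /* Simplified: exact case-insensitive match, no wildcards or SANs. */
    return strcasecmp(cert_cn, host) == 0;
}

/* Hypothetical wrapper with the bug: the boolean is passed straight
 * through, so "true" reaches the library as 1. */
long verify_level_buggy(bool verify_host)
{
    return verify_host;
}

/* Hypothetical wrapper without it: "true" is mapped explicitly to 2. */
long verify_level_fixed(bool verify_host)
{
    return verify_host ? 2L : 0L;
}

int main(void)
{
    /* Names taken from the debug output in the report. */
    const char *cn = "run.flant.ru", *host = "apt.flant.ru";

    printf("buggy mapping, Verify-Host=true: %s\n",
           host_check_passes(verify_level_buggy(true), cn, host)
               ? "transfer proceeds" : "connection refused");
    printf("fixed mapping, Verify-Host=true: %s\n",
           host_check_passes(verify_level_fixed(true), cn, host)
               ? "transfer proceeds" : "connection refused");
    return 0;
}
```

With the buggy mapping the model reproduces what the debug output shows: the mismatch is noted but the GET is still sent.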
