Your message dated Wed, 12 Aug 2015 15:54:56 +0200 with message-id <20150812135456.GA13885@crossbow> and subject line Re: apt-transport-https: Apt https transport does not stop downloading, when host verification failed. Furthermore, no errors raised. has caused the Debian Bug report #658452, regarding apt-transport-https: Apt https transport does not stop downloading, when host verification failed. Furthermore, no errors raised. to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
658452: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658452
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt-transport-https: Apt https transport does not stop downloading, when host verification failed. Furthermore, no errors raised.
- From: Nikolay Bogdanov <nikolay.bogdanov@flant.ru>
- Date: Fri, 03 Feb 2012 11:46:31 +0400
- Message-id: <20120203074631.4319.48162.reportbug@gyrt-notebook.loc>
Package: apt-transport-https
Version: 0.8.10.3+squeeze1
Severity: important

I created a secure apt repository with https access.
When I started security tests, I found this bug.
I attach my aptconfig and apt debug output.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt-transport-https depends on:
ii  apt [libapt-pkg4.10]  0.8.10.3+squeeze1    Advanced front-end for dpkg
ii  libc6                 2.11.3-2             Embedded GNU C Library: Shared lib
ii  libcurl3-gnutls       7.21.0-2.1+squeeze1  Multi-protocol file transfer libra
ii  libgcc1               1:4.4.5-8            GCC support library
ii  libstdc++6            4.4.5-8              The GNU Standard C++ Library v3

apt-transport-https recommends no packages.

apt-transport-https suggests no packages.

-- no debconf information

APT "";
APT::Architecture "amd64";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "1";
APT::Install-Suggests "0";
APT::Acquire "";
APT::Acquire::Translation "environment";
APT::Authentication "";
APT::Authentication::TrustCDROM "true";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^firmware-linux.*";
APT::NeverAutoRemove:: "^linux-firmware$";
APT::NeverAutoRemove:: "^linux-image.*";
APT::NeverAutoRemove:: "^kfreebsd-image.*";
APT::NeverAutoRemove:: "^linux-restricted-modules.*";
APT::NeverAutoRemove:: "^linux-ubuntu-modules-.*";
APT::Never-MarkAuto-Sections "";
APT::Never-MarkAuto-Sections:: "metapackages";
APT::Never-MarkAuto-Sections:: "restricted/metapackages";
APT::Never-MarkAuto-Sections:: "universe/metapackages";
APT::Never-MarkAuto-Sections:: "multiverse/metapackages";
APT::Never-MarkAuto-Sections:: "oldlibs";
APT::Never-MarkAuto-Sections:: "restricted/oldlibs";
APT::Never-MarkAuto-Sections:: "universe/oldlibs";
APT::Never-MarkAuto-Sections:: "multiverse/oldlibs";
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Update "";
APT::Update::Post-Invoke "";
APT::Update::Post-Invoke:: "touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";
APT::Update::Post-Invoke-Success "";
APT::Update::Post-Invoke-Success:: "[ ! -f /var/run/dbus/system_bus_socket ] || /usr/bin/dbus-send --system --dest=org.debian.apt --type=signal /org/debian/apt org.debian.apt.CacheChanged || true";
APT::Archives "";
APT::Archives::MaxAge "30";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "500";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::mirrors "mirrors/";
Dir::State::extended_states "extended_states";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::netrc "auth.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Etc::trusted "trusted.gpg";
Dir::Etc::trustedparts "trusted.gpg.d";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Media "";
Dir::Media::MountPath "/media/cdrom";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Dir::Log::History "history.log";
Dir::Ignore-Files-Silently "";
Dir::Ignore-Files-Silently:: "~$";
Dir::Ignore-Files-Silently:: "\.disabled$";
Dir::Ignore-Files-Silently:: "\.bak$";
Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$";
Acquire "";
Acquire::cdrom "";
Acquire::cdrom::mount "/media/cdrom";
Acquire::https "";
Acquire::https::Verify-Host "true";
Acquire::https::Verify-Peer "true";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -ne 10";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Tools "";
DPkg::Tools::Options "";
DPkg::Tools::Options::/usr/bin/apt-listchanges "";
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; if [ -e /var/lib/update-notifier/updates-available ]; then echo > /var/lib/update-notifier/updates-available; fi ";
Unattended-Upgrade "";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} stable";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} ${distro_codename}-security";
Debug "";
Debug::Acquire "";
Debug::Acquire::Https "true";
CommandLine "";
CommandLine::AsString "apt-config dump";

0% [Обработка]* About to connect() to apt.flant.ru port 443 (#0)
*   Trying 89.108.116.132...
* connected
* Connected to apt.flant.ru (89.108.116.132) port 443 (#0)
Получить:1 http://mirror.yandex.ru/debian/ squeeze/main python-gtkspell amd64 2.25.3-7 [35,5 kB]
31% [Обработка]* found 141 certificates in /etc/ssl/certs/ca-certificates.crt
*   server certificate verification OK
*   common name: run.flant.ru (does not match 'apt.flant.ru')
*   server certificate expiration date OK
*   server certificate activation date OK
*   certificate public key: RSA
*   certificate version: #3
*   subject: C=RU,ST=Moscow,L=Moscow,O=CJSC Flant,CN=run.flant.ru
*   start date: Thu, 03 Nov 2011 00:00:00 GMT
*   expire date: Fri, 02 Nov 2012 23:59:59 GMT
*   issuer: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
*   compression: NULL
*   cipher: AES-256-CBC
*   MAC: SHA1
> GET /common/pool/main/h/htop/htop_1.0-squeeze1_amd64.deb HTTP/1.1
User-Agent: Debian APT-CURL/1.0 (0.8.10.3)
Host: apt.flant.ru
Accept: */*
Cache-Control: max-age=0

< HTTP/1.1 200 OK
< Server: nginx/0.7.65
< Date: Fri, 03 Feb 2012 07:25:37 GMT
< Content-Type: application/octet-stream
< Connection: keep-alive
< Keep-Alive: timeout=20
< Content-Length: 76792
< Last-Modified: Mon, 19 Dec 2011 10:28:56 GMT
< Accept-Ranges: bytes
<
Получить:2 https://apt.flant.ru/common/ squeeze/main htop amd64 1.0-squeeze1 [76,8 kB]
45% [2 htop 16127/76,8 kB 21%]* Connection #0 to host apt.flant.ru left intact
--- End Message ---
--- Begin Message ---
- To: 658452-done@bugs.debian.org
- Subject: Re: apt-transport-https: Apt https transport does not stop downloading, when host verification failed. Furthermore, no errors raised.
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Wed, 12 Aug 2015 15:54:56 +0200
- Message-id: <20150812135456.GA13885@crossbow>
- In-reply-to: <20120203074631.4319.48162.reportbug@gyrt-notebook.loc>
- References: <20120203074631.4319.48162.reportbug@gyrt-notebook.loc>
Version: 0.8.11

On Fri, Feb 03, 2012 at 11:46:31AM +0400, Nikolay Bogdanov wrote:
> I created a secure apt repository with https access.
> When I started security tests, I found this bug.
> I attach my aptconfig and apt debug output.

That was a popular bug by an unluckily designed API which usually used true/false values, but for this one security-sensitive feature requires passing in the value 2 to be completely enabled instead of just 1 (which is what true evaluates to). See CURLOPT_SSL_VERIFYHOST, apt was hardly the only tool falling into this trap…

This was eventually fixed in the version I denoted above and ported to the stable branches back then. It was just never closed in terms of this bugreport, so fixing this now by a manual close.

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature
--- End Message ---
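
The trap described in the closing message, a boolean reaching CURLOPT_SSL_VERIFYHOST where the value 2 is required, can be searched for in C/C++ sources. The audit script below is an added example, not code from apt or from either correspondent; the C++ sample, the function names and the verdict labels are constructed for illustration.

```python
import re

# Matches curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYHOST, <value>);
SETOPT = re.compile(r"curl_easy_setopt\s*\(\s*[^,;]+,\s*CURLOPT_SSL_VERIFYHOST"
                    r"\s*,\s*(?P<value>[^;]+?)\s*\)\s*;")
BOOL_DECL = re.compile(r"\bbool\s+(\w+)")
LITERALS = {"false": 0, "true": 1, "0": 0, "1": 1, "2": 2}

def level(expr, bool_vars):
    """0, 1 or 2 for a literal or a known bool variable; None if unknown."""
    expr = re.sub(r"^([0-2])[lL]$", r"\1", expr.strip())  # 2L -> 2
    if expr in bool_vars:
        return 1  # a bool that is true converts to 1, never to 2
    return LITERALS.get(expr)

def classify(expr, bool_vars):
    """Classify the value argument of one CURLOPT_SSL_VERIFYHOST call."""
    ternary = re.fullmatch(r".+?\?(.+):(.+)", expr)
    levels = [level(b, bool_vars) for b in (ternary.groups() if ternary else (expr,))]
    if 1 in levels:
        return "boolean-trap"  # the bug on this page: true/1 instead of 2
    if None in levels:
        return "review"  # value cannot be decided from the text alone
    if 2 not in levels:
        return "disabled"
    return "ok" if all(v == 2 for v in levels) else "ok-conditional"

def scan(source):
    """Return (line, value, verdict) for each VERIFYHOST call in source."""
    bool_vars = set(BOOL_DECL.findall(source))
    findings = []
    for m in SETOPT.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        value = " ".join(m.group("value").split())
        findings.append((line, value, classify(value, bool_vars)))
    return findings

# Constructed C++ sample for this example; not taken from apt's source.
SAMPLE = """\
bool verify = true;  // e.g. read from Acquire::https::Verify-Host "true"
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify ? 2L : 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST,
                 2L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A "review" verdict means the argument is a variable or call whose type the script cannot see, so the declaration has to be checked by hand.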