Your message dated Mon, 15 Dec 2008 00:17:04 +0000
with message-id <[email protected]>
and subject line Bug#503495: fixed in inn2 2.4.5-5
has caused the Debian Bug report #503495,
regarding inn2: SSL-Documentation and -Support is wrong/broken
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
503495: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503495
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: inn2
Version: 2.4.5-2
Severity: normal
README.Debian.gz contains some information regarding SSL support but it
turns out that what's written there is simply wrong; also, the SSL support
in the package is completely broken anyway.
1. It is told that one needs a CA cert in /etc/news/nnrpd-ca-cert.pem,
a key in /etc/news/nnrpd-key.pem and a cert in /etc/news/nnrpd-cert.pem
and that the key should be chown root:news and chmod 0640. All of this
is wrong.
The paths are configured in /etc/news/sasl.conf and they point to a
nonexistent directory /usr/lib/news/lib where a cert.pem containing both
the key and the cert (and not a CA cert) is expected. This file must
be owned by news, not by root, and it must have 0600 as permissions,
not 0640.
2. After fixing path and permissions it still won't work. NNTP with SSL
can be done in two flavors. The modern and better one would be the
use of STARTTLS. This won't work because the shipped nnrpd binary does
not contain SSL support, only nnrpd-ssl does - but this one is not the
one inn calls upon reader.connect. So STARTTLS is broken by this
design decision of Debian. I don't see a point in having nnrpd without
SSL support and a separate binary for this anyway, because both are
shipped in the same package.
3. The other flavor is NNTPS on port 563, which requires calling nnrpd-ssl
with option "-S". The /etc/init.d/inn2 script even contains a line to
start this, but it won't work because it does su news and non-root can't
bind to port 563.
Please consider removing nnrpd-ssl and making nnrpd SSL-capable, so that
STARTTLS is enabled. Please find a way to make NNTPS work (preferably
without using inetd as suggested by INN docs). Also please fix the paths
in sasl.conf and the docs.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22-xul
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages inn2 depends on:
ii cron 3.0pl1-104 management of regular background p
ii inn2-inews 2.4.5-2 NNTP client news injector, from In
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libcomerr2 1.41.0-3 common error description library
ii libdb4.6 4.6.21-8 Berkeley v4.6 Database Libraries [
ii libkrb53 1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii libpam0g 1.0.1-4+b1 Pluggable Authentication Modules l
ii libperl5.10 5.10.0-13 Shared Perl library
ii libssl0.9.8 0.9.8g-13 SSL shared libraries
ii nullmailer [mail-tran 1:1.04-1 simple relay-only mail transport a
ii perl 5.10.0-13 Larry Wall's Practical Extraction
ii perl-base [perlapi-5. 5.10.0-13 minimal Perl system
ii procps 1:3.2.7-8 /proc file system utilities
ii time 1.7-23 The GNU time program for measuring
inn2 recommends no packages.
Versions of packages inn2 suggests:
ii gnupg 1.4.9-3 GNU privacy guard - a free PGP rep
ii wget 1.11.4-1 retrieves files from the web
-- no debconf information
--- End Message ---
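The ownership, mode and content requirements the report gives for the combined key-and-certificate file (owned by news, mode 0600, key and certificate in one PEM file) can be checked mechanically. The following is an added example, not part of the bug report or the inn2 package; the function names are hypothetical and the file path is supplied by the operator on the command line.

```python
import os
import pwd
import stat
import sys


def owner_name(uid):
    """Login name for a uid, or the number itself if there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_tls_pem(path, expected_owner="news", expected_mode=0o600):
    """Return findings for a combined key+cert PEM file; an empty list means OK."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]
    findings = []
    owner = owner_name(st.st_uid)
    if owner != expected_owner:
        findings.append(f"owner is {owner}, expected {expected_owner}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append(f"mode is {mode:04o}, expected {expected_mode:04o}")
    try:
        with open(path, "r", errors="replace") as fh:
            lines = [line.strip() for line in fh]
    except OSError as exc:
        findings.append(f"cannot read file: {exc.strerror}")
        return findings
    # Only the PEM armor lines are inspected; key material is never parsed.
    if not any(l.startswith("-----BEGIN ") and l.endswith("PRIVATE KEY-----")
               for l in lines):
        findings.append("no private key block found")
    if "-----BEGIN CERTIFICATE-----" not in lines:
        findings.append("no certificate block found")
    return findings


if __name__ == "__main__":
    # Usage: pass the file that sasl.conf points at as an argument.
    results = {p: audit_tls_pem(p) for p in sys.argv[1:]}
    for p, problems in results.items():
        print(p, "OK" if not problems else "; ".join(problems))
    sys.exit(1 if any(results.values()) else 0)
```
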
--- Begin Message ---
Source: inn2
Source-Version: 2.4.5-5
We believe that the bug you reported is fixed in the latest version of
inn2, which is due to be installed in the Debian FTP archive:
inn2-dev_2.4.5-5_i386.deb
to pool/main/i/inn2/inn2-dev_2.4.5-5_i386.deb
inn2-inews_2.4.5-5_i386.deb
to pool/main/i/inn2/inn2-inews_2.4.5-5_i386.deb
inn2-lfs_2.4.5-5_i386.deb
to pool/main/i/inn2/inn2-lfs_2.4.5-5_i386.deb
inn2_2.4.5-5.diff.gz
to pool/main/i/inn2/inn2_2.4.5-5.diff.gz
inn2_2.4.5-5.dsc
to pool/main/i/inn2/inn2_2.4.5-5.dsc
inn2_2.4.5-5_i386.deb
to pool/main/i/inn2/inn2_2.4.5-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco d'Itri <[email protected]> (supplier of updated inn2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 15 Dec 2008 00:50:17 +0100
Source: inn2
Binary: inn2 inn2-lfs inn2-inews inn2-dev
Architecture: source i386
Version: 2.4.5-5
Distribution: unstable
Urgency: medium
Maintainer: Marco d'Itri <[email protected]>
Changed-By: Marco d'Itri <[email protected]>
Description:
inn2 - 'InterNetNews' news server
inn2-dev - The libinn.a library, headers and man pages
inn2-inews - NNTP client news injector, from InterNetNews (INN)
inn2-lfs - 'InterNetNews' news server (LFS version)
Closes: 503495 507256
Changes:
inn2 (2.4.5-5) unstable; urgency=medium
.
* Added patches u_*: bug fixes from SVN chosen by the upstream maintainer:
- misc innreport bugs
- incorrect TLS error handling
- correctly initialize the status file IP address variables
- do not send a duplicate reply when TLS negotiation fails
- correct the permissions checking for XHDR and XPAT
- do not send a duplicate reply to XOVER/XHDR/XPAT in an empty group
* Install again our own sasl.conf with the correct paths.
* Document in README.Debian that STARTTLS and MODE READER do not work
together. (Closes: #503495)
* Added patch typo_inn_conf_man fixes a typo in inn.conf(5).
(Closes: #507256)
* Updated the md5.c license in debian/copyright.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklFnGoACgkQFGfw2OHuP7Ep3ACfSgTO3AOTDKu2fqWDKuR/jRzp
8YwAnA3OvpnOkq5DyS0kLvSxzDWfSgcW
=g/Gx
-----END PGP SIGNATURE-----
--- End Message ---