Your message dated Fri, 31 Jul 2015 05:04:05 +0000 with message-id <[email protected]> and subject line Bug#783595: fixed in sympa 6.1.24~dfsg-1 has caused the Debian Bug report #783595, regarding sympa: LDAP support for SSLv3 broken on Debian 8.0 ("Jessie") to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
783595: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783595
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sympa
Version: 6.1.23~dfsg-2
Severity: important
Tags: patch

Both LDAP authentication and LDAP data sources using ssl_version sslv3 are broken in Debian 8.0. The LDAP server used is OpenLDAP from Debian 8.0. A real (non-self signed) certificate is used. This thus affects /etc/sympa/auth.conf and /var/lib/sympa/list_data/*/config.

A completely nondescript error message is emitted ("Unable to connect to the LDAP server"). Debugging this using

    openssl s_server -accept 636 \
        -key mykey.pem \
        -cert mycert.pem

prints the following:

    ACCEPT
    ERROR
    139697326311056:error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol:s23_srvr.c:610:
    shutting down SSL
    CONNECTION CLOSED

Replacing sslv3 with tlsv1 resolves the problem, but Sympa has another bug in this regard where /usr/share/sympa/lib/List.pm has a bad ssl_version constant for TLSv1: it uses "tls" instead of "tlsv1". Thus:

1. Replace "sslv3" with "tlsv1" for "ssl_version" in /etc/sympa/auth.conf

2. Patch /usr/share/sympa/lib/List.pm:

--- /usr/share/sympa/lib/List.pm~ 2015-04-28 10:30:05.879888964 +0200 +++ /usr/share/sympa/lib/List.pm 2015-04-28 10:30:30.679888964 +0200 @@ -877,7 +877,7 @@ 'gettext_id' => 'use SSL (LDAPS)', 'order' => 2.5, }, - 'ssl_version' => {'format' => ['sslv2','sslv3','tls'], + 'ssl_version' => {'format' => ['sslv2','sslv3','tlsv1'], 'default' => 'sslv3', 'gettext_id' => 'SSL version', 'order' => 2.5, @@ -1001,7 +1001,7 @@ 'gettext_id' => 'use SSL (LDAPS)', 'order' => 2.5, }, - 'ssl_version' => {'format' => ['sslv2','sslv3','tls'], + 'ssl_version' => {'format' => ['sslv2','sslv3','tlsv1'], 'default' => '', 'gettext_id' => 'SSL version', 'order' => 2.5, 
@@ -1579,7 +1579,7 @@ # include_ldap_2level_query.ssl_version, include_ldap_query.ssl_version 'sslv2' => {'gettext_id' => 'SSL version 2'}, 'sslv3' => {'gettext_id' => 'SSL version 3'}, - 'tls' => {'gettext_id' => 'TLS'}, + 'tlsv1' => {'gettext_id' => 'TLS'}, # editor.reception, owner_include.reception, owner.reception, # editor_include.reception

3. Either change the ssl_version parameter for all data sources on the Web interface to "TLS", or edit /var/lib/sympa/list_data/*/config accordingly.

-- System Information:
Debian Release: 8.0
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sympa depends on:
ii  adduser                           3.113+nmu3
ii  ca-certificates                   20141019
ii  dbconfig-common                   1.8.47+nmu3
ii  debconf [debconf-2.0]             1.5.56
ii  libarchive-zip-perl               1.39-1
ii  libc6                             2.19-18
ii  libcgi-fast-perl                  1:2.04-1
ii  libcgi-pm-perl                    4.09-1
ii  libdbd-mysql-perl                 4.028-2+b1
ii  libdbd-pg-perl                    3.4.2-1
ii  libdbd-sqlite3-perl               1.44-1
ii  libdbd-sybase-perl                1.14-1+b2
ii  libdbi-perl                       1.631-3+b1
ii  libfcgi-perl                      0.77-1+b1
ii  libfile-copy-recursive-perl       0.38-1
ii  libhtml-format-perl               2.11-1
ii  libhtml-stripscripts-parser-perl  1.03-1
ii  libhtml-tree-perl                 5.03-1
ii  libintl-perl                      1.23-1
ii  libio-stringy-perl                2.110-5
ii  libmailtools-perl                 2.13-1
ii  libmime-charset-perl              1.011.1-1
ii  libmime-encwords-perl             1.014.3-1
ii  libmime-lite-html-perl            1.24-1
ii  libmime-tools-perl                5.505-1
ii  libmsgcat-perl                    1.03-6+b1
ii  libnet-ldap-perl                  1:0.6400+dfsg-2
ii  libnet-netmask-perl               1.9021-1
ii  libregexp-common-perl             2013031301-1
ii  libsoap-lite-perl                 1.11-1
ii  libtemplate-perl                  2.24-1.2+b1
ii  libterm-progressbar-perl          2.16-1
ii  libunicode-linebreak-perl         0.0.20140601-2
ii  libxml-libxml-perl                2.0116+dfsg-1+b1
ii  lsb-base                          4.1+Debian13+nmu1
ii  mhonarc                           2.6.19-1
ii  perl                              5.20.2-3
ii  perl-modules                      5.20.2-3
ii  postfix [mail-transport-agent]    2.11.3-1
ii  rsyslog [system-log-daemon]       8.4.2-1
ii  sqlite3                           3.8.7.1-1

Versions of packages sympa recommends:
ii  apache2-suexec                            2.4.10-10
ii  apache2-suexec-pristine [apache2-suexec]  2.4.10-10
ii  doc-base                                  0.10.6
ii  libapache2-mod-fcgid                      1:2.3.9-1+b1
ii  libcrypt-ciphersaber-perl                 0.61-4
ii  libfile-nfslock-perl                      1.24-1
ii  libio-socket-ssl-perl                     2.002-2
ii  libmail-dkim-perl                         0.40-1
ii  locales                                   2.19-18
ii  logrotate                                 3.8.7-1+b1
ii  postgresql                                9.4+165

Versions of packages sympa suggests:
ii  apache2 [httpd-cgi]             2.4.10-10
ii  apache2-mpm-worker [httpd-cgi]  2.4.10-10
pn  libauthcas-perl                 <none>
pn  libdbd-oracle-perl              <none>
pn  libtext-wrap-perl               <none>
ii  openssl                         1.0.1k-3

-- Configuration Files:
/etc/sympa/auth.conf [Errno 13] Permission denied: u'/etc/sympa/auth.conf'
/etc/sympa/sympa.conf-smime.in [Errno 13] Permission denied: u'/etc/sympa/sympa.conf-smime.in'
/etc/sympa/topics.conf [Errno 13] Permission denied: u'/etc/sympa/topics.conf'

-- debconf information excluded
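Review bot: in the @@ -877,7 +877,7 @@ hunk the context line 'default' => 'sslv3' is left unchanged, so a configuration that sets no explicit ssl_version still ends up with the value this report shows being rejected with "unsupported protocol". Suggest changing it to 'default' => 'tlsv1' in the same patch, and reconsidering whether 'sslv2' and 'sslv3' should remain in the 'format' list at all.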
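Review bot: in the @@ -1579,7 +1579,7 @@ hunk the 'tls' key is replaced outright by 'tlsv1', and the two earlier hunks drop 'tls' from 'format' as well, so a list config that already stores ssl_version tls no longer matches any allowed value. Suggest either keeping 'tls' as an accepted alias or making the rewrite of existing configs an explicit upgrade step; the label could also read 'TLS version 1' to match the 'SSL version 2' and 'SSL version 3' entries beside it.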
--- End Message ---
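An added example, not part of the bug report or of Sympa: a shell check that locates the settings steps 1 and 3 of the report say to edit, by flagging every ssl_version that is not tlsv1. It assumes whitespace-separated "key value" lines with "#" comments; the sample files and the host ldap.example.org are constructed.

```shell
#!/bin/sh
# Added example: flag legacy ssl_version values in Sympa-style config files.
# Assumption: settings are whitespace-separated "key value" lines and lines
# starting with "#" are comments.

# audit_ssl_version FILE...
# Prints one line per ssl_version setting that is not tlsv1.
# Returns 0 if all are tlsv1, 1 if any legacy value was found, 2 on no input.
audit_ssl_version() {
    [ "$#" -gt 0 ] || return 2          # never fall through to reading stdin
    awk '
        /^[ \t]*#/ { next }             # skip comment lines
        $1 == "ssl_version" {
            v = tolower($2)
            if (v == "tlsv1") next
            if (v == "sslv2" || v == "sslv3") why = "SSL protocol version, replace with tlsv1"
            else if (v == "tls") why = "bad constant per the report, use tlsv1"
            else why = "unrecognised value, review by hand"
            printf "%s:%d: ssl_version %s (%s)\n", FILENAME, FNR, $2, why
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample tree mirroring /etc/sympa/auth.conf and
# /var/lib/sympa/list_data/*/config from the report (contents are made up).
make_samples() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/list_data/staff" "$d/list_data/ok"
    printf 'ldap\n  host ldap.example.org:636\n  use_ssl 1\n  ssl_version sslv3\n' \
        > "$d/auth.conf"
    printf 'include_ldap_query\nhost ldap.example.org:636\nuse_ssl yes\nssl_version tls\n' \
        > "$d/list_data/staff/config"
    printf 'include_ldap_query\nhost ldap.example.org:636\nuse_ssl yes\nssl_version tlsv1\n' \
        > "$d/list_data/ok/config"
    echo "$d"
}

sample=$(make_samples)
audit_ssl_version "$sample/auth.conf" "$sample"/list_data/*/config \
    || echo "legacy ssl_version values found"
```

On a real host the same function would be pointed at /etc/sympa/auth.conf and /var/lib/sympa/list_data/*/config, run as a user allowed to read them.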
--- Begin Message ---
Source: sympa
Source-Version: 6.1.24~dfsg-1

We believe that the bug you reported is fixed in the latest version of sympa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bouthenot <[email protected]> (supplier of updated sympa package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Fri, 31 Jul 2015 06:35:47 +0200
Source: sympa
Binary: sympa
Architecture: source amd64
Version: 6.1.24~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Sympa team <[email protected]>
Changed-By: Emmanuel Bouthenot <[email protected]>
Description:
 sympa - Modern mailing list manager
Closes: 783595 788152
Changes:
 sympa (6.1.24~dfsg-1) unstable; urgency=medium
 .
   * New upstream release
     - Remove patch for CVE-2015-1306
   * Switch to plain Debhelper rather than CDBS
   * Fix debian/watch file in order to exclude alpha or beta versions
   * Fix perl-modules and libcgi-pm-perl build dependencies
     (Closes: #788152)
   * Bump Standards-Version to 3.9.6
   * Add a patch (backported from Sympa 6.2) to fix various SSL/TLS issues
     (Closes: #783595)
--- End Message ---

