Your message dated Wed, 18 May 2016 22:47:16 +0000
with message-id <[email protected]>
and subject line Bug#774882: fixed in openssl 1.0.1t-1+deb8u1
has caused the Debian Bug report #774882,
regarding openssl: fail to verify some sites when 1024bit root CAs removed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
774882: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774882
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.0.1j-1
Severity: normal
Dear Maintainer,
To avoid security weakness, when 1024-bit RSA root CAs are removed,
a verify error occurs on some sites with a cross root CA.
I've seen the following:
https://bugzilla.mozilla.org/show_bug.cgi?id=986005#c4
And the fixing patch is the following:
http://rt.openssl.org/Ticket/Display.html?id=3637&user=guest&pass=guest
[PATCH] x509: skip certs if in alternative cert chain
I've tested this patch. No issues were found.
My tests are the following.
1) Build openssl packages that have the patch applied and install them.
2) Remove root CAs in /usr/share/ca-certificates/mozilla/:
   Equifax_Secure_*.crt
   GTE_CyberTrust_Global_Root.crt
   Thawte_*.crt
   Verisign_Class_3_Public_Primary_Certification_Authority.crt
   Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
3) [strace] openssl s_client -CApath /etc/ssl/certs -showcerts -connect s3.amazonaws.com:443
   Test other sites, e.g. www.debian.org, www.geotrust.co.jp, dinahosting.com.
Thank you.
--
Hiroyuki YAMAMORI
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssl depends on:
ii libc6 2.19-13
ii libssl1.0.0 1.0.1j-1+p1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20141019
-- no debconf information
--- End Message ---
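As an added example, not part of the report or of OpenSSL's own code: a toy Python model of the chain-building behaviour the report is about. It shows why a server that sends a cross-signed copy of its new root fails to verify once the old root is dropped from the trust store, and how the alternative-chain retry that landed in 1.0.1n recovers by backing off the server-supplied issuers and completing the chain from the trust store instead. Only subject/issuer names are modelled (no signatures), and all certificate names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def find_issuer(cert, pool):
    """First cert in pool whose subject is cert's issuer name."""
    return next((c for c in pool if c.subject == cert.issuer and c != cert), None)

def complete_from_trust_store(chain, trust_store):
    """Extend chain through the trust store up to a trusted self-signed root;
    None is where OpenSSL reports 'unable to get local issuer certificate'."""
    chain = list(chain)
    while chain[-1].subject != chain[-1].issuer:
        nxt = find_issuer(chain[-1], trust_store)
        if nxt is None:
            return None
        chain.append(nxt)
    return chain if chain[-1] in trust_store else None

def build_chain(leaf, untrusted, trust_store, alt_chains):
    """Toy model of X509_verify_cert: server-sent (untrusted) certs are tried
    first as issuers, then the chain is completed from the trust store. With
    alt_chains (the 1.0.1n behaviour) a failure retries shorter prefixes."""
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    done = complete_from_trust_store(chain, trust_store)
    if done or not alt_chains:
        return done
    for keep in range(len(chain) - 1, 0, -1):  # retry with shorter prefixes
        done = complete_from_trust_store(chain[:keep], trust_store)
        if done:
            return done
    return None

# Constructed certs modelled on the report: a new root that is also
# cross-signed by an old 1024-bit root, and a server that sends the cross-cert.
OLD_ROOT = Cert("Old Root 1024", "Old Root 1024")
NEW_ROOT = Cert("New Root", "New Root")
CROSS = Cert("New Root", "Old Root 1024")  # new root's key signed by old root
INTER = Cert("Intermediate CA", "New Root")
LEAF = Cert("www.example.com", "Intermediate CA")
SERVER_CHAIN = [INTER, CROSS]  # what the server sends after the leaf
```

With OLD_ROOT still trusted the old algorithm ends at OLD_ROOT; with only NEW_ROOT trusted it fails unless alt_chains is on, in which case the chain is shortened to the intermediate and completed with NEW_ROOT.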
--- Begin Message ---
Source: openssl
Source-Version: 1.0.1t-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 06 May 2016 15:56:09 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1t-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description:
libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
libssl-dev - Secure Sockets Layer toolkit - development files
libssl-doc - Secure Sockets Layer toolkit - development documentation
libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
openssl - Secure Sockets Layer toolkit - cryptographic utility
Closes: 774882 807057
Changes:
openssl (1.0.1t-1+deb8u1) jessie; urgency=medium
.
[ Sebastian Andrzej Siewior ]
* Update to 1.0.1t stable release (drop applied patches and refresh existing
ones).
- Use alternate trust chains part of 1.0.1n (Closes: #774882).
- Use correct digest when exporting keying material (Closes: #807057)
- Fix CVE-2015-3197 (not affected, SSLv2 disabled)
- Fix CVE-2015-1793 (1.0.1n+ is affected and last upload was k)
Checksums-Sha1:
Checksums-Sha256:
Files:
Package-Type: udeb
--- End Message ---