Your message dated Wed, 19 Oct 2016 22:24:24 +0000 with message-id <[email protected]> and subject line "Bug#839751: fixed in apt-cacher-ng 1-1" has caused the Debian Bug report #839751, regarding "apt-cacher-ng: Hostname not verified on outgoing TLS connections", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
839751: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839751
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt-cacher-ng
Version: 0.9.1-1ubuntu1
Severity: important

Dear Maintainer,

apt-cacher-ng 0.9.1-1~bpo8+1 as included in the backports for Debian Jessie, 0.9.1-1ubuntu1 as included in Ubuntu Xenial, as well as the version in the "upstream/sid" branch, do not verify the hostname in certificates when making outgoing TLS connections (HTTPS). This report is produced on an Ubuntu installation, but the issue is unrelated to the distribution.

How to reproduce:

* Insert "172.217.19.14 fakegoogle" into /etc/hosts
* Test whether OpenSSL complains about a mismatching name (requires a sufficiently recent OpenSSL version):

    $ openssl s_client -verify 2 -verify_hostname fakegoogle \
        -verify_return_error -connect fakegoogle:443

* Add "Remap-fakegoogle: /fakegoogle ; https://fakegoogle/" to the apt-cacher-ng configuration and restart apt-cacher-ng
* Request a file from that upstream:

    $ curl -v http://127.0.0.1:3142/fakegoogle/dists/test/Release.gpg
    ...
    > GET /fakegoogle/dists/test/Release.gpg HTTP/1.1
    ...
    < HTTP/1.1 404 Not Found

Observed behaviour: Connection to upstream succeeds despite the hostname not matching the certificate. The error code is 404 due to Google not serving a Release.gpg from that location. Google was only used as an example, of course.

Expected behaviour: Connection to upstream fails due to a mismatching hostname and the client is returned a suitable error code (probably HTTP 500).

OpenSSL 1.0.2 and newer provide a set of APIs for easier hostname validation: https://wiki.openssl.org/index.php/Hostname_validation

Thank you,
Michael

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-38-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-cacher-ng depends on:
ii  adduser                 3.113+nmu3ubuntu4
ii  debconf [debconf-2.0]   1.5.58ubuntu1
ii  dpkg                    1.18.4ubuntu1.1
ii  init-system-helpers     1.29ubuntu2
ii  libbz2-1.0              1.0.6-8
ii  libc6                   2.23-0ubuntu3
ii  libgcc1                 1:6.0.1-0ubuntu1
ii  liblzma5                5.1.1alpha+20120614-2ubuntu2
ii  libssl1.0.0             1.0.2g-1ubuntu4.5
ii  libstdc++6              5.4.0-6ubuntu1~16.04.2
ii  libsystemd0             229-4ubuntu10
ii  libwrap0                7.6.q-25
ii  zlib1g                  1:1.2.8.dfsg-2ubuntu4

apt-cacher-ng recommends no packages.

Versions of packages apt-cacher-ng suggests:
pn  avahi-daemon  <none>
pn  doc-base      <none>
ii  libfuse2      2.9.4-1ubuntu3.1
--- End Message ---
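The check the report above says is missing, written out as an added example (this is not apt-cacher-ng's code and not the reporter's): once the chain has verified, the proxy must still compare the name it dialled against the certificate's subjectAltName dNSName/iPAddress entries (falling back to the CN only for certificates with no DNS SANs), following the RFC 6125 matching rules. The certificate dicts are constructed here in the layout Python's ssl.SSLSocket.getpeercert() returns, the names in them are made up, and the function names (verify_hostname, upstream_context, is_valid_for) are mine. The upstream_context helper shows the same bug in Python terms: a client context with the chain checked but check_hostname switched off accepts any valid certificate for any name, which is exactly what the /etc/hosts redirection in the report exploits. The OpenSSL-level equivalent of the fix, which the wiki page the reporter links describes, is X509_VERIFY_PARAM_set1_host() on the connection's verify parameters.

```python
"""Hostname verification for a proxy's outgoing TLS connection.

Added example, not apt-cacher-ng's code. Certificate dicts follow the
layout of ssl.SSLSocket.getpeercert(); all names in them are constructed.
"""
import ipaddress
import ssl


class HostnameMismatch(Exception):
    """The presented certificate is not issued for the hostname we dialled."""


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (or CN) pattern against a hostname.

    RFC 6125 section 6.4.3 rules: case-insensitive; a single '*' is accepted
    only as the whole left-most label, never matches across a dot, and must
    leave at least two fixed labels ('*.example.org' is fine, '*.org' and
    'f*o.example.org' are rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return plabels[1:] == hlabels[1:]


def verify_hostname(cert: dict, hostname: str) -> None:
    """Raise HostnameMismatch unless `cert` is valid for `hostname`.

    An IP literal is compared only against iPAddress SANs. A DNS name is
    compared against dNSName SANs; the CN is consulted only when the
    certificate carries no dNSName SAN at all (legacy certificates).
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    if ip is not None:
        for kind, value in san:
            try:
                if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                    return
            except ValueError:  # malformed SAN entry: never a match
                continue
        raise HostnameMismatch(f"no iPAddress SAN for {hostname}")

    dns_names = [value for kind, value in san if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns_names.append(value)
    if any(_dns_pattern_matches(p, hostname) for p in dns_names):
        return
    raise HostnameMismatch(f"{hostname!r} matches none of {dns_names}")


def is_valid_for(cert: dict, hostname: str) -> bool:
    """Boolean wrapper around verify_hostname() for callers and tests."""
    try:
        verify_hostname(cert, hostname)
        return True
    except HostnameMismatch:
        return False


def upstream_context(check_hostname: bool) -> ssl.SSLContext:
    """Client-side context for the proxy's outgoing HTTPS connections.

    check_hostname=False reproduces the reported bug: the chain is still
    validated (CERT_REQUIRED) but any valid certificate for any name is
    accepted, so a DNS or /etc/hosts redirection to another TLS host passes.
    check_hostname=True is the fixed configuration.
    """
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = check_hostname
    return ctx


# Constructed certificate (getpeercert() layout) for a mirror, as it would be
# presented to a client that dialled "fakegoogle" via an /etc/hosts entry.
UPSTREAM_CERT = {
    "subject": ((("commonName", "mirror.example.org"),),),
    "subjectAltName": (("DNS", "mirror.example.org"),
                       ("DNS", "*.mirror.example.org"),
                       ("IP Address", "192.0.2.10")),
}

# Constructed legacy certificate with no SAN at all: CN fallback applies.
LEGACY_CN_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}

if __name__ == "__main__":
    for host in ("mirror.example.org", "deb.mirror.example.org", "fakegoogle"):
        print(host, "->", "ok" if is_valid_for(UPSTREAM_CERT, host) else "MISMATCH")
```

With the buggy context the redirected "fakegoogle" connection succeeds as long as the other host's certificate chains to a trusted CA; with the fixed one, or with verify_hostname() applied to the peer certificate, the same connection is refused, which is the "expected behaviour" the report asks for.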
--- Begin Message ---
Source: apt-cacher-ng
Source-Version: 1-1

We believe that the bug you reported is fixed in the latest version of apt-cacher-ng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch <[email protected]> (supplier of updated apt-cacher-ng package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 19 Oct 2016 22:14:15 +0200
Source: apt-cacher-ng
Binary: apt-cacher-ng
Architecture: source amd64
Version: 1-1
Distribution: unstable
Urgency: low
Maintainer: Eduard Bloch <[email protected]>
Changed-By: Eduard Bloch <[email protected]>
Description:
 apt-cacher-ng - caching proxy server for software repositories
Closes: 834755 839751
Changes:
 apt-cacher-ng (1-1) unstable; urgency=low
 .
   * New upstream version
     + Better TLS hostname checks (closes: #839751)
     + Making build reproducible again (closes: #834755)
Checksums-Sha1:
 af1d81fa15e1f34e3b041dff9f7b8846a24d73b6 2165 apt-cacher-ng_1-1.dsc
 98e860bcca1cf53064dd51c5d750bcce31440b6c 312120 apt-cacher-ng_1.orig.tar.xz
 16ace6cbbe19e16cf83df7ac1e4973479451bdf0 46872 apt-cacher-ng_1-1.debian.tar.xz
 16be349dbb370164c85d89d1e5436e12f0265974 2404446 apt-cacher-ng-dbgsym_1-1_amd64.deb
 20761ee3b2e206e78a2bd6f918a1663314f5d4cf 518736 apt-cacher-ng_1-1_amd64.deb
Checksums-Sha256:
 ee3e7b4f69ee6369b4f535aa4d00f911578cf99306ba5ee154cd6267ba68e33c 2165 apt-cacher-ng_1-1.dsc
 f8e6fee778b2e2fa37c99b1a398d1d7fe352a719e30f4c4a21323ce0558fa9d9 312120 apt-cacher-ng_1.orig.tar.xz
 887b130ab165c458556246146030ae2d48ef3df7f40806b3562333f428296aa3 46872 apt-cacher-ng_1-1.debian.tar.xz
 cb4e651d70706478412c44f7fac8ba5d1efb06a0f35dc2fc18f5dc0bfb1105a2 2404446 apt-cacher-ng-dbgsym_1-1_amd64.deb
 5d15843926b7d13d9e4f7d8f77c69ab6583d872097b8f084e8247ec0759e1dd6 518736 apt-cacher-ng_1-1_amd64.deb
Files:
 6a6d512116d8b3b6a4089666b5c15c7d 2165 net optional apt-cacher-ng_1-1.dsc
 16208bb9ee32c0c5df990b52279a6792 312120 net optional apt-cacher-ng_1.orig.tar.xz
 4d0bcc8919e8becb2bdee9be4b35cf86 46872 net optional apt-cacher-ng_1-1.debian.tar.xz
 b14cdbcbdca4a490e5377459cfefc52a 2404446 debug extra apt-cacher-ng-dbgsym_1-1_amd64.deb
 a5cbd1684bf0f7229ddbe393d8bfa1b9 518736 net optional apt-cacher-ng_1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJYB9XQAAoJEGl0DlyzX+w8OawQAKbXTFpnbfW2O1BFZ90ZDqgK
0NOQdMWLfNFSvU7RJROizteRFEefmWLg2YCudqvI0Nmv/aRE8Y5TXkRBgVUMEpXm
uNi2no43QhjMCib9WqmRXIVvSzu1b8G7TZmNNa5Mw3uBFlWiOTlNrSCBzV79mzQ+
VIw5jWfUm6FbHBm/6K7rNEVPh+XhGy9txEbXxxiITmLSPKe08mLB+TsLmZ8O212Z
m7DATJUxswwvvo/L7kVOuhKUurFiD4tM6WCvxr/hFBQNpeazAH7z5VTnSYC+tWFN
SLwlxxoGOfjzamb4SuySXF863g/GpeIeR8nKYCakn9zawZIAVzcecS8WGGsMjFEx
WWQWycA+xTbgb+qfZcDI3SqlfOurPzfxZhwiphlvMSHlO/ugW1tbbYjAu30fYaE4
y8zlD2LHc7+8tBH7ilHJ2vWnCosU0yEygjQA8wNMY+mfplBGlqtq/sn30ZUAodyR
SaHLjkWefSW5fdUe2VbziIK0pOU+XFzPIIWeavsZywu/OPaf5DyMCke8VczCQdiL
gER7P28FyyFcgdzytRjc3EBemnGwPf51B9+VjP3pP0NNOwd7Y3mEsusGGWFeICT3
N2wrJNqQCmxl27bE0jM+r9INIYTEtxS9QSMgGtRHyMBPm7qiADA647ZoiRAF1oMD
lJ819he/H9uDaeE3zE/u
=f57C
-----END PGP SIGNATURE-----
--- End Message ---

