Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1129707,
regarding trixie-pu: package ckermit/416~beta12-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129707: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129707
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:ckermit
User: [email protected]
Usertags: pu

  * CVE-2025-68920: Block remote control of the local kermit by default.
    Closes: #1123025
  * Permanently disable OpenSSL version check.  Closes: #1118629.

The OpenSSL version check is currently a problem for the trixie
package in trixie.
diffstat for ckermit-416~beta12 ckermit-416~beta12

 NEWS                          |   11 ++++
 changelog                     |   11 ++++
 patches/openssl-check-disable |   85 ++++++++++++++++++++++++++++++++++
 patches/remote-security.patch |  104 ++++++++++++++++++++++++++++++++++++++++++
 patches/series                |    2 
 5 files changed, 213 insertions(+)

diff -Nru ckermit-416~beta12/debian/changelog 
ckermit-416~beta12/debian/changelog
--- ckermit-416~beta12/debian/changelog 2025-04-05 07:59:58.000000000 +0300
+++ ckermit-416~beta12/debian/changelog 2026-03-04 19:30:35.000000000 +0200
@@ -1,3 +1,14 @@
+ckermit (416~beta12-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ John Goerzen ]
+  * CVE-2025-68920: Block remote control of the local kermit by default.
+    Closes: #1123025
+  * Permanently disable OpenSSL version check.  Closes: #1118629.
+
+ -- Adrian Bunk <[email protected]>  Wed, 04 Mar 2026 19:30:35 +0200
+
 ckermit (416~beta12-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru ckermit-416~beta12/debian/NEWS ckermit-416~beta12/debian/NEWS
--- ckermit-416~beta12/debian/NEWS      1970-01-01 02:00:00.000000000 +0200
+++ ckermit-416~beta12/debian/NEWS      2026-03-04 19:30:35.000000000 +0200
@@ -0,0 +1,11 @@
+ckermit (416~beta12-1+deb13u1) trixie; urgency=medium
+
+  The default permissions have changed such that a remote kermit can no longer
+  turn around a connection and control a local kermit.  Furthermore, the 
default
+  settings no longer permits overwriting a local file.  Both address security
+  vulnerabilities.
+
+  For further information, including information on restoring previous 
defaults,
+  see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025
+
+ -- John Goerzen <[email protected]>  Mon, 15 Dec 2025 19:11:21 -0600
diff -Nru ckermit-416~beta12/debian/patches/openssl-check-disable 
ckermit-416~beta12/debian/patches/openssl-check-disable
--- ckermit-416~beta12/debian/patches/openssl-check-disable     1970-01-01 
02:00:00.000000000 +0200
+++ ckermit-416~beta12/debian/patches/openssl-check-disable     2026-03-04 
19:30:35.000000000 +0200
@@ -0,0 +1,85 @@
+--- a/ck_ssl.c
++++ b/ck_ssl.c
+@@ -1529,82 +1529,6 @@
+     debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_CFLAGS),0);
+     debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_PLATFORM),0);
+ 
+-    /* The following test is suggested by Richard Levitte */
+-    /* if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f) */
+-    /* Modified by Adam Friedlander for OpenSSL >= 1.0.0 */
+-    if (OPENSSL_VERSION_NUMBER > SSLeay()
+-         || ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & COMPAT_VERSION_MASK)
+-#ifdef OS2
+-/* DG 2024-08-05: Not sure what the point of this was. Presumably the goal was
+- *    to prevent updated OpenSSL libraries from being used, though why you'd
+- *    want to do that I'm not sure. Might have been to do with how Kermit 95s
+- *    SSH code was built way back in the early 2000s I guess. Today Kermit 95s
+- *    use of OpenSSL is largely the same as how C-Kermit uses it on other
+- *    platforms so I don't see any reason to treat it differently here.
+-         || ckstrcmp(OPENSSL_VERSION_TEXT,(char 
*)SSLeay_version(SSLEAY_VERSION),-1,1)
+-*/
+-#endif /* OS2 */
+-         ) {
+-        ssl_installed = 0;
+-        debug(F111,"OpenSSL Version does not match.  Built with",
+-               SSLeay_version(SSLEAY_VERSION),SSLEAY_VERSION_NUMBER);
+-        printf("?OpenSSL libraries do not match required version:\r\n");
+-        printf("  . C-Kermit built with %s\r\n",OPENSSL_VERSION_TEXT);
+-        printf("  . Version found  %s\r\n",SSLeay_version(SSLEAY_VERSION));
+-#ifdef OPENSSL_100
+-      printf("  OpenSSL versions 1.0.0 or newer must be the same\r\n");
+-      printf("  major and minor version number, and Kermit may not\r\n");
+-      printf("  be used with a version of OpenSSL older than the one\r\n");
+-      printf("  supplied at compile time.\r\n");
+-#else
+-        printf("  OpenSSL versions prior to 1.0.0 must be the same.\r\n");
+-#endif /* OPENSSL_100 */
+-
+-      s = "R";
+-#ifdef SOLARIS
+-      printf("  Set CD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+-      s = " Or r";
+-#endif        /* SOLARIS */
+-
+-#ifdef HPUX
+-      printf("  Set SHLIB_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+-      s = " Or r";
+-#endif        /* HPUX */
+-
+-#ifdef AIX
+-      printf("  Set LIBPATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+-      s = " Or r";
+-#endif        /* AIX */
+-
+-#ifdef LINUX
+-      printf("  Set LD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+-      s = " Or r";
+-#endif        /* LINUX */
+-
+-        printf(" %sebuild C-Kermit from source on this computer to make \
+-versions agree.\r\n",s);
+-
+-#ifdef KTARGET
+-      {
+-          char * s;
+-          s = KTARGET;
+-          if (!s) s = "";
+-          if (!*s) s = "(unknown)";
+-          printf("  C-Kermit makefile target: %s\r\n",s);
+-      }
+-#endif        /* KTARGET */
+-        printf("  Or if that is what you did then try to find out why\r\n");
+-        printf("  the program loader (image activator) is choosing a\r\n");
+-        printf("  different OpenSSL library than the one specified in \
+-the build.\r\n\r\n");
+-        printf("  All SSL/TLS features disabled.\r\n\r\n");
+-        bleep(BP_FAIL);
+-#ifdef SSLDLL
+-        ck_ssl_unloaddll();
+-        ck_crypto_unloaddll();
+-#endif /* SSLDLL */
+-        return;
+-    }
+ #endif /* OS2ONLY */
+ 
+     /* init things so we will get meaningful error messages
diff -Nru ckermit-416~beta12/debian/patches/remote-security.patch 
ckermit-416~beta12/debian/patches/remote-security.patch
--- ckermit-416~beta12/debian/patches/remote-security.patch     1970-01-01 
02:00:00.000000000 +0200
+++ ckermit-416~beta12/debian/patches/remote-security.patch     2026-03-04 
19:30:35.000000000 +0200
@@ -0,0 +1,104 @@
+Description: Fix remote security hole
+Author: John Goerzen <[email protected]>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025
+Last-Update: 2025-12-15
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+Fix insecure defaults
+
+This can lead to data exfiltration and compromise
+
+Further information at http://bugs.debian.org/1123025
+--- a/ckcmai.c
++++ b/ckcmai.c
+@@ -724,7 +724,7 @@
+ #ifdef VMS                              /* Default filename collision action 
*/
+     XYFX_X,                             /* REPLACE for VAX/VMS */
+ #else
+-    XYFX_B,                             /* BACKUP for everybody else */
++    XYFX_D,                             /* REJECT for everybody else */
+ #endif /* VMS */
+ 
+ #ifdef OS2                              /* Flag for file name conversion */
+@@ -1574,37 +1574,37 @@
+   only as initial (default) values.
+ */
+ int en_xit = 2;                         /* EXIT */
+-int en_cwd = 3;                         /* CD/CWD */
+-int en_cpy = 3;                         /* COPY   */
++int en_cwd = 2;                         /* CD/CWD */
++int en_cpy = 2;                         /* COPY   */
+ int en_del = 2;                         /* DELETE */
+-int en_mkd = 3;                         /* MKDIR */
++int en_mkd = 2;                         /* MKDIR */
+ int en_rmd = 2;                         /* RMDIR */
+-int en_dir = 3;                         /* DIRECTORY */
+-int en_fin = 3;                         /* FINISH */
+-int en_get = 3;                         /* GET */
++int en_dir = 2;                         /* DIRECTORY */
++int en_fin = 2;                         /* FINISH */
++int en_get = 2;                         /* GET */
+ #ifndef NOPUSH
+ int en_hos = 2;                         /* HOST enabled */
+ #else
+ int en_hos = 0;                         /* HOST disabled */
+ #endif /* NOPUSH */
+-int en_ren = 3;                         /* RENAME */
+-int en_sen = 3;                         /* SEND */
+-int en_set = 3;                         /* SET */
+-int en_spa = 3;                         /* SPACE */
+-int en_typ = 3;                         /* TYPE */
+-int en_who = 3;                         /* WHO */
++int en_ren = 2;                         /* RENAME */
++int en_sen = 2;                         /* SEND */
++int en_set = 2;                         /* SET */
++int en_spa = 2;                         /* SPACE */
++int en_typ = 2;                         /* TYPE */
++int en_who = 2;                         /* WHO */
+ #ifdef datageneral
+ /* Data General AOS/VS can't do this */
+ int en_bye = 0;                         /* BYE */
+ #else
+ int en_bye = 2;                         /* PCs in local mode... */
+ #endif /* datageneral */
+-int en_asg = 3;                         /* ASSIGN */
+-int en_que = 3;                         /* QUERY */
++int en_asg = 2;                         /* ASSIGN */
++int en_que = 2;                         /* QUERY */
+ int en_ret = 2;                         /* RETRIEVE */
+-int en_mai = 3;                         /* MAIL */
+-int en_pri = 3;                         /* PRINT */
+-int en_ena = 3;                         /* ENABLE */
++int en_mai = 2;                         /* MAIL */
++int en_pri = 2;                         /* PRINT */
++int en_ena = 2;                         /* ENABLE */
+ #else
+ int en_xit = 0, en_cwd = 0, en_cpy = 0, en_del = 0, en_mkd = 0, en_rmd = 0,
+     en_dir = 0, en_fin = 0, en_get = 0, en_hos = 0, en_ren = 0, en_sen = 0,
+--- a/ckuus2.c
++++ b/ckuus2.c
+@@ -4138,12 +4138,12 @@
+ "SET FILE COLLISION option",
+ "  Tells what to do when a file arrives that has the same name as",
+ "  an existing file.  The options are:",
+-"   BACKUP (default) - Rename the old file to a new, unique name and store",
++"   BACKUP - Rename the old file to a new, unique name and store",
+ "     the incoming file under the name it was sent with.",
+ "   OVERWRITE - Overwrite (replace) the existing file; doesn't work for",
+ "     a Kermit server unless you also tell it to ENABLE DELETE.",
+ "   APPEND - Append the incoming file to the end of the existing file.",
+-"   REJECT - Refuse and/or discard the incoming file (= DISCARD).",
++"   REJECT (default) - Refuse and/or discard the incoming file (= DISCARD).",
+ "   RENAME - Give the incoming file a unique name.",
+ "   UPDATE - Accept the incoming file only if newer than the existing file.",
+ " ",
+@@ -7929,7 +7929,7 @@
+ "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }",
+ "  enables/disables automatic switching into file-transfer mode when a 
Kermit",
+ "  or ZMODEM file transfer has been detected during CONNECT mode or while",
+-"  an INPUT command is active.  Default is OFF.",
++"  an INPUT command is active.  Default is ON.",
+ #else
+ "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }",
+ "  enables/disables automatic switching into file-transfer mode when a 
Kermit",
diff -Nru ckermit-416~beta12/debian/patches/series 
ckermit-416~beta12/debian/patches/series
--- ckermit-416~beta12/debian/patches/series    2025-04-05 07:59:58.000000000 
+0300
+++ ckermit-416~beta12/debian/patches/series    2026-03-04 19:30:35.000000000 
+0200
@@ -1,2 +1,4 @@
+openssl-check-disable
 ck_patch.patch
 cflags.patch
+remote-security.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to