Package: net-snmp Version: 5.7.3+dfsg-1.6 Severity: normal Tags: patch pending
Dear maintainer, I've prepared an NMU for net-snmp (versioned as 5.7.3+dfsg-1.7). The diff is attached to this message. Regards. diff -Nru net-snmp-5.7.3+dfsg/debian/changelog net-snmp-5.7.3+dfsg/debian/changelog --- net-snmp-5.7.3+dfsg/debian/changelog 2017-01-14 08:40:05.000000000 +0000 +++ net-snmp-5.7.3+dfsg/debian/changelog 2017-01-24 20:16:23.000000000 +0000 @@ -1,3 +1,22 @@ +net-snmp (5.7.3+dfsg-1.7) unstable; urgency=medium + + [ Niels Thykier ] + * Non-maintainer upload with the following changes from + other people. + + [ Sebastian Andrzej Siewior ] + * drop dep on libssl1.0-dev in the dev package. (Closes: #851946) + * add a guard to catch users of the wrong library + * remove "-lcrypto" from the pkg-config when linking statically. + This is technical suboptimal and should ideally be reverted + for buster (when all packages migrate to the same ssl version). + + [ Adrian Bunk ] + * Re-able "pie" hardening as its absence is causing issues for + reverse dependencies. (Closes: #852023) + + -- Niels Thykier <[email protected]> Tue, 24 Jan 2017 20:16:23 +0000 + net-snmp (5.7.3+dfsg-1.6) unstable; urgency=medium * Non-maintainer upload. diff -Nru net-snmp-5.7.3+dfsg/debian/control net-snmp-5.7.3+dfsg/debian/control --- net-snmp-5.7.3+dfsg/debian/control 2017-01-14 08:18:58.000000000 +0000 +++ net-snmp-5.7.3+dfsg/debian/control 2017-01-24 19:53:24.000000000 +0000 @@ -120,7 +120,7 @@ Provides: libsnmp9-dev Conflicts: libsnmp9-dev, libsnmp15-dev, snmp (<< 5.4~dfsg) Breaks: libsnmp-base (<< 5.7.2~dfsg-8.1~) -Depends: libc6-dev, libsnmp30 (=${binary:Version}), libwrap0-dev, libssl1.0-dev | libssl-dev (<< 1.1), procps, +Depends: libc6-dev, libsnmp30 (=${binary:Version}), libwrap0-dev, procps, libkvm-dev [kfreebsd-any], libsensors4-dev [linux-any], ${misc:Depends}, libpci-dev Description: SNMP (Simple Network Management Protocol) development files diff -Nru net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch --- net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch 1970-01-01 00:00:00.000000000 +0000 +++ net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch 2017-01-24 19:53:24.000000000 +0000 @@ -0,0 +1,22 @@ +Subject: drop lcrypto from NSC_LNETSNMPLIBS + +The -lcrypto in NSC_LNETSNMPLIBS shouldn't be required for most compiles. It +will break static linking but usually don't do this. +The main reason for this is to avoid pullin in libssl's dev package in. + +Signed-of-by: Sebastian Andrzej Siewior <[email protected]> +--- + net-snmp-config.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net-snmp-config.in ++++ b/net-snmp-config.in +@@ -49,7 +49,7 @@ datarootdir=@datarootdir@ + NSC_LDFLAGS="@LDFLAGS@" + + NSC_LIBS="@LIBS@" +-NSC_LNETSNMPLIBS="@LNETSNMPLIBS@" ++NSC_LNETSNMPLIBS="" #"@LNETSNMPLIBS@" + NSC_LAGENTLIBS="@LAGENTLIBS@ @PERLLDOPTS_FOR_APPS@" + NSC_LMIBLIBS="@LMIBLIBS@" + diff -Nru net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch --- net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch 1970-01-01 00:00:00.000000000 +0000 +++ net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch 2017-01-24 19:53:24.000000000 +0000 @@ -0,0 +1,24 @@ +Subject: Ensure correct openssl version + +The dev package does not depend on openssl headers which means 1.0.2 and 1.1.0 +can be installed. If cert_util.h functionality is used by 3rd party then it +should be ensured that it is linked and compiled against 1.0.2. + +Signed-off-by: Sebastian Andrzej Siewior <[email protected]> +--- + include/net-snmp/library/cert_util.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/include/net-snmp/library/cert_util.h ++++ b/include/net-snmp/library/cert_util.h +@@ -9,6 +9,10 @@ + #error "must include <openssl/x509.h> before cert_util.h" + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000 ++#error This needs to be compiled against openssl 1.0.2. ++#endif ++ + #ifdef __cplusplus + extern "C" { + #endif diff -Nru net-snmp-5.7.3+dfsg/debian/patches/series net-snmp-5.7.3+dfsg/debian/patches/series --- net-snmp-5.7.3+dfsg/debian/patches/series 2016-09-02 14:26:20.000000000 +0000 +++ net-snmp-5.7.3+dfsg/debian/patches/series 2017-01-24 19:53:24.000000000 +0000 @@ -32,3 +32,5 @@ fix_engineid_reprobe.diff 0001-Remove-U64-typedef.patch 0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch +ensure_correct_openssl_version.patch +drop_lcrypto_from_NSC_LNETSNMPLIBS.patch diff -Nru net-snmp-5.7.3+dfsg/debian/rules net-snmp-5.7.3+dfsg/debian/rules --- net-snmp-5.7.3+dfsg/debian/rules 2016-06-20 08:36:05.000000000 +0000 +++ net-snmp-5.7.3+dfsg/debian/rules 2017-01-24 20:03:32.000000000 +0000 @@ -1,9 +1,7 @@ #!/usr/bin/make -f #export DH_VERBOSE=1 -# TODO -# without -pie build fails during perl module build somehow... -export DEB_BUILD_MAINT_OPTIONS := hardening=+all,-pie +export DEB_BUILD_MAINT_OPTIONS := hardening=+all DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) LIB_VERSION = 30
