Daniel,

On Wed, Mar 01, 2023 at 08:35:22PM +0100, Salvatore Bonaccorso wrote:
> Daniel,
>
> On Wed, Mar 01, 2023 at 01:18:11PM -0500, Daniel Kahn Gillmor wrote:
> > On Wed 2023-03-01 12:52:58 +0100, Salvatore Bonaccorso wrote:
> > > Yes it does, thank you. So even though that's a bit of a borderline case
> > > (mean with it as with the vpn service case, where you have
> > > authenticated users, but you might not entirely trust the entities)
> > > let's release a DSA for it. Can you prepare a final debdiff for a
> > > quick review for bullseye-security?
> >
> > Sure, a proposed final debdiff is attached. The code is also in the
> > debian/bullseye branch on https://salsa.debian.org/debian/libreswan.
> >
> > Please let me know if you think anything else should be done
> > differently.
> >
> > Thanks for keeping an eye on this, Salvatore!
>
> Thanks to you actually. Looks good to me, please do upload.

Were you able to test the change? I think there is still a problem in
fact, not noticing earlier, as debdiff looked fine changewise:

The package FTBFS everywhere:

cc -DTimeZoneOffset=timezone -Dlinux -D_GNU_SOURCE -pthread -std=gnu99 -g -Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations -Wredundant-decls -Wnested-externs -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE -DNSS_IPSEC_PROFILE -DXFRM_LIFETIME_DEFAULT=30 -DUSE_IKEv1 -DXFRM_SUPPORT -DUSE_XFRM_INTERFACE -DUSE_DNSSEC -DDEFAULT_DNSSEC_ROOTKEY_FILE=\"/usr/share/dns/root.key\" -DHAVE_LABELED_IPSEC -DLIBCURL -DUSE_LINUX_AUDIT -DUSE_SYSTEMD_WATCHDOG -DLIBLDAP -DHAVE_NM -DAUTH_HAVE_PAM -DUSE_3DES -DUSE_AES -DUSE_CAMELLIA -DUSE_CHACHA -DUSE_DH31 -DUSE_MD5 -DUSE_SHA1 -DUSE_SHA2 -DUSE_PRF_AES_XCBC -DUSE_NSS_KDF -DDEFAULT_RUNDIR=\"/run/pluto\" -DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/var/lib/ipsec/nss\" -DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" -DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DFORCE_PR_ASSERT -DUSE_FORK=1 -DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT -DHAVE_LIBCAP_NG \
        -I. -I../../OBJ.linux.amd64/programs/pluto -I../../include -I/usr/include/nss -I/usr/include/nspr -I/<<PKGBUILDDIR>>/programs/pluto/linux-copy \
        -DHERE_BASENAME=\"ikev2_ts.c\" -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security \
        -MF ../../OBJ.linux.amd64/programs/pluto/ikev2_ts.d \
        -MP -MMD -MT ikev2_ts.o \
        -o ../../OBJ.linux.amd64/programs/pluto/ikev2_ts.o \
        -c /<<PKGBUILDDIR>>/programs/pluto/ikev2_ts.c
cc -DTimeZoneOffset=timezone -Dlinux -D_GNU_SOURCE -pthread -std=gnu99 -g -Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations -Wredundant-decls -Wnested-externs -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE -DNSS_IPSEC_PROFILE -DXFRM_LIFETIME_DEFAULT=30 -DUSE_IKEv1 -DXFRM_SUPPORT -DUSE_XFRM_INTERFACE -DUSE_DNSSEC -DDEFAULT_DNSSEC_ROOTKEY_FILE=\"/usr/share/dns/root.key\" -DHAVE_LABELED_IPSEC -DLIBCURL -DUSE_LINUX_AUDIT -DUSE_SYSTEMD_WATCHDOG -DLIBLDAP -DHAVE_NM -DAUTH_HAVE_PAM -DUSE_3DES -DUSE_AES -DUSE_CAMELLIA -DUSE_CHACHA -DUSE_DH31 -DUSE_MD5 -DUSE_SHA1 -DUSE_SHA2 -DUSE_PRF_AES_XCBC -DUSE_NSS_KDF -DDEFAULT_RUNDIR=\"/run/pluto\" -DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/var/lib/ipsec/nss\" -DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" -DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DFORCE_PR_ASSERT -DUSE_FORK=1 -DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT -DHAVE_LIBCAP_NG \
        -I. -I../../OBJ.linux.amd64/programs/pluto -I../../include -I/usr/include/nss -I/usr/include/nspr -I/<<PKGBUILDDIR>>/programs/pluto/linux-copy \
        -DHERE_BASENAME=\"ikev2_msgid.c\" -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security \
        -MF ../../OBJ.linux.amd64/programs/pluto/ikev2_msgid.d \
        -MP -MMD -MT ikev2_msgid.o \
        -o ../../OBJ.linux.amd64/programs/pluto/ikev2_msgid.o \
        -c /<<PKGBUILDDIR>>/programs/pluto/ikev2_msgid.c
/<<PKGBUILDDIR>>/programs/pluto/ikev2_ts.c: In function ‘v2_parse_ts’:
/<<PKGBUILDDIR>>/programs/pluto/ikev2_ts.c:425:4: error: implicit declaration of function ‘llog_diag’; did you mean ‘log_diag’? [-Werror=implicit-function-declaration]
  425 |    llog_diag(RC_LOG, logger, &d, "%s", "");
      |    ^~~~~~~~~
      |    log_diag
/<<PKGBUILDDIR>>/programs/pluto/ikev2_ts.c:425:4: error: nested extern declaration of ‘llog_diag’ [-Werror=nested-externs]

I have rejected the current package so we can re-use the version later
on, when this is fixed.

Regards,
Salvatore