tags 683927 + patch tags 683927 + pending thanks Dear maintainer,
I've prepared an NMU for libcloud (versioned as 0.5.0-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards. -- .''`. Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06 : :' : Debian GNU/Linux user, admin, and developer - http://www.debian.org/ `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `-
diff -Nru libcloud-0.5.0/debian/changelog libcloud-0.5.0/debian/changelog
--- libcloud-0.5.0/debian/changelog 2011-06-14 13:27:50.000000000 +0200
+++ libcloud-0.5.0/debian/changelog 2012-08-19 16:24:52.000000000 +0200
@@ -1,3 +1,14 @@
+libcloud (0.5.0-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * [SECURITY] Fix "CVE-2012-3446: MITM vulnerability in TLS/SSL certificates
+ verification": add patch
+ 0001-Fix-hostname-validation-in-the-SSL-verification-code.patch
+ taken from upstream git.
+ (Closes: #683927)
+
+ -- gregor herrmann <gre...@debian.org> Sun, 19 Aug 2012 16:24:16 +0200
+
 libcloud (0.5.0-1) unstable; urgency=low

 * New upstream release (Closes: #598463)
diff -Nru libcloud-0.5.0/debian/patches/0001-Fix-hostname-validation-in-the-SSL-verification-code.patch libcloud-0.5.0/debian/patches/0001-Fix-hostname-validation-in-the-SSL-verification-code.patch
--- libcloud-0.5.0/debian/patches/0001-Fix-hostname-validation-in-the-SSL-verification-code.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcloud-0.5.0/debian/patches/0001-Fix-hostname-validation-in-the-SSL-verification-code.patch 2012-08-19 16:24:07.000000000 +0200
@@ -0,0 +1,86 @@
+Bug-Debian: http://bugs.debian.org/683927
+Reviewed-by: gregor herrmann <gre...@debian.org>
+Last-Update: 2012-08-19
+Origin: https://github.com/apache/libcloud/commit/f2af5502dae3ac63e656dd1b7d5f29cc82ded401
+Comment: This is f2af550 from upstream git, minus the changes in the Changes
+ file and the version change in __init__.py, plus adjustments for offsets
+
+From f2af5502dae3ac63e656dd1b7d5f29cc82ded401 Mon Sep 17 00:00:00 2001
+From: Tomaž Muraus <to...@apache.org>
+Date: Thu, 2 Aug 2012 00:39:09 +0000
+Subject: [PATCH] Fix hostname validation in the SSL verification code
+ (CVE-2012-3446). Reported by researchers from the
+ University of Texas at Austin (Martin Georgiev, Suman Jana
+ and Vitaly Shmatikov). For more info, see
+ http://libcloud.apache.org/security.html.
+
+--- a/libcloud/httplib_ssl.py
++++ b/libcloud/httplib_ssl.py
+@@ -115,13 +115,8 @@
+ # replace * with alphanumeric and dash
+ # replace . with literal .
+ valid_patterns = [
+- re.compile(
+- pattern.replace(
+- r".", r"\."
+- ).replace(
+- r"*", r"[0-9A-Za-z]+"
+- )
+- )
++ re.compile('^' + pattern.replace(r".", r"\.") \
++ .replace(r"*", r"[0-9A-Za-z]+") + '$')
+ for pattern
+ in (set(common_name) | set(alt_names))
+ ]
+--- a/test/test_httplib_ssl.py
++++ b/test/test_httplib_ssl.py
+@@ -44,16 +44,49 @@
+ 'subjectAltName': ((('DNS', 'foo.alt.name')),
+ (('DNS', 'foo.alt.name.1')))}
+
++ cert3 = {'notAfter': 'Feb 16 16:54:50 2013 GMT',
++ 'subject': ((('countryName', 'US'),),
++ (('stateOrProvinceName', 'Delaware'),),
++ (('localityName', 'Wilmington'),),
++ (('organizationName', 'Python Software Foundation'),),
++ (('organizationalUnitName', 'SSL'),),
++ (('commonName', 'python.org'),))}
++
+ self.assertFalse(self.httplib_object._verify_hostname(
+ hostname='invalid', cert=cert1))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='machine.python.org', cert=cert1))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='foomachine.python.org', cert=cert1))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='somesomemachine.python.org', cert=cert1))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='somemachine.python.orga', cert=cert1))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='somemachine.python.org.org', cert=cert1))
+ self.assertTrue(self.httplib_object._verify_hostname(
+ hostname='somemachine.python.org', cert=cert1))
+
+ self.assertFalse(self.httplib_object._verify_hostname(
+ hostname='invalid', cert=cert2))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='afoo.alt.name.1', cert=cert2))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='a.foo.alt.name.1', cert=cert2))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='foo.alt.name.1.2', cert=cert2))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='afoo.alt.name.1.2', cert=cert2))
+ self.assertTrue(self.httplib_object._verify_hostname(
+ hostname='foo.alt.name.1', cert=cert2))
+
++ self.assertTrue(self.httplib_object._verify_hostname(
++ hostname='python.org', cert=cert3))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='opython.org', cert=cert3))
++ self.assertFalse(self.httplib_object._verify_hostname(
++ hostname='ython.org', cert=cert3))
++
+ def test_get_subject_alt_names(self):
+ cert1 = {'notAfter': 'Feb 16 16:54:50 2013 GMT',
+ 'subject': ((('countryName', 'US'),),
diff -Nru libcloud-0.5.0/debian/patches/series libcloud-0.5.0/debian/patches/series
--- libcloud-0.5.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libcloud-0.5.0/debian/patches/series 2012-08-19 16:09:56.000000000 +0200
@@ -0,0 +1 @@
+0001-Fix-hostname-validation-in-the-SSL-verification-code.patch
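Review bot: The character class that replaces `*` in the new `re.compile` line of the httplib_ssl.py hunk still omits `-`, although the context comment two lines above says "alphanumeric and dash", so a wildcard name will not match a hyphenated label such as `my-host` (this fails closed, but it is a functional mismatch between comment and code). The new line also escapes only `.` and `*` by hand, so any other regex metacharacter present in a certificate name is interpreted as pattern syntax; escaping the whole name first and then substituting the wildcard is the robust form, e.g. `re.compile('^' + re.escape(pattern).replace(r'\*', '[0-9A-Za-z-]+') + '$')`. Note that `$` also matches before a trailing newline, so `\Z` is the stricter end anchor if the hostname can arrive untrimmed. None of the added cases in test_httplib_ssl.py exercises a wildcard against a hyphenated label or a name containing other metacharacters, which would be worth adding next to the new anchoring cases. The enclosing `_verify_hostname` starts and ends outside the hunk.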