On Mon, Aug 31, 2015 at 10:53:21am +0200, Ondřej Surý wrote:
> Hi security team and Thomas,
> 
> I propose following patch for libval14 in stable:
> 
> Index: validator/libval/val_dane.c
> ===================================================================
> --- validator/libval/val_dane.c (revision 8325)
> +++ validator/libval/val_dane.c (working copy)
> @@ -766,23 +766,6 @@
>                  break;
>  
>              case DANE_USE_TA_ASSERTION: /*2*/ {
> -                SSL_CTX *ctx = SSL_get_SSL_CTX(con);
> -                X509_STORE *store;
> -                *do_pathval = 0;
> -                if (store = X509_STORE_new()) {
> -                    X509 *tlsa_cert = NULL;
> -                    c = dane_cur->data;
> -                    tlsa_cert = d2i_X509(NULL, (const unsigned char
> **)&c, 
> -                                         dane_cur->datalen);
> -                    X509_STORE_add_cert(store, tlsa_cert);
> -                    SSL_CTX_set_cert_store(ctx, store);
> -                    if (SSL_get_verify_result(con) == X509_V_OK) {
> -                        val_log(context, LOG_INFO, "DANE:
> val_dane_match() success");
> -                        rv = VAL_DANE_NOERROR;
> -                        goto done;
> -                    }
> -                }
> -
>                  val_log(context, LOG_NOTICE, 
>                          "DANE: val_dane_check() for usage %d failed",
>                          dane_cur->usage);
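Review bot: the removed success path was unsound, so failing usage 2 outright is the safer direction: `SSL_get_verify_result(con)` returns the verification result cached when the handshake ran, and installing a fresh `X509_STORE` on the context afterwards with `SSL_CTX_set_cert_store` does not re-run path validation, so `X509_V_OK` there only reflected the ordinary PKIX outcome, not a DANE-TA match (the block also never checked `d2i_X509` for a NULL return and never freed `store`). With the block gone, though, `case DANE_USE_TA_ASSERTION: /*2*/` now falls straight through to the generic "val_dane_check() for usage %d failed" notice, which reads as a mismatch rather than a deliberately unsupported usage. Suggest a short comment at the case label, or a distinct log message, saying that DANE-TA (usage 2) is not supported in this version, so operators can distinguish the two when reading logs.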
> 
> 
> It will just make the DANE validation fail when the usage 2 scenario is
> encountered.

I noticed that you applied this patch in unstable closing #797470, but then you
reopened it. Does that mean that the patch is not enough?

> Unfortunately the code in 2.1 has diverted too much (API change), so we
> are not able to use the (possibly fixed) code from there.
> 
> I will also file a bug for irssi and kamailio to drop the libval usage
> and remove the dnsval library from Debian unless I have a strong
> promise from upstream that they will take care of the library.

It would maybe make sense to drop dnsval from jessie as well (though both irssi
and kamailio would need to be updated there too). Could you try to contact the
Release Team and see what they think about this?

Thanks
