Your message dated Fri, 10 Feb 2017 17:58:06 +0000
with message-id <[email protected]>
and subject line Re: Bug#854711: Unblocking package netkit-ftp-ssl, resolving 
#854460.
has caused the Debian Bug report #854711,
regarding unblock: netkit-ftp-ssl/0.17.34+0.2-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
854711: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854711
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
Tags: patch

Being the maintainer of netkit-ftp-ssl, I request an unblocking
of netkit-ftp-ssl in version 0.17.34+0.2-4. This upload successfully
resolves bug #854460 of severity 'important'.

The problem is interoperability with TLS-able FTP servers, like
Proftpd, which mandate that the data connection reuse the session
identity set by the control channel.

The presently available version in testing, 0.17.34+0.2-3, is
not able to fetch files or get listings with TLS protection due
to an accidental inactivation of function SSL_copy_session_id().
This is a legacy function, not documented in any manual page,
and only mentioned in one file 'ssleay.txt' of the openssl archive.

The debdiff reactivates this function call, which was commented
out by me due to a misunderstanding. In addition, it turns out
to be decisive to forbid the use of libssl in version 1.1 for
the binary package. The reason is that libssl (>= 1.1.0)
only succeeds in reusing the session identity a single time,
yes really a single time, with the present unintrusive and
long-used solution. Therefore I had to change the build
dependency to read

    libssl1.0-dev | libssl-dev (<< 1.1.0~)

Both changes are necessary and they also lead to a package that
can be built directly in Wheezy without any changes, allowing
trivial backporting.

The packages netkit-ftp-ssl, linux-ftpd-ssl and netkit-telnet-ssl
have seen substantial improvement for certificate verification
and identification for this Debian release, but only the binary
ftp-ssl is affected by the present issue.

Best regards,
  Mats Erik Andersson, DM
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/changelog 
netkit-ftp-ssl-0.17.34+0.2/debian/changelog
--- netkit-ftp-ssl-0.17.34+0.2/debian/changelog 2017-01-18 19:33:56.000000000 
+0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/changelog 2017-02-08 18:39:46.000000000 
+0100
@@ -1,3 +1,14 @@
+netkit-ftp-ssl (0.17.34+0.2-4) unstable; urgency=medium
+
+  * Correctly reuse SSL session identity in data connection.
+    This suffices for libssl1.0, not for libssl1.1.  (Closes: #854460)
+    + debian/patches/700_prefer_tls.diff: Reactivate commented out
+      function call to SSL_copy_session_id().
+    + debian/control: Prefer libssl1.0-dev and condition libssl-dev
+      on "<< 1.1.0~" for trivial backporting.
+
+ -- Mats Erik Andersson <[email protected]>  Wed, 08 Feb 2017 
18:39:46 +0100
+
 netkit-ftp-ssl (0.17.34+0.2-3) unstable; urgency=low
 
   * Allow verification mode to print additional details about the
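Review bot: the debian/control bullet in the new entry justifies the `libssl-dev (<< 1.1.0~)` condition only with "for trivial backporting", although the first bullet already records that the fix does not suffice for libssl1.1. Say in that bullet that the bound exists because session reuse fails with libssl 1.1, so a later maintainer does not relax it as a mere backporting convenience.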
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/control 
netkit-ftp-ssl-0.17.34+0.2/debian/control
--- netkit-ftp-ssl-0.17.34+0.2/debian/control   2017-01-10 15:37:21.000000000 
+0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/control   2017-02-08 18:30:50.000000000 
+0100
@@ -4,7 +4,7 @@
 Maintainer: Mats Erik Andersson <[email protected]>
 Uploaders: Alberto Gonzalez Iniesta <[email protected]>
 Standards-Version: 3.9.8
-Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, libssl-dev 
| libssl1.0-dev
+Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, 
libssl1.0-dev | libssl-dev (<< 1.1.0~)
 
 Package: ftp-ssl
 Architecture: any
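Review bot: the libssl 1.1 exclusion on the `Build-Depends` line is enforced only where build dependencies are actually resolved; a build run outside such a tool can still compile against libssl 1.1 headers and produce a binary that the changelog itself says is not fixed. Consider pairing this constraint with a compile-time guard in ftp.c, for example an `#error` under `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`.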
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff 
netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff
--- netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff       
2017-01-18 19:33:41.000000000 +0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff       
2017-02-08 15:39:49.000000000 +0100
@@ -23,7 +23,7 @@
  .
 Author: Mats Erik Andersson <[email protected]>
 Forwarded: no
-Last-Update: 2017-01-18
+Last-Update: 2017-02-07
 
 diff -Naurp netkit-ftp-0.17.debian/ftp/cmds.c netkit-ftp-0.17/ftp/cmds.c
 --- netkit-ftp-0.17.debian/ftp/cmds.c  2016-12-23 00:05:51.820239257 +0100
@@ -190,20 +190,8 @@
  .Xr ftpd 8 ,
 diff -Naurp netkit-ftp-0.17.debian/ftp/ftp.c netkit-ftp-0.17/ftp/ftp.c
 --- netkit-ftp-0.17.debian/ftp/ftp.c   2016-12-23 00:05:52.380213160 +0100
-+++ netkit-ftp-0.17/ftp/ftp.c  2017-01-18 19:19:27.145786765 +0100
-@@ -1672,7 +1672,10 @@ dataconn(const char *lmode)
-            * this quick assuming Eric has this going
-            * okay! ;-)
-            */
--          SSL_copy_session_id(ssl_data_con,ssl_con);
-+          /* MEA: Do not use deterministic session identities
-+           * in a subordinate connection.
-+           */
-+          //SSL_copy_session_id(ssl_data_con,ssl_con);
- 
-           /* we are doing I/O and not using select so 
-            * it is "safe" to read ahead
-@@ -1686,12 +1689,17 @@ dataconn(const char *lmode)
++++ netkit-ftp-0.17/ftp/ftp.c  2017-02-07 23:35:32.871433587 +0100
+@@ -1686,12 +1686,17 @@ dataconn(const char *lmode)
  
            if ((ret=SSL_connect(ssl_data_con))<=0) {
                  static char errbuf[1024];
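Review bot: no comment is left at the `SSL_copy_session_id(ssl_data_con,ssl_con);` call in `dataconn()` explaining why it must stay; with the MEA comment gone, only the original "assuming Eric has this going okay" remark surrounds it. Since this call has already been disabled once, add a short comment stating that the data connection has to reuse the control connection's session, and consider checking `SSL_session_reused(ssl_data_con)` after `SSL_connect()` succeeds so that a failed reuse is reported instead of surfacing only as a server-side refusal.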
@@ -224,7 +212,7 @@
                fflush(stderr);
  
                /* abort time methinks ... */
-@@ -2111,16 +2119,50 @@ printbytes(off_t bytes)
+@@ -2111,16 +2116,50 @@ printbytes(off_t bytes)
  }
  
  #ifdef USE_SSL
@@ -279,7 +267,7 @@
            }
            if (n == ERROR) {           /* do normal USER/PASS */
                printf("SSL not available\n");
-@@ -2133,6 +2175,31 @@ ssl_init(void)
+@@ -2133,6 +2172,31 @@ ssl_init(void)
                }
            } else if (n == CONTINUE || n == COMPLETE ) {
                /* do SSL */
@@ -311,7 +299,7 @@
                ssl_con=(SSL *)SSL_new(ssl_ctx);
                if (!ssl_con) {
                    ERR_print_errors_fp(stderr);
-@@ -2142,37 +2209,60 @@ ssl_init(void)
+@@ -2142,37 +2206,60 @@ ssl_init(void)
                SSL_set_fd(ssl_con,fileno(cout));
                set_ssl_trace(ssl_con);
  
@@ -381,7 +369,7 @@
                    fflush(stderr);
                    ssl_active_flag=1;
                }
-@@ -2187,6 +2277,8 @@ ssl_init(void)
+@@ -2187,6 +2274,8 @@ ssl_init(void)
                    fprintf(stderr, "Data connection security level 
refused.\n");
                    return ERROR;
                }

--- End Message ---
--- Begin Message ---
On Thu, Feb 09, 2017 at 07:28:55PM +0100, Mats Erik Andersson wrote:
> Being the maintainer of netkit-ftp-ssl, I request an unblocking
> of netkit-ftp-ssl in version 0.17.34+0.2-4. This upload successfully
> resolves bug #854460 of severity 'important'.

Unblocked, thanks.

-- 
Jonathan Wiltshire                                      [email protected]
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
