Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

The 2.1.8 release is a security fix that addresses a vulnerability
found in the previous release.

Debdiff from the current version in testing 2.1.7-3 is attached.

No changes other than the fix for the vulnerability are part of the new
release. The upstream changelog entry for the release (as can be seen
in the attached debdiff) is:

2.1.8-1
- Security fix to verify certificates properly (EGI RT #12276):
  - Treat untrusted certificates properly in proxy_verify_cert_chain()
  - Override only openssl errors relevant to X.509 handling

        Mattias
diff -Nru canl-c-2.1.7/ChangeLog canl-c-2.1.8/ChangeLog
--- canl-c-2.1.7/ChangeLog	2016-08-19 10:20:47.000000000 +0200
+++ canl-c-2.1.8/ChangeLog	2017-02-23 22:16:26.000000000 +0100
@@ -135,3 +135,7 @@
 2.1.7-1
 - Quick fix to prevent RFC Proxy DN forgery (RT #11476)
 
+2.1.8-1
+- Security fix to verify certificates properly (EGI RT #12276):
+  - Treat untrusted certificates properly in proxy_verify_cert_chain()
+  - Override only openssl errors relevant to X.509 handling
diff -Nru canl-c-2.1.7/debian/changelog canl-c-2.1.8/debian/changelog
--- canl-c-2.1.7/debian/changelog	2016-12-23 15:14:18.000000000 +0100
+++ canl-c-2.1.8/debian/changelog	2017-03-22 15:56:11.000000000 +0100
@@ -1,3 +1,9 @@
+canl-c (2.1.8-1) unstable; urgency=medium
+
+  * Update to version 2.1.8
+
+ -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 22 Mar 2017 15:56:11 +0100
+
 canl-c (2.1.7-3) unstable; urgency=medium
 
   * Reverse the order of conditional dependencies
diff -Nru canl-c-2.1.7/debian/control canl-c-2.1.8/debian/control
--- canl-c-2.1.7/debian/control	2016-12-23 15:13:43.000000000 +0100
+++ canl-c-2.1.8/debian/control	2017-03-22 15:56:11.000000000 +0100
@@ -4,7 +4,7 @@
 Maintainer: Mattias Ellert <mattias.ell...@physics.uu.se>
 Build-Depends: debhelper, bison, flex, libc-ares-dev, libkrb5-dev, libssl1.0-dev | libssl-dev (<< 1.1), libtool, libtool-bin, pkg-config, texlive-fonts-recommended, texlive-latex-extra, texlive-latex-recommended
 Standards-Version: 3.9.8
-Homepage: http://www.eu-emi.eu/
+Homepage: https://github.com/CESNET/canl-c
 
 Package: libcanl-c2
 Section: libs
diff -Nru canl-c-2.1.7/debian/copyright canl-c-2.1.8/debian/copyright
--- canl-c-2.1.7/debian/copyright	2016-08-25 11:30:50.000000000 +0200
+++ canl-c-2.1.8/debian/copyright	2017-03-22 15:54:02.000000000 +0100
@@ -1,7 +1,7 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: canl-c
 Upstream-Contact: CESNET Product Teams <emi...@metacentrum.cz>
-Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.7.tar.gz
+Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.8.tar.gz
 
 Files: *
 Copyright: 2004-2011 Members of the EGEE Collaboration
@@ -26,7 +26,7 @@
  PURPOSE.
 
 Files: debian/*
-Copyright: 2013-2016 Mattias Ellert
+Copyright: 2013-2017 Mattias Ellert
 License: Apache-2.0
 
 License: Apache-2.0
diff -Nru canl-c-2.1.7/project/version.properties canl-c-2.1.8/project/version.properties
--- canl-c-2.1.7/project/version.properties	2016-08-19 10:20:47.000000000 +0200
+++ canl-c-2.1.8/project/version.properties	2017-02-23 22:16:26.000000000 +0100
@@ -1,3 +1,3 @@
 # $Header:
-module.version=2.1.7
+module.version=2.1.8
 module.age=1
diff -Nru canl-c-2.1.7/src/proxy/sslutils.c canl-c-2.1.8/src/proxy/sslutils.c
--- canl-c-2.1.7/src/proxy/sslutils.c	2016-08-19 10:20:46.000000000 +0200
+++ canl-c-2.1.8/src/proxy/sslutils.c	2017-02-23 22:16:26.000000000 +0100
@@ -1934,20 +1934,7 @@
                  }
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-        case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
-          /*
-           * OpenSSL 1.0 causes the cert to be added twice to 
-           * the store.
-           */
-          if (proxy_check_proxy_name(ctx->cert) && 
-              !X509_cmp(ctx->cert, ctx->current_cert))
-            ok = 1;
-          break;
-#endif
-
         case X509_V_ERR_INVALID_CA:
-        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
           /*
            * This may happen since proxy issuers are not CAs
            */
@@ -1966,14 +1953,6 @@
           }
           break;
 
-        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
-        case X509_V_ERR_CERT_UNTRUSTED:
-          if (proxy_check_proxy_name(ctx->current_cert) > 0) {
-            /* Server side, needed to fully recognize a proxy. */
-            ok = 1;
-          }
-          break;
-
 #ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
         case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
           /* Proxies ARE allowed */
@@ -2291,50 +2270,26 @@
     X509_STORE *                        cert_store = NULL;
     X509_LOOKUP *                       lookup = NULL;
     X509_STORE_CTX                      csc;
-    X509 *                              xcert = NULL;
-    X509 *                              scert = NULL;
     int cscinitialized = 0;
 
-    scert = ucert;
+    if (cert_chain == NULL)
+        goto err;
+
+    if (ucert == NULL)
+        ucert = sk_X509_value(cert_chain, 0);
+
     if(!(cert_store = X509_STORE_new())){
        goto err;
     }
     X509_STORE_set_verify_cb_func(cert_store, proxy_verify_callback);
-    if (cert_chain != NULL)
-    {
-        int i =0;
-        for (i=0;i<sk_X509_num(cert_chain);i++)
-        {
-            xcert = sk_X509_value(cert_chain,i);
-            if (!scert)
-            {
-                scert = xcert;
-            }
-            else
-            {
-                int j = X509_STORE_add_cert(cert_store, xcert);
-                if (!j)
-                {
-                    if ((ERR_GET_REASON(ERR_peek_error()) ==
-                         X509_R_CERT_ALREADY_IN_HASH_TABLE))
-                    {
-                        ERR_clear_error();
-                        break;
-                    }
-                    else
-                    {
-                        /*DEE need errprhere */
-                        goto err;
-                    }
-                }
-            }
-        }
-    }
-    if ((lookup = X509_STORE_add_lookup(cert_store,
-                                        X509_LOOKUP_hash_dir())))
+
+    lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir());
+    if (lookup == NULL)
+        goto err;
+
     {
         X509_LOOKUP_add_dir(lookup,pvd->pvxd->certdir,X509_FILETYPE_PEM);
-        X509_STORE_CTX_init(&csc,cert_store,scert,NULL);
+        X509_STORE_CTX_init(&csc, cert_store, ucert, cert_chain);
         cscinitialized = 1;
 #if SSLEAY_VERSION_NUMBER >=  0x0090600fL
         /* override the check_issued with our version */
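Review bot: The return values of `X509_LOOKUP_add_dir()` and of the new `X509_STORE_CTX_init(&csc, cert_store, ucert, cert_chain)` call are ignored, and `cscinitialized = 1` is set whether or not the context was actually initialised. Because this is the setup for the chain verification, a failed init should stop here rather than continue into the verify step: `if (!X509_STORE_CTX_init(&csc, cert_store, ucert, cert_chain)) goto err;`, with `cscinitialized = 1;` set only after it succeeds. Separately, `sk_X509_value(cert_chain, 0)` returns NULL for an empty stack, so `ucert` can still be NULL after the new fallback; an explicit `if (ucert == NULL) goto err;` would make that case fail closed by construction instead of relying on how OpenSSL treats a context with no certificate set. The function starts and ends outside the hunk, so what the `err` path does with `cscinitialized` is not visible here.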

Attachment: signature.asc
Description: This is a digitally signed message part
