Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

dma currently uses the TLSv1_client_method() function, which means that it
only supports TLS 1.0, which is considered deprecated (and forbidden by
PCI certification).

From what I can read, major providers are planning to remove support for
TLS 1.0 and TLS 1.1 during 2020.

The attached patches (cherry-picked from upstream) switch to the
"version-flexible" function (TLS_client_method()).

Could this be included in buster?

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy
diff -Nru dma-0.11/debian/changelog dma-0.11/debian/changelog
--- dma-0.11/debian/changelog   2016-05-29 12:29:47.000000000 +0200
+++ dma-0.11/debian/changelog   2019-07-29 20:56:49.000000000 +0200
@@ -1,3 +1,12 @@
+dma (0.11-1+deb10u1) buster; urgency=medium
+
+  * d/p/0002-crypto-Don-t-limit-to-TLSv1-only.patch: Do not limit SSL
+    connection to TLSv1 (Closes: #871429)
+  * d/p/0003-properly-deal-with-SSL_connect-return-value.patch: Properly check
+    the return code of SSL_connect()
+
+ -- Laurent Bigonville <bi...@debian.org>  Mon, 29 Jul 2019 20:56:49 +0200
+
 dma (0.11-1) unstable; urgency=medium
 
   [ Arno Töll ]
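Review bot: The changelog entry for 0003 only says "Properly check the return code of SSL_connect()"; for a stable-update review it should state the behavioural change, i.e. that a return value of 0 (handshake rejected by the peer without a fatal transport error) was previously accepted as success and is now treated as a deferred delivery. Naming the upstream commits both patches are cherry-picked from would also let the release team verify them against upstream.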
diff -Nru dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch 
dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch
--- dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch 
1970-01-01 01:00:00.000000000 +0100
+++ dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch 
2019-07-29 20:56:49.000000000 +0200
@@ -0,0 +1,27 @@
+From: Michael Tremer <michael.tre...@ipfire.org>
+Date: Sun, 11 Feb 2018 11:05:43 +0000
+Subject: crypto: Don't limit to TLSv1 only
+
+Signed-off-by: Michael Tremer <michael.tre...@ipfire.org>
+---
+ crypto.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto.c b/crypto.c
+index 897b55b..440c882 100644
+--- a/crypto.c
++++ b/crypto.c
+@@ -93,7 +93,12 @@ smtp_init_crypto(int fd, int feature)
+       SSL_library_init();
+       SSL_load_error_strings();
+ 
+-      meth = TLSv1_client_method();
++      // Allow any possible version
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
++      meth = TLS_client_method();
++#else
++      meth = SSLv23_client_method();
++#endif
+ 
+       ctx = SSL_CTX_new(meth);
+       if (ctx == NULL) {
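Review bot: The #else branch selects SSLv23_client_method() with no visible SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3), so on OpenSSL < 1.1.0 the context could still negotiate SSLv3 with a server that offers it; the hunk ends at the ctx NULL check, so unless those options are set further down, add the call right after that check. On the TLS_client_method() branch (the one that applies with the OpenSSL 1.1 series in buster), SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) or TLS1_2_VERSION would pin the floor explicitly rather than leaving it to library defaults. Minor style point: the new comment uses `//` while the file uses `/* */` comments (compare `/* Open SSL connection */` in the next patch).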
diff -Nru 
dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch 
dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch
--- 
dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch  
    1970-01-01 01:00:00.000000000 +0100
+++ 
dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch  
    2019-07-29 20:56:49.000000000 +0200
@@ -0,0 +1,22 @@
+From: Simon Schubert <2...@0x2c.org>
+Date: Thu, 13 Sep 2018 16:44:50 +0200
+Subject: properly deal with SSL_connect() return value
+
+Submitted-by: lc3412
+---
+ crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto.c b/crypto.c
+index 440c882..ef08144 100644
+--- a/crypto.c
++++ b/crypto.c
+@@ -160,7 +160,7 @@ smtp_init_crypto(int fd, int feature)
+ 
+       /* Open SSL connection */
+       error = SSL_connect(config.ssl);
+-      if (error < 0) {
++      if (error != 1) {
+               syslog(LOG_ERR, "remote delivery deferred: SSL handshake failed 
fatally: %s",
+                      ssl_errstr());
+               return (1);
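Review bot: Changing `error < 0` to `error != 1` is the right fix, since SSL_connect() returns 1 only when the handshake completed, 0 when it was shut down cleanly by the peer (for example after an alert) and a negative value on a fatal error; the old test let the 0 case fall through and continue on a session that was never established. Two follow-ups: the log line still says "failed fatally" for the 0 case, so consider logging SSL_get_error(config.ssl, error) next to ssl_errstr() to tell a peer rejection from a transport failure, and note that if ssl_errstr() only drains the OpenSSL error queue, a 0 return caused by the peer closing the socket leaves that queue empty and the message without detail. This also assumes the socket is blocking; with a non-blocking fd a negative return with SSL_ERROR_WANT_READ/WANT_WRITE would need a retry rather than a deferral.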
diff -Nru dma-0.11/debian/patches/series dma-0.11/debian/patches/series
--- dma-0.11/debian/patches/series      2016-05-29 12:29:47.000000000 +0200
+++ dma-0.11/debian/patches/series      2019-07-29 20:56:49.000000000 +0200
@@ -1,2 +1,3 @@
 03-debian-locations.patch
-#10-liblockfile.patch
+0002-crypto-Don-t-limit-to-TLSv1-only.patch
+0003-properly-deal-with-SSL_connect-return-value.patch
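Review bot: Dropping the commented-out `#10-liblockfile.patch` line is unrelated to the TLS change and widens the stable-update diff; keep that line (or mention the cleanup in the changelog) so the series change is limited to appending the two new patches. The ordering itself is correct: 0003 must follow 0002, because 0003's index line (440c882..ef08144) starts from the blob 0002 produces (897b55b..440c882).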
