Package: release.debian.org Severity: normal Tags: buster User: [email protected] Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This update proposes to fix bug #961984. Pagekite shipped certificates internally which are now expired (as of 2020-05-31). All users of Pagekite are unable to use the package securely as it can no longer make TLS connections to frontend servers. This update makes Pagekite use Debian certificate database instead of internal certificates (by shipping an additional configuration file). Further information from upstream: https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/ The fix has been uploaded to unstable as part of pagekite/1.5.2.200531-1. Source debdiff is attached. The patch has been tested as follows: Installed and configured Pagekite on Debian Buster. In logs it shows that it is unable to connect to the frontend server due TLS connection failures. Upgraded to Pagkite with fix. Pagekite automatically restarts and connects properly to the frontend server as per logs. The services on the Pagekite domain become available after that. This is an urgent fix that must go into stable-updates because the package becomes unusable to most users without the fix. Please let know if you need any more information. Thanks, - -- Sunil - -- System Information: Debian Release: 10.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), LANGUAGE=en_IN.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEE5xPDY9ZyWnWupXSBQ+oc/wqnxfIFAl7Yb5oRHHN1bmlsQG1l ZGhhcy5vcmcACgkQQ+oc/wqnxfJEtRAAgQZWqu+XGN6HSgnZzoJdAhHreeHmqqNQ S55/Du+xKopP0nx9Inup65SkdUwXCbwKqfdOMrgpvApAkMNa05abxcR9SQ8fi+ex 3kaaQm7DoC9tmlFnVe7bDyozHXbkOYoywj+bBbdTMYpQkezrSNNgZv7w14Du3wio 44acL6gqiUUPoG5wsBg664aWVtNpGKO7FQZpLN72FsTeE8XGN5seERIb/Cw6xU9m S9/1qF5C/HajuZLkkcVPQBXDt+MGc5KS8L3PJiKqyNcxnfZ+x/WFcSfBrXDLoLVJ Ga1ZMcs8U4gggEzSjgZTYn0oy5kWeRcAofhmTBjecRS64SUcHLM41KZHfir9Gkd+ QrZH8PMJSapzUiORA1ahhE1tvX5VYeHfLXpSts4nK8z+NTIjpuRiT86nN11vOSag 9eN6gh3INiD7RbmBGtOpTkSV6Dv33bP7YQxwIRns0YZ6d73Gocjby14d1NuUwcNQ shgK2wXt3PwadKYaadBv2YPZIgtJDat/niVb9mMbJJl/EqUxou5vfiOqJzhdXYI0 IHjYBeSAZGJwrmUGO4IwO/SMkMViJwuODsJjVS++Ws4ba4ubeBuWfAWarxcXQwtL Lhu6aZxTlecPUTLYghWY1jOqe67Xy9nfp6SMNt6hizy9tN9QntInzk2pbbWzi01m oqSgncIG2A0= =MHb2 -----END PGP SIGNATURE-----
diff -Nru pagekite-0.5.9.3/debian/changelog pagekite-0.5.9.3/debian/changelog --- pagekite-0.5.9.3/debian/changelog 2018-03-30 07:54:06.000000000 -0700 +++ pagekite-0.5.9.3/debian/changelog 2020-06-03 18:10:32.000000000 -0700 @@ -1,3 +1,10 @@ +pagekite (0.5.9.3-2+deb10u1) UNRELEASED; urgency=medium + + * Fix issue with expired internal certificates. Use + Debian certificates instead of internal certificate. (Closes: #961984) + + -- Sunil Mohan Adapa <[email protected]> Wed, 03 Jun 2020 18:10:32 -0700 + pagekite (0.5.9.3-2) unstable; urgency=medium [ Petter Reinholdtsen ] diff -Nru pagekite-0.5.9.3/debian/control pagekite-0.5.9.3/debian/control --- pagekite-0.5.9.3/debian/control 2018-03-30 07:54:06.000000000 -0700 +++ pagekite-0.5.9.3/debian/control 2020-06-03 18:10:32.000000000 -0700 @@ -23,6 +23,7 @@ Package: pagekite Architecture: all Depends: ${misc:Depends}, ${python:Depends} + , ca-certificates , daemon (>= 0.6) , python-socksipychain (>= 2.0.15) , python-openssl diff -Nru pagekite-0.5.9.3/debian/patches/0002-use-debian-certificates.patch pagekite-0.5.9.3/debian/patches/0002-use-debian-certificates.patch --- pagekite-0.5.9.3/debian/patches/0002-use-debian-certificates.patch 1969-12-31 16:00:00.000000000 -0800 +++ pagekite-0.5.9.3/debian/patches/0002-use-debian-certificates.patch 2020-06-03 18:10:32.000000000 -0700 @@ -0,0 +1,18 @@ +Description: Use Debian certificates instead of internal certificates + This is to make Pagekite use certificates shipped by Debian. Otherwise by + default, it uses internallly shipped certificates that may be outdated. See: + https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/ +Author: Sunil Mohan Adapa <[email protected]> + +--- /dev/null ++++ b/etc/pagekite.d/90_debian_certs.rc +@@ -0,0 +1,9 @@ ++# ++# This is to make Pagekite use certificates shipped by Debian. Otherwise by ++# default, it uses internallly shipped certificates that may be outdated. See: ++# https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/ ++# ++# If you wish to override this setting, create another file starting with a ++# number higher than 90. ++# ++ca_certs = /etc/ssl/certs/ca-certificates.crt diff -Nru pagekite-0.5.9.3/debian/patches/series pagekite-0.5.9.3/debian/patches/series --- pagekite-0.5.9.3/debian/patches/series 2018-03-30 07:54:06.000000000 -0700 +++ pagekite-0.5.9.3/debian/patches/series 2020-06-03 18:10:32.000000000 -0700 @@ -1,2 +1,3 @@ 002-reproducible-build.patch 003-manpage-no-ver-in-whatis.patch +0002-use-debian-certificates.patch
