Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Closes: #768266 (Severity: serious; RC)

In addition to fixing the above bug, the update also applies a patch to
enable TLS. The previous package hard-coded the SSLv3-only methods
(SSLv3_client_method/SSLv3_server_method), which is no longer
appropriate. Some of the tests in the test suite failed without the
patch because Debian's openssl 1.0.1j-1 has disabled SSLv3. With the
patch, which switches to the version-flexible SSLv23 methods, the test
suite passes.

        Mattias

diff -Nru myproxy-6.0/debian/changelog myproxy-6.0/debian/changelog
--- myproxy-6.0/debian/changelog	2014-09-27 17:27:12.000000000 +0200
+++ myproxy-6.0/debian/changelog	2014-11-08 06:41:39.000000000 +0100
@@ -1,3 +1,10 @@
+myproxy (6.0-2) unstable; urgency=medium
+
+  * Properly handle symlink-to-dir conversion in doc package (Closes: #768266)
+  * Enable TLS - debian's openssl has disabled SSLv3 by default
+
+ -- Mattias Ellert <mattias.ell...@fysast.uu.se>  Fri, 07 Nov 2014 23:51:15 +0100
+
 myproxy (6.0-1) unstable; urgency=medium
 
   * Update to 6.0, adapt to Globus Toolkit 6
diff -Nru myproxy-6.0/debian/libmyproxy-doc.postinst myproxy-6.0/debian/libmyproxy-doc.postinst
--- myproxy-6.0/debian/libmyproxy-doc.postinst	1970-01-01 01:00:00.000000000 +0100
+++ myproxy-6.0/debian/libmyproxy-doc.postinst	2014-11-07 23:49:50.000000000 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+    /usr/share/doc/libmyproxy-doc \
+    libmyproxy-dev 6.0-2~ \
+    libmyproxy-doc -- "$@"
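Review bot: These hand-written maintainer scripts call dpkg-maintscript-helper symlink_to_dir, a command only provided by newer dpkg (1.17.14 and later, as far as I recall), and nothing in this diff shows debian/control gaining `Pre-Depends: ${misc:Pre-Depends}` or an explicit dpkg version, so the helper is not guaranteed to exist when preinst runs on a partially upgraded system. The argument order (pathname, old symlink target `libmyproxy-dev`, prior version `6.0-2~`, package) matches the helper's documented interface, and the identical call is duplicated verbatim in preinst and postrm. A single `debian/libmyproxy-doc.maintscript` line, `symlink_to_dir /usr/share/doc/libmyproxy-doc libmyproxy-dev 6.0-2~`, would let dh_installdeb generate all three snippets and set the Pre-Depends substvar; if the control change is in the full upload but not in this excerpt, the first point does not apply.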
diff -Nru myproxy-6.0/debian/libmyproxy-doc.postrm myproxy-6.0/debian/libmyproxy-doc.postrm
--- myproxy-6.0/debian/libmyproxy-doc.postrm	1970-01-01 01:00:00.000000000 +0100
+++ myproxy-6.0/debian/libmyproxy-doc.postrm	2014-11-07 23:49:50.000000000 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+    /usr/share/doc/libmyproxy-doc \
+    libmyproxy-dev 6.0-2~ \
+    libmyproxy-doc -- "$@"
diff -Nru myproxy-6.0/debian/libmyproxy-doc.preinst myproxy-6.0/debian/libmyproxy-doc.preinst
--- myproxy-6.0/debian/libmyproxy-doc.preinst	1970-01-01 01:00:00.000000000 +0100
+++ myproxy-6.0/debian/libmyproxy-doc.preinst	2014-11-07 23:49:50.000000000 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+    /usr/share/doc/libmyproxy-doc \
+    libmyproxy-dev 6.0-2~ \
+    libmyproxy-doc -- "$@"
diff -Nru myproxy-6.0/debian/patches/myproxy-tls.patch myproxy-6.0/debian/patches/myproxy-tls.patch
--- myproxy-6.0/debian/patches/myproxy-tls.patch	1970-01-01 01:00:00.000000000 +0100
+++ myproxy-6.0/debian/patches/myproxy-tls.patch	2014-11-08 06:12:14.000000000 +0100
@@ -0,0 +1,53 @@
+diff --git a/myproxy.c b/myproxy.c
+index 24e744f..9f2fb65 100644
+--- a/myproxy.c
++++ b/myproxy.c
+@@ -544,8 +544,9 @@ myproxy_bootstrap_trust(myproxy_socket_attrs_t *attrs)
+     }
+ 
+     /* get trust root(s) from the myproxy-server */
+-    ctx = SSL_CTX_new(SSLv3_client_method());
+-    SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
++    ctx = SSL_CTX_new(SSLv23_client_method());
++    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 |
++			SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ 
+     if (!(sbio = BIO_new_ssl_connect(ctx))) goto error;
+     if ( (sockfd = get_connected_myproxy_host_socket(
+diff --git a/myproxy_ocsp.c b/myproxy_ocsp.c
+index 440f6ef..d39e1dc 100644
+--- a/myproxy_ocsp.c
++++ b/myproxy_ocsp.c
+@@ -311,11 +311,12 @@ int myproxy_ocsp_verify(X509 *cert, X509 *issuer) {
+     goto end;
+   }
+   X509_LOOKUP_add_dir(lookup, certdir, X509_FILETYPE_PEM);
+-  ctx = SSL_CTX_new(SSLv3_client_method());
++  ctx = SSL_CTX_new(SSLv23_client_method());
+   if (ctx == NULL) {
+     result = MYPROXY_OCSPRESULT_ERROR_OUTOFMEMORY;
+     goto end;
+   }
++  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+   SSL_CTX_set_cert_store(ctx, store);
+   SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
+ 
+diff --git a/ssl_utils.c b/ssl_utils.c
+index 0749e5b..4ff5aa5 100644
+--- a/ssl_utils.c
++++ b/ssl_utils.c
+@@ -2146,12 +2146,13 @@ ssl_verify_gsi_chain(SSL_CREDENTIALS *chain)
+    X509_LOOKUP_add_dir(lookup, certdir, X509_FILETYPE_PEM);
+    X509_STORE_CTX_init(&csc, cert_store, chain->certificate, NULL);
+    
+-   sslContext = SSL_CTX_new(SSLv3_server_method());
++   sslContext = SSL_CTX_new(SSLv23_server_method());
+    if (sslContext == NULL) {
+       verror_put_string("Initializing SSL_CTX");
+       ssl_error_to_verror();
+       goto end;
+    }
++   SSL_CTX_set_options(sslContext, SSL_OP_NO_SSLv2);
+ 
+    SSL_CTX_set_purpose(sslContext, X509_PURPOSE_ANY);
+ 
diff -Nru myproxy-6.0/debian/patches/series myproxy-6.0/debian/patches/series
--- myproxy-6.0/debian/patches/series	2014-09-27 18:31:26.000000000 +0200
+++ myproxy-6.0/debian/patches/series	2014-11-08 06:05:21.000000000 +0100
@@ -2,3 +2,5 @@
 myproxy-pathmax.patch
 # Missing depandencies
 myproxy-deps.patch
+# Enable TLS
+myproxy-tls.patch
