Your message dated Wed, 10 Dec 2014 23:57:17 +0100
with message-id <[email protected]>
and subject line Re: Bug#772634: resiprocate_1.9.7-2_amd64.changes REJECTED
has caused the Debian Bug report #772634,
regarding unblock: resiprocate/1.9.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
772634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772634
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
UserTags: unblock


This is a proposed upload to testing-proposed-updates.

It is a far more concise and targeted fix than the upstream 1.9.8
release discussed previously.

The main reason for this unblock request:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772632

based on the outcome of discussion on the debian-security list:

  https://lists.debian.org/debian-security/2014/12/msg00032.html

This update enables TLS v1.1 and v1.2 when acting as a server and
enables v1.1 when acting as a client.

This is achieved by using the generic SSLv23_method instead of the
discouraged TLSv1_method.  This approach ensures that if the OpenSSL
maintainers add or remove protocol versions because of future
vulnerabilities, this package will benefit from those changes without
needing to be patched further or recompiled.

The (much smaller) debdiff is attached; it was generated with filterdiff
to remove autotools stuff:

debdiff resiprocate_1.9.7-1.dsc resiprocate_1.9.7-2.dsc | filterdiff \
  -x '*/aclocal.m4' -x '*/config.*' -x '*/configure' -x '*/depcomp' \
  -x '*/*.in' -x '*/install-sh' -x '*/ltmain.sh' -x '*/m4/*' -x '*/missing' \
  -x '*/resiprocate.spec' > /tmp/resiprocate-1.9.7-2.debdiff

diff -Nru resiprocate-1.9.7/debian/changelog resiprocate-1.9.7/debian/changelog
--- resiprocate-1.9.7/debian/changelog  2014-05-31 12:51:11.000000000 +0200
+++ resiprocate-1.9.7/debian/changelog  2014-12-09 11:56:59.000000000 +0100
@@ -1,3 +1,10 @@
+resiprocate (1.9.7-2) testing-proposed-updates; urgency=medium
+
+  * Use SSLv23_method instead of TLSv1_method and
+    avoid TLS 1.2 when acting as client. (Closes: #772632)
+
+ -- Daniel Pocock <[email protected]>  Tue, 09 Dec 2014 11:34:48 +0100
+
 resiprocate (1.9.7-1) unstable; urgency=medium
 
   * New upstream release.
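Review bot: the changelog entry records "avoid TLS 1.2 when acting as client" without saying why; since that is a deliberate protocol downgrade for every outgoing connection, the entry should name the interoperability problem (or link the bug) so the restriction can be lifted later instead of surviving by inertia. It would also help to state the user-visible effect of the first bullet, namely that the server side now accepts TLS 1.1 and 1.2 rather than only TLS 1.0.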
diff -Nru resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch 
resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch
--- resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch       
1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch       
2014-12-09 11:30:51.000000000 +0100
@@ -0,0 +1,50 @@
+diff --git a/repro/ReproRunner.cxx b/repro/ReproRunner.cxx
+index 929392b..a2f09de 100644
+--- a/repro/ReproRunner.cxx
++++ b/repro/ReproRunner.cxx
+@@ -1338,6 +1338,7 @@ ReproRunner::addTransports(bool& 
allTransportsSpecifyRecordRoute)
+       wsCookieContextFactory.reset(new 
BasicWsCookieContextFactory(infoCookieName, extraCookieName, macCookieName));
+    }
+ 
++   SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23;
+    try
+    {
+       // Check if advanced transport settings are provided
+@@ -1448,7 +1449,7 @@ ReproRunner::addTransports(bool& 
allTransportsSpecifyRecordRoute)
+                                  ipAddr,       // interface to bind to
+                                  tlsDomain,
+                                  Data::Empty,  // private key passphrase - 
not currently used
+-                                 SecurityTypes::TLSv1, // sslType
++                                 defaultSSLType, // sslType
+                                  0,            // transport flags
+                                  tlsCertificate, tlsPrivateKey,
+                                  cvm,          // tls client verification mode
+@@ -1576,8 +1577,8 @@ ReproRunner::addTransports(bool& 
allTransportsSpecifyRecordRoute)
+          }
+          if (tlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+-            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+          }
+          if (wsPort)
+          {
+@@ -1586,13 +1587,13 @@ ReproRunner::addTransports(bool& 
allTransportsSpecifyRecordRoute)
+          }
+          if (wssPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, 
wsCookieContextFactory);
+-            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, 
wsCookieContextFactory);
++            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, 
wsCookieContextFactory);
++            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, 
wsCookieContextFactory);
+          }
+          if (dtlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey);
+-            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey);
++            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey);
++            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey);
+          }
+       }
+    }
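Review bot: nothing in this hunk shows SSL_OP_NO_SSLv2 or SSL_OP_NO_SSLv3 being applied to the context created for `SecurityTypes::SSLv23`; the generic method keeps offering SSLv3 unless those options are set where the context is built (outside this diff), so please confirm that code path does so, otherwise the server gains TLS 1.1/1.2 but also keeps SSLv3. Separately, `defaultSSLType` is a hard-coded local in addTransports(); reading it from the configuration file instead would let an operator pin or exclude a version without a rebuild.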
diff -Nru resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch 
resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch
--- resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch    
1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch    
2014-12-09 11:33:41.000000000 +0100
@@ -0,0 +1,16 @@
+diff --git a/resip/stack/ssl/TlsConnection.cxx 
b/resip/stack/ssl/TlsConnection.cxx
+index c3537aa..145d089 100644
+--- a/resip/stack/ssl/TlsConnection.cxx
++++ b/resip/stack/ssl/TlsConnection.cxx
+@@ -122,6 +122,11 @@ TlsConnection::TlsConnection( Transport* transport, const 
Tuple& tuple,
+       }
+       SSL_set_verify(mSsl, verify_mode, 0);
+    }
++   else
++   {
++      // some TLS v1.2 servers have been troublesome
++      SSL_set_options(mSsl, SSL_OP_NO_TLSv1_2);
++   }
+ 
+    mBio = BIO_new_socket((int)fd,0/*close flag*/);
+    assert( mBio );
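Review bot: the new `else` branch applies SSL_OP_NO_TLSv1_2 unconditionally, so every outgoing connection is capped at TLS 1.1 with no run-time way to restore 1.2; the comment "some TLS v1.2 servers have been troublesome" should cite the concrete failure (bug number or peer implementation) so the cap can be removed once those peers are fixed. The condition of the `if` this `else` pairs with is outside the hunk, so a reader cannot confirm from the diff that the branch is the client-only path; a comment naming it would help. SSL_OP_NO_TLSv1_2 also exists only in OpenSSL 1.0.1 and later, which the build dependency should reflect.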
diff -Nru resiprocate-1.9.7/debian/patches/series 
resiprocate-1.9.7/debian/patches/series
--- resiprocate-1.9.7/debian/patches/series     1970-01-01 01:00:00.000000000 
+0100
+++ resiprocate-1.9.7/debian/patches/series     2014-12-09 11:33:48.000000000 
+0100
@@ -0,0 +1,2 @@
+0001-use-SSLv23_method.patch
+0002-client-avoid-TLSv1_2.patch

--- End Message ---
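To make the version-selection behaviour behind this request concrete, here is an added Python model (not code from the resiprocate project or from the messages above) of how OpenSSL 1.0.x picks a protocol version under TLSv1_method versus SSLv23_method with SSL_OP_NO_* flags. It also covers two cases the thread does not spell out, an SSLv3-only peer and the gap created by disabling a middle version; the peers and flag combinations are constructed.

```python
# Constructed model of OpenSSL 1.0.x version selection (not OpenSSL or
# resiprocate code): TLSv1_method() pins a peer to TLS 1.0, SSLv23_method()
# allows every version the library knows minus the SSL_OP_NO_* options set.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest -> newest
NO_OPTIONS = {"SSL_OP_NO_SSLv3": "SSLv3", "SSL_OP_NO_TLSv1": "TLSv1",
              "SSL_OP_NO_TLSv1_1": "TLSv1.1", "SSL_OP_NO_TLSv1_2": "TLSv1.2"}

def enabled(method, options=()):
    """Versions a peer accepts: the method's set minus its SSL_OP_NO_* flags."""
    if method == "TLSv1_method":
        allowed = {"TLSv1"}        # version-specific method: TLS 1.0 only
    elif method == "SSLv23_method":
        allowed = set(VERSIONS)    # generic method: everything the library knows
    else:
        raise ValueError(f"unknown method {method}")
    return allowed - {NO_OPTIONS[o] for o in options}

def negotiate(client, server):
    """Agreed version or None: the client offers its highest enabled version, the
    server picks its highest not above it, the client rejects a locally disabled pick."""
    if not client or not server:
        return None
    client_max = VERSIONS.index(max(client, key=VERSIONS.index))
    candidates = [v for v in server if VERSIONS.index(v) <= client_max]
    if not candidates:
        return None                # server has nothing low enough to offer
    chosen = max(candidates, key=VERSIONS.index)
    return chosen if chosen in client else None  # rejected by client-side NO_*

def resiprocate_outcomes():
    """Server and client behaviour before and after the two patches."""
    modern = enabled("SSLv23_method")                            # SSLv3 .. TLS 1.2
    no12 = enabled("SSLv23_method", ["SSL_OP_NO_TLSv1_2"])       # patch 0002 client
    return {
        "server before (TLSv1_method)": negotiate(modern, enabled("TLSv1_method")),
        "server after 0001 (SSLv23_method)": negotiate(modern, enabled("SSLv23_method")),
        # The generic method still talks SSLv3 to an SSLv3-only peer unless the
        # context also sets SSL_OP_NO_SSLv3, which the debdiff does not show.
        "server after 0001 vs SSLv3-only peer": negotiate({"SSLv3"}, enabled("SSLv23_method")),
        "same with SSL_OP_NO_SSLv3": negotiate({"SSLv3"}, enabled("SSLv23_method", ["SSL_OP_NO_SSLv3"])),
        "client after 0002 (NO_TLSv1_2)": negotiate(no12, modern),
        # Disabling a middle version leaves a hole: a server capped at that
        # version picks it and the client then rejects the server's choice.
        "client NO_TLSv1_1 vs server capped at 1.1": negotiate(
            enabled("SSLv23_method", ["SSL_OP_NO_TLSv1_1"]), no12),
    }

if __name__ == "__main__":
    for case, result in resiprocate_outcomes().items():
        print(f"{case}: {result or 'handshake fails'}")
```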
--- Begin Message ---
Hi Daniel,

On Tue, Dec 09, 2014 at 09:15:25PM +0100, Daniel Pocock wrote:
> Ok, thanks for the feedback, 1:1.9.7-3 has been uploaded signed by the
> other key and I've pushed the subkey with the extended expiry.

Unblocked resiprocate/1:1.9.7-4 (which finally built on mips).

Cheers,

Ivo

--- End Message ---