Your message dated Thu, 7 May 2015 19:12:21 +0200
with message-id
<[email protected]>
and subject line Re: Bug#784670: jessie-pu: package pound/2.6-6+deb8u1
has caused the Debian Bug report #784670,
regarding jessie-pu: package pound/2.6-6+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
784670: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784670
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi,
I'd like to update pound in jessie to fix the ability to disable ssl client
renegotiation (#765649). The same patch was uploaded to sid a few days ago.
Wheezy and earlier are not affected by this specific issue.
After this patch is applied I can get an "A" score at SSLlabs with pound.
Cheers,
Thijs
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru pound-2.6/debian/changelog pound-2.6/debian/changelog
--- pound-2.6/debian/changelog 2014-10-19 23:49:01.000000000 +0000
+++ pound-2.6/debian/changelog 2015-05-07 16:30:55.000000000 +0000
@@ -1,3 +1,11 @@
+pound (2.6-6+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload by the security team with maintainer approval.
+ * Add missing part of anti_beast patch to fix disabling of client
+ renegotiation. (Closes: #765649)
+
+ -- Thijs Kinkhorst <[email protected]> Tue, 05 May 2015 13:27:06 +0000
+
pound (2.6-6) unstable; urgency=low
* Add options to disable SSLv2 and SSLv3.
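Review bot: the changelog entry names the anti_beast patch but not the user-visible option it repairs, and the fix actually ships as a new quilt patch (0008-disable_client_initiated_renegotiation.patch) rather than as an amendment of 0001-anti_beast.patch; consider wording the bullet as "Add 0008-disable_client_initiated_renegotiation.patch so that SSLAllowClientRenegotiation actually disables client-initiated renegotiation (Closes: #765649)" so that administrators grepping the changelog for the option find it.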
diff -Nru pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch
--- pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch 1970-01-01 00:00:00.000000000 +0000
+++ pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch 2015-05-07 16:30:22.000000000 +0000
@@ -0,0 +1,120 @@
+Added the missing parts that makes the option SSLAllowClientRenegotiation
+work as advertised, allowing client initiated renegotiation to be turned off.
+This patch is a compliment to the changes introduced in the 0001-anti_beast.patch,
+which was missing the changes to http.c as seen in the original patch from
+Joe Gooch <[email protected]> at:
+http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers.patch
+
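Review bot: the patch description has two typos ("compliment" should be "complement", "parts that makes" should be "parts that make") and is free-form; Debian quilt patches are expected to carry DEP-3 headers, so restructure the header as `Description: Make SSLAllowClientRenegotiation actually disable client-initiated renegotiation`, `Origin: http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers.patch` and `Bug-Debian: https://bugs.debian.org/765649`, with the existing credit to Joe Gooch as the Author field.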
+--- a/http.c
++++ b/http.c
+@@ -273,6 +273,11 @@
+
+ static int err_to = -1;
+
++typedef struct {
++ int timeout;
++ RENEG_STATE *reneg_state;
++} BIO_ARG;
++
+ /*
+ * Time-out for client read/gets
+ * the SSL manual says not to do it, but it works well enough anyway...
+@@ -280,6 +285,7 @@
+ static long
+ bio_callback(BIO *const bio, const int cmd, const char *argp, int argi, long argl, long ret)
+ {
++ BIO_ARG *bio_arg;
+ struct pollfd p;
+ int to, p_res, p_err;
+
+@@ -287,11 +293,22 @@
+ return ret;
+
+ /* a time-out already occured */
+- if((to = *((int *)BIO_get_callback_arg(bio)) * 1000) < 0) {
++ if((bio_arg = (BIO_ARG*)BIO_get_callback_arg(bio))==NULL) return ret;
++ if((to = bio_arg->timeout * 1000) < 0) {
+ errno = ETIMEDOUT;
+ return -1;
+ }
+
++ /* Renegotiations */
++ if (bio_arg->reneg_state != NULL && *bio_arg->reneg_state == RENEG_ABORT) {
++ logmsg(LOG_NOTICE, "REJECTING renegotiated session");
++ errno = ECONNABORTED;
++ return -1;
++ }
++
++ //logmsg(LOG_NOTICE, "TO %d", to);
++ if (to == 0) return ret;
++
+ for(;;) {
+ memset(&p, 0, sizeof(p));
+ BIO_get_fd(bio, &p.fd);
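Review bot: the new NULL check on the callback argument now sits directly under the comment "/* a time-out already occured */", which no longer describes it; move that comment down to the `to < 0` test and give the NULL check its own one-liner. The commented-out `//logmsg(LOG_NOTICE, "TO %d", to);` is dead code in C++ comment style and should either be dropped or placed under `#ifdef EBUG` like the timeout logging further down in this function. The `if (to == 0) return ret;` line deserves a comment too: it is what makes installing the callback without a configured timeout safe (the poll loop below is skipped), and without that explanation it reads like a leftover.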
+@@ -326,7 +343,7 @@
+ return -1;
+ case 0:
+ /* timeout - mark the BIO as unusable for the future */
+- BIO_set_callback_arg(bio, (char *)&err_to);
++ bio_arg->timeout = err_to;
+ #ifdef EBUG
+ logmsg(LOG_WARNING, "(%lx) CALLBACK timeout poll after %d secs: %s",
+ pthread_self(), to / 1000, strerror(p_err));
+@@ -531,6 +548,15 @@
+ struct linger l;
+ double start_req, end_req;
+
++ RENEG_STATE reneg_state;
++ BIO_ARG ba1, ba2;
++
++ reneg_state = RENEG_INIT;
++ ba1.reneg_state = &reneg_state;
++ ba2.reneg_state = &reneg_state;
++ ba1.timeout = 0;
++ ba2.timeout = 0;
++
+ from_host = ((thr_arg *)arg)->from_host;
+ memcpy(&from_host_addr, from_host.ai_addr, from_host.ai_addrlen);
+ from_host.ai_addr = (struct sockaddr *)&from_host_addr;
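Review bot: reneg_state, ba1 and ba2 are automatic variables of the connection thread function, and their addresses are handed to BIO_set_callback_arg and SSL_set_app_data further down, so every BIO and SSL object that receives them must be freed before this function returns or bio_callback will read a dead stack frame; the error paths visible later (`BIO_free_all(cl); return;`) do that, but a comment stating the lifetime rule next to these declarations would help the next reader. Separately, RENEG_STATE, RENEG_INIT and RENEG_ALLOW are not defined anywhere in this diff; the description says the patch complements 0001-anti_beast.patch, so confirm that patch introduces them and is applied earlier in the series.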
+@@ -539,6 +565,8 @@
+ free(((thr_arg *)arg)->from_host.ai_addr);
+ free(arg);
+
++ if(lstn->allow_client_reneg) reneg_state = RENEG_ALLOW;
++
+ n = 1;
+ setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&n, sizeof(n));
+ l.l_onoff = 1;
+@@ -562,10 +590,10 @@
+ close(sock);
+ return;
+ }
+- if(lstn->to > 0) {
+- BIO_set_callback_arg(cl, (char *)&lstn->to);
+- BIO_set_callback(cl, bio_callback);
+- }
++
++ ba1.timeout = lstn->to;
++ BIO_set_callback_arg(cl, (char *)&ba1);
++ BIO_set_callback(cl, bio_callback);
+
+ if(lstn->ctx != NULL) {
+ if((ssl = SSL_new(lstn->ctx->ctx)) == NULL) {
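Review bot: this hunk changes behaviour beyond the renegotiation fix: the `if(lstn->to > 0)` guard is dropped, so bio_callback is now installed on the client BIO even when no timeout is configured. That is necessary so the RENEG_ABORT check runs on every listener, and the `if (to == 0) return ret;` added to bio_callback keeps the poll loop out of that case, but the changelog and the patch description should say so explicitly since it also affects listeners that never asked for a timeout.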
+@@ -574,6 +602,7 @@
+ BIO_free_all(cl);
+ return;
+ }
++ SSL_set_app_data(ssl, &reneg_state);
+ SSL_set_bio(ssl, cl, cl);
+ if((bb = BIO_new(BIO_f_ssl())) == NULL) {
+ logmsg(LOG_WARNING, "(%lx) BIO_new(Bio_f_ssl()) failed", pthread_self());
+@@ -875,7 +904,8 @@
+ }
+ BIO_set_close(be, BIO_CLOSE);
+ if(backend->to > 0) {
+- BIO_set_callback_arg(be, (char *)&backend->to);
++ ba2.timeout = backend->to;
++ BIO_set_callback_arg(be, (char *)&ba2);
+ BIO_set_callback(be, bio_callback);
+ }
+ if(backend->ctx != NULL) {
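Review bot: the backend BIO keeps its `if(backend->to > 0)` guard while the client side now installs the callback unconditionally, so with no backend timeout configured the backend BIO never consults the shared RENEG_ABORT state; since ba2 shares reneg_state with ba1, the intent appears to be that an aborted client renegotiation also fails backend I/O, and the asymmetry should either be documented in a comment or removed for consistency with the client hunk.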
diff -Nru pound-2.6/debian/patches/series pound-2.6/debian/patches/series
--- pound-2.6/debian/patches/series 2014-10-19 23:50:51.000000000 +0000
+++ pound-2.6/debian/patches/series 2015-05-07 16:30:22.000000000 +0000
@@ -5,3 +5,4 @@
0005-wait_on_semaphore_fix.patch
0006-add_mkcalendar_support.patch
0007-anti_poodle.patch
+0008-disable_client_initiated_renegotiation.patch
--- End Message ---
--- Begin Message ---
Hi,
On Thu, May 7, 2015 18:43, Thijs Kinkhorst wrote:
> I'd like to update pound in jessie to fix the ability to disable ssl
> client renegotiation (#765649).
Sorry, I'm retracting this. Since the issue does in fact affect wheezy,
contrary to what I thought, and a security update was required for other
issues in wheezy anyway, we can release this update simultaneously through
stable-security.
Cheers,
Thijs
--- End Message ---