Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Dear SRMs,
I'd like to update ganeti in Stretch once more, fixing the following
issues:
- The fix for #895599 that was included in +deb9u2 unfortunately was
incomplete; I failed to cherry-pick an additional patch rendering the
fix ineffective.
- Ganeti uses an embedded CA to establish trust between cluster nodes.
This CA signs certificates using SHA-1 digests by default and
SHA-1-signed certificates are not accepted by OpenSSL when a
security level of 2 or higher is in effect. OpenSSL in Buster will
(most probably) have a security level of 2 on by default, meaning
that upon upgrading to Buster ganeti clusters will experience
breakage. Since SHA-1 is weak and deprecated anyway, I would like to
backport a change from unstable to make the CA use SHA-256 for
certificate signatures, to allow cluster administrators to upgrade
their crypto before actually upgrading to Buster. See #907216 and
#907569 for more information.
- The bash completion script shipped in Stretch is ineffective.
Although nothing changed on Ganeti's side between Jessie and Stretch,
bash completion stopped working when dh_bash-completion stopped
placing scripts in /etc/bash_completion.d/ (see #668254) and moved to
/usr/share/bash-completion/ instead. This change broke ganeti's
completion because it is not autoloadable: there's only one script
which does not match any command name (see #864755). This has already
been fixed in unstable by symlinking the completion file to all
supported command names. This being really a regression from a
functional point of view, I would like to backport the fix to
Stretch.
Attached is the full source debdiff for the proposed update. I might
update the wording in d/NEWS and the `gnt-cluster verify' output before
uploading, but functionally I don't expect any further changes.
Regards,
Apollon
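Added example to go with the SHA-1 point above; it is not part of the original report, of the debdiff, or of Ganeti's own code. It is a standard-library Python script that reports which signature digest a PEM certificate carries, so an administrator can check the cluster, RAPI and SPICE certificates before the Buster upgrade, independently of the new `gnt-cluster verify` warning. The parser, the OID table and the skeleton certificates it builds for self-testing are all constructed here; the skeletons are parser fixtures, not usable certificates, and the /var/lib/ganeti paths in the comments are assumed defaults.

```python
"""Report the signature digest of PEM certificates (Ganeti's server.pem, rapi.pem,
spice.pem) before an OpenSSL security level bump makes SHA-1 signatures unacceptable.
Added example, not Ganeti code; standard library only.  Walks RFC 5280 4.1:
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }, and
tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
where the inner signature MUST equal the outer signatureAlgorithm (4.1.2.3)."""
import ssl
import sys

# signature OID -> (name, weak digest?); unknown OIDs are reported verbatim with None
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}
PEM_HEADER, PEM_FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def _read_tlv(buf, pos):
    """DER tag and length at buf[pos] -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, pos, pos + length

def _expect(buf, pos, tag):                # _read_tlv that insists on a tag
    got, start, end = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, pos, got))
    return start, end

def _decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted notation (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _algorithm_oid(buf, pos):
    """OID inside the AlgorithmIdentifier SEQUENCE at buf[pos] (parameters ignored)."""
    alg_start, _ = _expect(buf, pos, 0x30)
    oid_start, oid_end = _expect(buf, alg_start, 0x06)
    return _decode_oid(buf[oid_start:oid_end])

def signature_oids(der):
    """(outer signatureAlgorithm OID, tbsCertificate.signature OID) of a DER cert."""
    cert_start, _ = _expect(der, 0, 0x30)                 # Certificate
    tbs_start, tbs_end = _expect(der, cert_start, 0x30)   # tbsCertificate
    outer = _algorithm_oid(der, tbs_end)                  # signatureAlgorithm follows it
    tag, _, end = _read_tlv(der, tbs_start)
    pos = end if tag == 0xA0 else tbs_start               # skip optional [0] version
    _, pos = _expect(der, pos, 0x02)                      # serialNumber
    return outer, _algorithm_oid(der, pos)                # tbsCertificate.signature

def pem_to_der(text):
    """First CERTIFICATE block in text; tolerates a private key bundled in the same file."""
    start = text.find(PEM_HEADER)
    end = text.find(PEM_FOOTER, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate found")
    return ssl.PEM_cert_to_DER_cert(text[start:end + len(PEM_FOOTER)])

def check_pem(text):
    """-> (name, weak, consistent); consistent is False if the two algorithm fields differ."""
    outer, inner = signature_oids(pem_to_der(text))
    name, weak = SIGNATURE_OIDS.get(outer, (outer, None))
    return name, weak, outer == inner

# Constructed fixtures: a structurally valid Certificate shell with an empty BIT STRING
# signature.  Not a usable certificate, it only exercises the parser above.
_OID_DER = {"1.2.840.113549.1.1.5": bytes.fromhex("2a864886f70d010105"),    # sha1WithRSA
            "1.2.840.113549.1.1.11": bytes.fromhex("2a864886f70d01010b")}   # sha256WithRSA

def _tlv(tag, content):                    # short-form DER, enough for the fixture
    return bytes([tag, len(content)]) + content

def make_skeleton_cert(outer_oid, inner_oid=None):
    """PEM shell: [0] v3, serial 1, inner/outer AlgorithmIdentifiers, empty signature."""
    def alg(oid):
        return _tlv(0x30, _tlv(0x06, _OID_DER[oid]) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg(inner_oid or outer_oid))
    return ssl.DER_cert_to_PEM_cert(_tlv(0x30, tbs + alg(outer_oid) + _tlv(0x03, b"\x00")))

if __name__ == "__main__":                 # e.g. python3 check_sig.py /var/lib/ganeti/*.pem
    bad = False
    for path in sys.argv[1:]:
        with open(path) as f:
            name, weak, consistent = check_pem(f.read())
        bad |= bool(weak) or not consistent
        print("%s: %s%s%s" % (path, name, " WEAK" if weak else "", "" if consistent else " INCONSISTENT"))
    sys.exit(1 if bad else 0)
```

Run it on each node against the certificate files Ganeti keeps there; it exits 1 when any file is MD5- or SHA-1-signed or carries mismatched algorithm fields. The digest it reports is the same one `openssl x509 -in server.pem -noout -text` prints under Signature Algorithm; what the script adds is the RFC 5280 consistency check between the outer signatureAlgorithm and tbsCertificate.signature, and tolerance for files that bundle a private key with the certificate. The NEWS entry's `gnt-cluster renew-crypto --new-cluster-certificate` is the supported way to replace what it flags.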
diff -Nru ganeti-2.15.2/debian/changelog ganeti-2.15.2/debian/changelog
--- ganeti-2.15.2/debian/changelog 2018-06-11 17:42:10.0 +0300
+++ ganeti-2.15.2/debian/changelog 2018-09-08 20:22:03.0 +0300
@@ -1,3 +1,14 @@
+ganeti (2.15.2-7+deb9u3) stretch; urgency=medium
+
+ * Properly verify SSL certificates during VM export (#2) (Closes: #895599,
#908112)
+ * Sign generated certificates using SHA256 instead of SHA1 (Closes: #907569)
++ d/NEWS: ask users to run gnt-cluster renew-crypto
++ cluster verify: warn about weak certificates
+ * Make bash completions autoloadable (Closes: #864755)
++ Cleanup obsolete /etc/bash_completion.d/ganeti
+
+ -- Apollon Oikonomopoulos Sat, 08 Sep 2018 20:22:03
+0300
+
ganeti (2.15.2-7+deb9u2) stretch; urgency=medium
* Properly verify SSL certificates during VM export (Closes: #895599)
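Review bot: the first bullet, "Properly verify SSL certificates during VM export (#2)", repeats the +deb9u2 entry word for word apart from "(#2)", so a reader of the changelog cannot tell what this upload changes; the cover letter explains that deb9u2 was missing a patch, and the changelog should say so, e.g. "* Properly verify SSL certificates during VM export: complete the fix from +deb9u2, which lacked one patch and was ineffective (Closes: #895599, #908112)". Also, the cover letter cites both #907216 and #907569 for the SHA-1 problem but only #907569 is closed here; if #907216 is the openssl-side report that is right, otherwise add it to the Closes list.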
diff -Nru ganeti-2.15.2/debian/ganeti.maintscript
ganeti-2.15.2/debian/ganeti.maintscript
--- ganeti-2.15.2/debian/ganeti.maintscript 1970-01-01 02:00:00.0
+0200
+++ ganeti-2.15.2/debian/ganeti.maintscript 2018-09-08 20:22:03.0
+0300
@@ -0,0 +1 @@
+rm_conffile /etc/bash_completion.d/ganeti 2.15.2-7+deb9u3~
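Review bot: rm_conffile removes /etc/bash_completion.d/ganeti only if its contents still match the md5sum dpkg recorded for the conffile; a locally edited copy is renamed to ganeti.dpkg-bak instead, which bash-completion's loader ignores, so in both cases the stale script stops being sourced, but the changelog's "Cleanup obsolete /etc/bash_completion.d/ganeti" should mention the .dpkg-bak leftover so administrators are not surprised by it. The version argument `2.15.2-7+deb9u3~` is the right form: the trailing `~` makes the removal apply to upgrades from every version below +deb9u3, including binNMUs and backports of earlier revisions.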
diff -Nru ganeti-2.15.2/debian/gbp.conf ganeti-2.15.2/debian/gbp.conf
--- ganeti-2.15.2/debian/gbp.conf 2018-06-11 17:42:10.0 +0300
+++ ganeti-2.15.2/debian/gbp.conf 2018-09-08 20:22:03.0 +0300
@@ -4,6 +4,8 @@
upstream-tag = v%(version)s
upstream-tree = tag
upstream-branch = stable-2.15
+debian-branch = debian/stable/stretch
+dist = stretch
[git-buildpackage]
export-dir = ../build-area/
diff -Nru ganeti-2.15.2/debian/NEWS ganeti-2.15.2/debian/NEWS
--- ganeti-2.15.2/debian/NEWS 2018-06-11 17:42:10.0 +0300
+++ ganeti-2.15.2/debian/NEWS 2018-09-08 20:22:03.0 +0300
@@ -1,3 +1,27 @@
+ganeti (2.15.2-7+deb9u2) stretch; urgency=medium
+
+ This version changes Ganeti's internal CA, which is used to secure
+ intra-cluster RPC, to use SHA256 digests when signing certificates.
+ Previously issued certificates were signed using SHA1 and will be rejected
+ by newer OpenSSL versions, causing cluster malfunction. This will be a
+ problem with the upcoming Debian Buster release, so Ganeti's CA must be
+ switched over to SHA-256 before upgrading to Buster.
+
+ After upgrading all nodes to this package version, please run
+
+gnt-cluster renew-crypto --new-cluster-certificate
+
+ at a convenient time to re-generate the cluster's certificates using the new
+ signing algorithm. This operation does not incur any instance downtime,
+ however you will not be able to issue any gnt-* commands while renew-crypto
+ is running.
+
+ If you are using built-in certificates for RAPI and/or spice, please
+ consider adding --new-rapi-certificate and --new-spice-certificate
+ respectively to the above command.
+
+ -- Apollon Oikonomopoulos Mon, 03 Sep 2018 14:36:39
+0300
+
ganeti (2
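Review bot: the new NEWS entry is headed `ganeti (2.15.2-7+deb9u2)` but the change it announces ships in 2.15.2-7+deb9u3 (see the changelog hunk); apt-listchanges only shows NEWS entries newer than the installed version, so administrators already on +deb9u2, exactly the people who need to run renew-crypto, would never see it. Change the header to `ganeti (2.15.2-7+deb9u3)`. Two smaller points: the entry says SHA256 in one sentence and SHA-256 in the next, pick one; and "rejected by newer OpenSSL versions" is vaguer than the cover letter, which ties the rejection to OpenSSL security level 2, the setting Buster is expected to ship as the default. Naming the level tells an administrator how to reproduce the failure ahead of time (raise the default level in openssl.cnf with `CipherString = DEFAULT@SECLEVEL=2`) and explains why a Stretch system with an already raised level is affected today.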