Re: Status of the t64 transition
On 2024-04-18 Sebastian Ramacher wrote:
[...]
> Let's start with the first category. Those are packages that could be
> binNMUed, but there are issues that make those rebuilds not have the
> desired effect. This list includes packages that
> * are BD-Uninstallable,
> * FTBFS but without ftbfs-tagged RC bug,
> * have hard-coded dependencies on pre-t64 libraries,
> * have $oldlib | $newlib dependencies (those are at least wrong on
>   armel/armhf and violate policy 2.2.1 once the pre-t64 libraries are
>   decrufted),
> * have been rebuilt before all dependencies were built,
> * have broken symbols/shlibs files producing incorrect dependencies,
> * or might just be missing the binNMU (but those should be few).
> hugin
[...]

Good morning,

thanks for the update. Looking at hugin, I think it is fine on all
release-architectures, none of the problems noted above apply here. Am I
missing something?

TIA, cu Andreas

PS: fakeroot seems to be an important blocker not in the list.
Bug#1067729: nmu: exim4_4.97-5
On 2024-03-26 Andreas Metzler wrote:
[...]
> nmu exim4_4.97-5 . armel armhf hppa m68k . unstable . -m "Rebuild against
> libspf2-dev >= 1.2.10-8.1 (64-bit time_t transition)"
>
> The first t64-changed libspf2 was uninstallable on the 32bit archs,
> which is why exim4 was not bin-nmued successfully there yet. This is
> fixed now.
>
> This can only be done successfully after libtirpc 1.3.4+ds-1.2 has
> passed NEW processing.

libtirpc has been accepted. :-)

The exim4 changelog entry should refer to -8.2, though:

nmu exim4_4.97-5 . armel armhf hppa m68k . unstable . -m "Rebuild against libspf2-dev 1.2.10-8.2 (64-bit time_t transition)"

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#1067729: nmu: exim4_4.97-5
Package: release.debian.org
Severity: normal
Control: affects -1 + src:exim4
User: release.debian@packages.debian.org
Usertags: binnmu

Hello,

nmu exim4_4.97-5 . armel armhf hppa m68k . unstable . -m "Rebuild against libspf2-dev >= 1.2.10-8.1 (64-bit time_t transition)"

The first t64-changed libspf2 was uninstallable on the 32bit archs,
which is why exim4 was not bin-nmued successfully there yet. This is
fixed now.

This can only be done successfully after libtirpc 1.3.4+ds-1.2 has
passed NEW processing.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#1061190: bullseye-pu: package gnutls28/3.7.1-5+deb11u5
On 2024-03-01 Salvatore Bonaccorso wrote:
> On Thu, Feb 01, 2024 at 06:35:38AM, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed
>>
>> On Sat, 2024-01-20 at 15:53 +0100, Andreas Metzler wrote:
>>> I would like to fix both CVE-2024-0567 and CVE-2024-0553 via an
>>> oldstable update since they do not require a DSA.
>>
>> Please go ahead.
>
> Andreas did you see the ack from Adam?
>
> FTR, please keep the CVE references now as we have the incomplete fix
> in bullseye for CVE-2023-5981 with the 3.7.1-5+deb11u4 .

Good Morning,

Thank you for the reminder, looks like I only did a "dput -s" instead of
the actual dput.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#1061190: bullseye-pu: package gnutls28/3.7.1-5+deb11u5
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: gnutl...@packages.debian.org, t...@security.debian.org Control: affects -1 + src:gnutls28 Hello, I would like to fix both CVE-2024-0567 and CVE-2024-0553 via a oldstable-updates since they do not require a DSA. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog --- gnutls28-3.7.1/debian/changelog 2023-11-30 11:37:44.0 +0100 +++ gnutls28-3.7.1/debian/changelog 2024-01-20 07:56:15.0 +0100 @@ -1,3 +1,13 @@ +gnutls28 (3.7.1-5+deb11u5) bullseye; urgency=medium + + * Cherrypick two CVE fixes from 3.8.3: +Fix assertion failure when verifying a certificate chain with a cycle of +cross signatures. CVE-2024-0567 GNUTLS-SA-2024-01-09 Closes: #1061045 +Fix more timing side-channel inside RSA-PSK key exchange. CVE-2024-0553 +GNUTLS-SA-2024-01-14 Closes: #1061046 + + -- Andreas Metzler Sat, 20 Jan 2024 07:56:15 +0100 + gnutls28 (3.7.1-5+deb11u4) bullseye; urgency=medium * Backport fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23 (timing sidechannel diff -Nru gnutls28-3.7.1/debian/patches/63-x509-detect-loop-in-certificate-chain.patch gnutls28-3.7.1/debian/patches/63-x509-detect-loop-in-certificate-chain.patch --- gnutls28-3.7.1/debian/patches/63-x509-detect-loop-in-certificate-chain.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.7.1/debian/patches/63-x509-detect-loop-in-certificate-chain.patch 2024-01-20 07:56:15.0 +0100 
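Review bot: the debian/changelog hunk names only the CVE and GNUTLS-SA ids; add the patch file names the debdiff introduces (the one visible here is debian/patches/63-x509-detect-loop-in-certificate-chain.patch for CVE-2024-0567; the CVE-2024-0553 patch file is not shown in this excerpt) and the upstream commit ids, as the exim4 entries elsewhere in this thread do, so the stable release managers can match each cherry-pick to its upstream change. "Fix more timing side-channel" also reads better as "Fix another timing side-channel".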
@@ -0,0 +1,188 @@ +From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 11 Jan 2024 15:45:11 +0900 +Subject: [PATCH 1/2] x509: detect loop in certificate chain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There can be a loop in a certificate chain, when multiple CA +certificates are cross-signed with each other, such as A → B, B → C, +and C → A. Previously, the verification logic was not capable of +handling this scenario while sorting the certificates in the chain in +_gnutls_sort_clist, resulting in an assertion failure. This patch +properly detects such loop and aborts further processing in a graceful +manner. + +Signed-off-by: Daiki Ueno +--- + lib/x509/common.c | 4 ++ + tests/test-chains.h | 125 + 2 files changed, 129 insertions(+) + +--- a/lib/x509/common.c b/lib/x509/common.c +@@ -1794,10 +1794,14 @@ unsigned int _gnutls_sort_clist(gnutls_x + prev = issuer[prev]; + if (prev < 0) { /* no issuer */ + break; + } + ++ if (insorted[prev]) { /* loop detected */ ++ break; ++ } ++ + sorted[i] = clist[prev]; + insorted[prev] = 1; + } + + /* append the remaining certs */ +--- a/tests/test-chains.h b/tests/test-chains.h +@@ -4261,10 +4261,133 @@ static const char *rsa_sha1_not_in_trust + "tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n" + "-END CERTIFICATE-\n", + NULL + }; + ++static const char *cross_signed[] = { ++ /* server (signed by A1) */ ++ "-BEGIN CERTIFICATE-\n" ++ "MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n" ++ "BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n" ++ "MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n" ++ "Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n" ++ "qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n" ++ "c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n" ++ "B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n" ++ 
"v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n" ++ "CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n" ++ "-END CERTIFICATE-\n", ++ /* A1 (signed by A) */ ++ "-BEGIN CERTIFICATE-\n" ++ "MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n" ++ "BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n" ++ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n" ++ "u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n" ++ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n" ++ "HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n" ++ "DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp
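Review bot: in the lib/x509/common.c hunk, the new `if (insorted[prev]) { /* loop detected */ break; }` is correctly placed after the `prev < 0` test, so `insorted` is never indexed with a negative issuer. The break only stops the sort; the members of the cycle then fall through to the `/* append the remaining certs */` path and reach verification unsorted, so the `cross_signed` chain added to tests/test-chains.h should assert the verification status it expects (a failure result, not merely the absence of the former assertion abort). The test array is cut off in this archive, so check the full 188-line patch file for that expectation.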
Bug#1061189: bookworm-pu: package gnutls28/3.7.9-2+deb12u2
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: gnutl...@packages.debian.org, t...@security.debian.org, gnutl...@packages.debian.org Control: affects -1 + src:gnutls28 Hello, I would like to fix both CVE-2024-0567 and CVE-2024-0553 via a stable-updates since they do not require a DSA. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable cu Andreas diff -Nru gnutls28-3.7.9/debian/changelog gnutls28-3.7.9/debian/changelog --- gnutls28-3.7.9/debian/changelog 2023-11-30 07:50:48.0 +0100 +++ gnutls28-3.7.9/debian/changelog 2024-01-19 18:28:37.0 +0100 @@ -1,3 +1,13 @@ +gnutls28 (3.7.9-2+deb12u2) bookworm; urgency=medium + + * Cherrypick two CVE fixes from 3.8.3: +Fix assertion failure when verifying a certificate chain with a cycle of +cross signatures. CVE-2024-0567 GNUTLS-SA-2024-01-09 Closes: #1061045 +Fix more timing side-channel inside RSA-PSK key exchange. CVE-2024-0553 +GNUTLS-SA-2024-01-14 Closes: #1061046 + + -- Andreas Metzler Fri, 19 Jan 2024 18:28:37 +0100 + gnutls28 (3.7.9-2+deb12u1) bookworm; urgency=medium * Backport fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23 (timing sidechannel diff -Nru gnutls28-3.7.9/debian/patches/61-x509-detect-loop-in-certificate-chain.patch gnutls28-3.7.9/debian/patches/61-x509-detect-loop-in-certificate-chain.patch --- gnutls28-3.7.9/debian/patches/61-x509-detect-loop-in-certificate-chain.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.7.9/debian/patches/61-x509-detect-loop-in-certificate-chain.patch 2024-01-19 18:28:07.0 +0100 
@@ -0,0 +1,188 @@ +From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 11 Jan 2024 15:45:11 +0900 +Subject: [PATCH 1/2] x509: detect loop in certificate chain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There can be a loop in a certificate chain, when multiple CA +certificates are cross-signed with each other, such as A → B, B → C, +and C → A. Previously, the verification logic was not capable of +handling this scenario while sorting the certificates in the chain in +_gnutls_sort_clist, resulting in an assertion failure. This patch +properly detects such loop and aborts further processing in a graceful +manner. + +Signed-off-by: Daiki Ueno +--- + lib/x509/common.c | 4 ++ + tests/test-chains.h | 125 + 2 files changed, 129 insertions(+) + +--- a/lib/x509/common.c b/lib/x509/common.c +@@ -1794,10 +1794,14 @@ unsigned int _gnutls_sort_clist(gnutls_x + prev = issuer[prev]; + if (prev < 0) { /* no issuer */ + break; + } + ++ if (insorted[prev]) { /* loop detected */ ++ break; ++ } ++ + sorted[i] = clist[prev]; + insorted[prev] = 1; + } + + /* append the remaining certs */ +--- a/tests/test-chains.h b/tests/test-chains.h +@@ -4261,10 +4261,133 @@ static const char *rsa_sha1_not_in_trust + "tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n" + "-END CERTIFICATE-\n", + NULL + }; + ++static const char *cross_signed[] = { ++ /* server (signed by A1) */ ++ "-BEGIN CERTIFICATE-\n" ++ "MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n" ++ "BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n" ++ "MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n" ++ "Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n" ++ "qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n" ++ "c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n" ++ "B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n" ++ 
"v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n" ++ "CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n" ++ "-END CERTIFICATE-\n", ++ /* A1 (signed by A) */ ++ "-BEGIN CERTIFICATE-\n" ++ "MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n" ++ "BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n" ++ "GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n" ++ "u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n" ++ "VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n" ++ "HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n" ++ "DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnkfyLi0\n" ++ "TLVBHvUJ\n" ++ "-END CERTIFICATE-\n", ++ /* A (signed by B) */ ++ "-BE
Bug#1057137: bullseye-pu: package gnutls28/3.7.1-5+deb11u4
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Control: affects -1 + src:gnutls28 Hello, I would like to fix CVE-2023-5981 / GNUTLS-SA-2023-10-23 for oldstable (no DSA forthcoming, to fixed by stable update.) The patch is cherrypicked from upstream 3.8.2 release. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog --- gnutls28-3.7.1/debian/changelog 2023-02-12 13:59:45.0 +0100 +++ gnutls28-3.7.1/debian/changelog 2023-11-30 11:37:44.0 +0100 @@ -1,3 +1,10 @@ +gnutls28 (3.7.1-5+deb11u4) bullseye; urgency=medium + + * Backport fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23 (timing sidechannel +in RSA-PSK key exchange) from 3.8.2. Closes: #1056188 + + -- Andreas Metzler Thu, 30 Nov 2023 11:37:44 +0100 + gnutls28 (3.7.1-5+deb11u3) bullseye-security; urgency=high * Fix timing sidechannel vulnerability in RSA decryption. diff -Nru gnutls28-3.7.1/debian/patches/62-auth-rsa_psk-side-step-potential-side-channel.patch gnutls28-3.7.1/debian/patches/62-auth-rsa_psk-side-step-potential-side-channel.patch --- gnutls28-3.7.1/debian/patches/62-auth-rsa_psk-side-step-potential-side-channel.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.7.1/debian/patches/62-auth-rsa_psk-side-step-potential-side-channel.patch 2023-11-30 11:37:44.0 +0100 
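Review bot: the changelog hunk says the fix is backported "from 3.8.2" but does not cite the upstream commit; the patch header carries 29d6298d0b04cfff970b993915db71ba3f580b6d, and quoting it in the entry lets the cherry-pick be verified against upstream. "timing sidechannel" is also spelt "side-channel" in the patch subject; pick one spelling.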
@@ -0,0 +1,229 @@ +From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 23 Oct 2023 09:26:57 +0900 +Subject: [PATCH] auth/rsa_psk: side-step potential side-channel + +This removes branching that depends on secret data, porting changes +for regular RSA key exchange from +4804febddc2ed958e5ae774de2a8f85edeeff538 and +80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the +allow_wrong_pms as it was used sorely to control debug output +depending on the branching. + +Signed-off-by: Daiki Ueno +--- + lib/auth/rsa.c | 2 +- + lib/auth/rsa_psk.c | 90 ++ + lib/gnutls_int.h | 4 --- + lib/priority.c | 1 - + 4 files changed, 35 insertions(+), 62 deletions(-) + +--- a/lib/auth/rsa.c b/lib/auth/rsa.c +@@ -205,11 +205,11 @@ proc_rsa_client_kx(gnutls_session_t sess + gnutls_privkey_decrypt_data2(session->internals.selected_key, + 0, , session->key.key.data, + session->key.key.size); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +- * channel that can be used as an oracle, so treat very carefully */ ++ * channel that can be used as an oracle, so tread carefully */ + + /* Error handling logic: + * In case decryption fails then don't inform the peer. Just use the + * random key previously generated. (in order to avoid attack against + * pkcs-1 formatting). 
+--- a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c +@@ -262,18 +262,17 @@ static int + _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + size_t _data_size) + { + gnutls_datum_t username; + psk_auth_info_t info; +- gnutls_datum_t plaintext; + gnutls_datum_t ciphertext; + gnutls_datum_t pwd_psk = { NULL, 0 }; + int ret, dsize; +- int randomize_key = 0; + ssize_t data_size = _data_size; + gnutls_psk_server_credentials_t cred; + gnutls_datum_t premaster_secret = { NULL, 0 }; ++ volatile uint8_t ver_maj, ver_min; + + cred = (gnutls_psk_server_credentials_t) + _gnutls_get_cred(session, GNUTLS_CRD_PSK); + + if (cred == NULL) { +@@ -325,75 +324,53 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + ciphertext.size = dsize; + +- ret = +- gnutls_privkey_decrypt_data(session->internals.selected_key, 0, +- , ); +- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) { +- /* In case decryption fails then don't inform +- * the peer. Just use a random key. (in order to avoid +- * attack against pkcs-1 formatting). +- */ +- gnutls_assert(); +- _gnutls_debug_log +- ("auth_rsa_psk: Possible PKCS #1 format attack\n"); +- if (ret >= 0) { +- gnutls_free(plaintext.data); +- } +- randomize_key = 1; +- } else { +- /* If the secret was properly formatted, then +- * check the version number. +- */ +- if (_gnutls_get_adv_version_major(session) != +- plaintext.data[0] +- || (session->internals.allow_wrong_pms == 0 +- && _gnutls_get_adv_version_minor(session) != +- plaintext.data[1])) { +- /* No error is returned here, if the version
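Review bot: in the rsa_psk.c hunks, the declarations drop `plaintext` and `randomize_key` and add `volatile uint8_t ver_maj, ver_min`, and the second hunk removes the `if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE)` branch together with its `_gnutls_debug_log("auth_rsa_psk: Possible PKCS #1 format attack\n")`, which was both a secret-dependent branch and an observable log event. The replacement code is truncated in this archive, so confirm in the applied source that the decrypt result is consumed without an early return, as the rsa.c comment ("tread carefully") requires; `volatile` only stops the compiler from folding the version compare, it does not make the surrounding code constant-time on its own. The commit message's "used sorely" is presumably "used solely", but leave the cherry-picked text as upstream wrote it.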
Bug#1057128: bookworm-pu: package gnutls28/3.7.9-2+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu Control: affects -1 + src:gnutls28 Hello, I would like to fix CVE-2023-5981 / GNUTLS-SA-2023-10-23 for stable (no DSA forthcoming, to fixed by stable update.) The patch is cherrypicked from upstream 3.8.2 release. Ubuntu's 3.7.8-5ubuntu1.1 has the same patch (except for being U3 instead of U5 format). [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru gnutls28-3.7.9/debian/changelog gnutls28-3.7.9/debian/changelog --- gnutls28-3.7.9/debian/changelog 2023-04-15 13:45:57.0 +0200 +++ gnutls28-3.7.9/debian/changelog 2023-11-30 07:50:48.0 +0100 @@ -1,3 +1,10 @@ +gnutls28 (3.7.9-2+deb12u1) bookworm; urgency=medium + + * Backport fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23 (timing sidechannel +in RSA-PSK key exchange) from 3.8.2. Closes: #1056188 + + -- Andreas Metzler Thu, 30 Nov 2023 07:50:48 +0100 + gnutls28 (3.7.9-2) unstable; urgency=medium * CI: Do not try to run tests/ktls.sh, it uses a helper binary. (Plus gnutls diff -Nru gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch --- gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch 2023-11-30 07:50:48.0 +0100 
@@ -0,0 +1,229 @@ +From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 23 Oct 2023 09:26:57 +0900 +Subject: [PATCH] auth/rsa_psk: side-step potential side-channel + +This removes branching that depends on secret data, porting changes +for regular RSA key exchange from +4804febddc2ed958e5ae774de2a8f85edeeff538 and +80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the +allow_wrong_pms as it was used sorely to control debug output +depending on the branching. + +Signed-off-by: Daiki Ueno +--- + lib/auth/rsa.c | 2 +- + lib/auth/rsa_psk.c | 90 ++ + lib/gnutls_int.h | 4 --- + lib/priority.c | 1 - + 4 files changed, 35 insertions(+), 62 deletions(-) + +--- a/lib/auth/rsa.c b/lib/auth/rsa.c +@@ -205,11 +205,11 @@ proc_rsa_client_kx(gnutls_session_t sess + gnutls_privkey_decrypt_data2(session->internals.selected_key, + 0, , session->key.key.data, + session->key.key.size); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +- * channel that can be used as an oracle, so treat very carefully */ ++ * channel that can be used as an oracle, so tread carefully */ + + /* Error handling logic: + * In case decryption fails then don't inform the peer. Just use the + * random key previously generated. (in order to avoid attack against + * pkcs-1 formatting). 
+--- a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c +@@ -262,18 +262,17 @@ static int + _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + size_t _data_size) + { + gnutls_datum_t username; + psk_auth_info_t info; +- gnutls_datum_t plaintext; + gnutls_datum_t ciphertext; + gnutls_datum_t pwd_psk = { NULL, 0 }; + int ret, dsize; +- int randomize_key = 0; + ssize_t data_size = _data_size; + gnutls_psk_server_credentials_t cred; + gnutls_datum_t premaster_secret = { NULL, 0 }; ++ volatile uint8_t ver_maj, ver_min; + + cred = (gnutls_psk_server_credentials_t) + _gnutls_get_cred(session, GNUTLS_CRD_PSK); + + if (cred == NULL) { +@@ -327,75 +326,53 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + ciphertext.size = dsize; + +- ret = +- gnutls_privkey_decrypt_data(session->internals.selected_key, 0, +- , ); +- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) { +- /* In case decryption fails then don't inform +- * the peer. Just use a random key. (in order to avoid +- * attack against pkcs-1 formatting). +- */ +- gnutls_assert(); +- _gnutls_debug_log +- ("auth_rsa_psk: Possible PKCS #1 format attack\n"); +- if (ret >= 0) { +- gnutls_free(plaintext.data); +- } +- randomize_key = 1; +- } else { +- /* If the secret was properly formatted, then +- * check the version number. +- */ +- if (_gnutls_get_adv_version_major(session) != +- plaintext.data[0] +- || (session->internals.allow_wrong_pms == 0 +- && _gnutls_get_adv_version_
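Review bot: same upstream commit as patch 62- in the bullseye upload, but the second rsa_psk.c hunk header is `@@ -327,75 +326,53 @@` here against `@@ -325,75 +324,53 @@` for 3.7.1, so the context was refreshed for 3.7.9; confirm it applies without fuzz (`quilt push -a` during the build) and keep both copies aligned if upstream revises the change.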
Bug#1055155: bookworm-pu: package exim4/4.96-15+deb12u3 (2nd try for new bug)
On 2023-11-04 Andreas Metzler wrote: [...] > Thank you, updated. Another iteration, adding + 76-14-Lookups-Fix-dnsdb-lookup-of-multi-chunk-TXT.-Bug-305.patch Fix regression in dnsdb in CVE-2023-42119 fix. (Upstream bug 3054) dnsdb lookups were swallowing the last character of multiline TXT records, as shown with /usr/sbin/exim4 -be '${lookup dnsdb{>\n; txt=exim.org}}' outputting "cumi" instead of "cumin" cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2023-09-29 22:38:02.0 +0200 +++ exim4-4.96/debian/changelog 2023-11-18 11:07:57.0 +0100 
@@ -1,3 +1,31 @@ +exim4 (4.96-15+deb12u3) bookworm; urgency=medium + + * Multiple bugfixes from upstream GIT master: ++ 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch ++ 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch + (Upstream bug 2998) ++ 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch ++ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch + (Upstream bug 3013) ++ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand + TLS cert expiry date. Closes: #1043233 + (Upstream bug 3014) ++ 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch ++ 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch ((Upstream bug 3023) ++ 76-12-DNS-more-hardening-against-crafted-responses.patch ++ 76-14-Lookups-Fix-dnsdb-lookup-of-multi-chunk-TXT.-Bug-305.patch Fix + regression in dnsdb in CVE-2023-42119 fix. (Upstream bug 3054) + * tests/basic: Add isolation-container restriction (needs a running +exim daemon). + * Add ${run } expansion test to tests/basic. + * Update code to 4.96.2, fixing issues with the proxy protocol +(CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42119). It +also includes additional hardening for spf lookups, however CVE-2023-42118 +was diagnosed as a vulnerability in the libspf2 library and needs to be +addressed there. Closes: #1053310 + + -- Andreas Metzler Wed, 18 Nov 2023 11:07:57 +0100 + exim4 (4.96-15+deb12u2) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch --- exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 2023-11-18 11:07:57.0 +0100 
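Review bot: in the changelog hunk, the 76-14 entry "Fix regression in dnsdb in CVE-2023-42119 fix" appears above the "Update code to 4.96.2" entry that introduced that CVE fix, so a reader meets the regression before the change it regressed from; moving the 4.96.2 bullet first, or saying "regression introduced by the 4.96.2 update below", reads better. `((Upstream bug 3023)` has a doubled opening parenthesis.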
@@ -0,0 +1,35 @@ +From 4d108ee9b8e5fb212c31812fef61529cd414 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 12 Jun 2023 22:13:46 +0100 +Subject: [PATCH] Cancel early-pipe on an observed advertising change + +--- + src/transports/smtp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/transports/smtp.c b/src/transports/smtp.c +index c72028ce9..24ee577a2 100644 +--- a/src/transports/smtp.c b/src/transports/smtp.c +@@ -,15 +,18 @@ if (pending_EHLO) + *(tls_out.active.sock < 0 + ? >ehlo_resp.cleartext_features : >ehlo_resp.crypted_features) = + peer_offered; + *ap = authbits; + write_ehlo_cache_entry(sx); + } + else ++ { + invalidate_ehlo_cache_entry(sx); ++ sx->early_pipe_active = FALSE; /* cancel further early-pipe on this conn */ ++ } + + return OK; /* just carry on */ + } + # ifdef EXPERIMENTAL_ESMTP_LIMITS + /* If we are handling LIMITS, compare the actual EHLO LIMITS values with the + cached values and invalidate cache if different. OK to carry on with + connect since values are advisory. */ +-- +2.40.1 + diff -Nru exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch --- exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 2023-11-18 11:07:57.0 +0100 @@ -0,0 +1,99 @@ +From 1209e3e19e292cee517e43a2ccfe9b44b33bb1dc Mon Sep 17 00:00:00 2001 +From: Jasen Betts +Date: Sun, 23 Jul 2023 13:43:59 +0100 +Subject: [PATCH] Expansions: disallow UTF-16 surrogates from ${utf8clean:...}. + Bug 2998 + +--- + doc/ChangeLog | 4 + src/expand.c | 27 +-- + 2 files changed, 21 insertions(+), 10 deletions(-) + +--- a/src/expand.c b/src/expand.c +@@ -7731,11 +7731,11 @@ NOT_ITEM: ; + + case EOP_UTF8CLEAN: + { + int seq_len = 0, index = 0; + int by
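The regression described above (the last character of a multi-chunk TXT answer being dropped, "cumi" instead of "cumin") is the kind of off-by-one that a small, bounds-checked chunk joiner avoids. The following is an added example written for this page; it is not exim's dnsdb code and is not taken from patch 76-14. The function name is an assumption, and the RDATA samples are constructed. It joins the RFC 1035 <character-string> chunks of a TXT record (one length byte followed by up to 255 bytes each) and rejects a chunk whose length byte claims more bytes than remain, so a truncated or crafted response cannot push the parser past the RDATA.

```c
/* Added example, not exim's code and not part of the patches in this bug:
 * join the <character-string> chunks of a DNS TXT record's RDATA
 * (RFC 1035 section 3.3.14: each chunk is one length byte followed by up to
 * 255 bytes) into one NUL-terminated string, checking every length byte
 * against the bytes that actually remain. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns the joined length (without the NUL), or -1 when a chunk length
 * points past the end of rdata or the output buffer is too small. */
int txt_rdata_concat(const uint8_t *rdata, size_t rdlen, char *out, size_t outlen)
{
    size_t pos = 0, used = 0;

    if (outlen == 0)
        return -1;
    while (pos < rdlen) {
        size_t n = rdata[pos++];            /* length byte of the next chunk */
        if (n > rdlen - pos)                /* chunk claims more bytes than remain */
            return -1;
        if (n >= outlen - used)             /* keep one byte for the NUL */
            return -1;
        memcpy(out + used, rdata + pos, n); /* copy all n bytes, the last one included */
        used += n;
        pos += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed sample RDATA (an assumption, not a real exim.org answer): the
 * TXT value "cumin" split into two chunks, "cu" and "min". */
static const uint8_t SAMPLE_TWO_CHUNKS[] = { 2, 'c', 'u', 3, 'm', 'i', 'n' };
/* Constructed malformed RDATA: the length byte says 9 but only 2 bytes follow. */
static const uint8_t SAMPLE_OVERLONG[] = { 9, 'a', 'b' };

/* 1 when joining SAMPLE_TWO_CHUNKS yields exactly "cumin" (final 'n' kept). */
int sample_two_chunks_intact(void)
{
    char buf[64];
    int n = txt_rdata_concat(SAMPLE_TWO_CHUNKS, sizeof SAMPLE_TWO_CHUNKS, buf, sizeof buf);
    return n == 5 && strcmp(buf, "cumin") == 0;
}

/* Result for the malformed sample; must be -1. */
int sample_overlong_rejected(void)
{
    char buf[64];
    return txt_rdata_concat(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, buf, sizeof buf);
}

/* Result when the output buffer cannot hold "cumin" plus its NUL; must be -1. */
int sample_small_buffer_rejected(void)
{
    char buf[5];
    return txt_rdata_concat(SAMPLE_TWO_CHUNKS, sizeof SAMPLE_TWO_CHUNKS, buf, sizeof buf);
}

int main(void)
{
    char buf[64];
    int n = txt_rdata_concat(SAMPLE_TWO_CHUNKS, sizeof SAMPLE_TWO_CHUNKS, buf, sizeof buf);

    printf("joined %d bytes: \"%s\"\n", n, buf);
    printf("overlong chunk -> %d, small buffer -> %d\n",
           sample_overlong_rejected(), sample_small_buffer_rejected());
    return 0;
}
```

The `exim4 -be '${lookup dnsdb{>\n; txt=exim.org}}'` check in the message tests the same property end to end: the joined value must end with the last byte of the last chunk. A unit check like `sample_two_chunks_intact` belongs next to the fix so that later hardening of the response parser, as in the CVE-2023-42119 fix where this regression was introduced, cannot silently bring the truncation back.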
Bug#1055155: bookworm-pu: package exim4/4.96-15+deb12u3 (2nd try for new bug)
On 2023-11-04 Salvatore Bonaccorso wrote: > On Wed, Nov 01, 2023 at 12:03:37PM +0100, Andreas Metzler wrote: [...] > > * Update code to 4.96.2, fixing issues with the proxy protocol > > (CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It > > also includes additional hardening for spf lookups, however CVE-2023-42218 > The mentioned CVEs have a typo. I believe this should be > CVE-2023-42117 and CVE-2023-42119 (and for completeness about the > libspf2 mentioning CVE-2023-42118). Thank you, updated. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2023-09-29 22:38:02.0 +0200 +++ exim4-4.96/debian/changelog 2023-11-01 07:07:57.0 +0100 
@@ -1,3 +1,29 @@ +exim4 (4.96-15+deb12u3) bookworm; urgency=medium + + * Multiple bugfixes from upstream GIT master: ++ 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch ++ 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch + (Upstream bug 2998) ++ 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch ++ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch + (Upstream bug 3013) ++ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand + TLS cert expiry date. Closes: #1043233 + (Upstream bug 3014) ++ 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch ++ 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch ((Upstream bug 3023) ++ 76-12-DNS-more-hardening-against-crafted-responses.patch + * tests/basic: Add isolation-container restriction (needs a running +exim daemon). + * Add ${run } expansion test to tests/basic. + * Update code to 4.96.2, fixing issues with the proxy protocol +(CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42119). It +also includes additional hardening for spf lookups, however CVE-2023-42118 +was diagnosed as a vulnerability in the libspf2 library and needs to be +addressed there. Closes: #1053310 + + -- Andreas Metzler Wed, 01 Nov 2023 07:07:57 +0100 + exim4 (4.96-15+deb12u2) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch --- exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 2023-11-01 07:03:21.0 +0100 
@@ -0,0 +1,35 @@ +From 4d108ee9b8e5fb212c31812fef61529cd414 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 12 Jun 2023 22:13:46 +0100 +Subject: [PATCH] Cancel early-pipe on an observed advertising change + +--- + src/transports/smtp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/transports/smtp.c b/src/transports/smtp.c +index c72028ce9..24ee577a2 100644 +--- a/src/transports/smtp.c b/src/transports/smtp.c +@@ -,15 +,18 @@ if (pending_EHLO) + *(tls_out.active.sock < 0 + ? >ehlo_resp.cleartext_features : >ehlo_resp.crypted_features) = + peer_offered; + *ap = authbits; + write_ehlo_cache_entry(sx); + } + else ++ { + invalidate_ehlo_cache_entry(sx); ++ sx->early_pipe_active = FALSE; /* cancel further early-pipe on this conn */ ++ } + + return OK; /* just carry on */ + } + # ifdef EXPERIMENTAL_ESMTP_LIMITS + /* If we are handling LIMITS, compare the actual EHLO LIMITS values with the + cached values and invalidate cache if different. OK to carry on with + connect since values are advisory. */ +-- +2.40.1 + diff -Nru exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch --- exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 2023-11-01 07:03:21.0 +0100 
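Review bot: in the src/transports/smtp.c hunk, clearing `sx->early_pipe_active` next to `invalidate_ehlo_cache_entry(sx)` is the right place: once the peer's advertised features differ from the cached set, pipelining ahead of the fresh EHLO would act on stale capabilities, and the added braces are needed since the else body is now two statements. Note the hunk header reads `@@ -,15 +,18 @@` and the `>ehlo_resp.*` lines appear to have lost an `&sx-` prefix; that is archive rendering damage, not the patch, so verify the file in the package against the upstream commit named in its header rather than this copy.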
@@ -0,0 +1,99 @@ +From 1209e3e19e292cee517e43a2ccfe9b44b33bb1dc Mon Sep 17 00:00:00 2001 +From: Jasen Betts +Date: Sun, 23 Jul 2023 13:43:59 +0100 +Subject: [PATCH] Expansions: disallow UTF-16 surrogates from ${utf8clean:...}. + Bug 2998 + +--- + doc/ChangeLog | 4 + src/expand.c | 27 +-- + 2 files changed, 21 insertions(+), 10 deletions(-) + +--- a/src/expand.c b/src/expand.c +@@ -7731,11 +7731,11 @@ NOT_ITEM: ; + + case EOP_UTF8CLEAN: + { + int seq_len = 0, index = 0; + int bytes_left = 0; +- long codepoint = -1;
Bug#1055155: bookworm-pu: package exim4/4.96-15+deb12u3 (2nd try for new bug)
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu Control: affects -1 + src:exim4 Hello, I would like to push another round of cherry-picked upstream fixes to bookworm, including the update to 4.96.2 to fix two non-DSA minor security issues. The changes are included in the new upstream (4.97 rc) uploads to sid which= are present in sid and testing. * Multiple bugfixes from upstream GIT master: + 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch + 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch (Upstream bug 2998) + 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch + 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch (Upstream bug 3013) > ${run expansion breakage, similar to #1025420. + 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand TLS cert expiry date. Closes: #1043233 (Upstream bug 3014) > This is major hickup, bordering on RC. + 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch > Another patch for ${run} expansion breakage. + 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch ((Upstream bug 3023) + 76-12-DNS-more-hardening-against-crafted-responses.patch * tests/basic: Add isolation-container restriction (needs a running exim daemon). * Add ${run } expansion test to tests/basic. * Update code to 4.96.2, fixing issues with the proxy protocol (CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It also includes additional hardening for spf lookups, however CVE-2023-42218 was diagnosed as a vulnerability in the libspf2 library and needs to be addressed there. Closes: #1053310 cu Andreas diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2023-09-29 22:38:02.0 +0200 +++ exim4-4.96/debian/changelog 2023-11-01 07:07:57.0 +0100 
@@ -1,3 +1,29 @@ +exim4 (4.96-15+deb12u3) bookworm; urgency=medium + + * Multiple bugfixes from upstream GIT master: ++ 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch ++ 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch + (Upstream bug 2998) ++ 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch ++ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch + (Upstream bug 3013) ++ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand + TLS cert expiry date. Closes: #1043233 + (Upstream bug 3014) ++ 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch ++ 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch ((Upstream bug 3023) ++ 76-12-DNS-more-hardening-against-crafted-responses.patch + * tests/basic: Add isolation-container restriction (needs a running +exim daemon). + * Add ${run } expansion test to tests/basic. + * Update code to 4.96.2, fixing issues with the proxy protocol +(CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It +also includes additional hardening for spf lookups, however CVE-2023-42218 +was diagnosed as a vulnerability in the libspf2 library and needs to be +addressed there. Closes: #1053310 + + -- Andreas Metzler Wed, 01 Nov 2023 07:07:57 +0100 + exim4 (4.96-15+deb12u2) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch --- exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 2023-11-01 07:03:21.0 +0100 
@@ -0,0 +1,35 @@ +From 4d108ee9b8e5fb212c31812fef61529cd414 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 12 Jun 2023 22:13:46 +0100 +Subject: [PATCH] Cancel early-pipe on an observed advertising change + +--- + src/transports/smtp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/transports/smtp.c b/src/transports/smtp.c +index c72028ce9..24ee577a2 100644 +--- a/src/transports/smtp.c b/src/transports/smtp.c +@@ -,15 +,18 @@ if (pending_EHLO) + *(tls_out.active.sock < 0 + ? >ehlo_resp.cleartext_features : >ehlo_resp.crypted_features) = + peer_offered; + *ap = authbits; + write_ehlo_cache_entry(sx); + } + else ++ { + invalidate_ehlo_cache_entry(sx); ++ sx->early_pipe_active = FALSE; /* cancel further early-pipe on this conn */ ++ } + + return OK; /* just carry on */ + } + # ifdef EXPERIMENTAL_ESMTP_LIMITS + /* If we are handling LIMITS, compare the actual EHLO LIMITS values with the + cached values and invalidate cache if different. OK to carry on with + connect since values are advisory. */ +--
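Review bot: in the changelog hunk, the `76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch` line carries a doubled opening parenthesis, `((Upstream bug 3023)`; drop one so it reads `(Upstream bug 3023)` like the `(Upstream bug 2998)` and `(Upstream bug 3013)` entries around it.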
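Review bot: the `else` branch of the smtp.c hunk now clears `sx->early_pipe_active` next to `invalidate_ehlo_cache_entry(sx)`, so once the peer's live EHLO advertisement is seen to differ from the cached one (which, as the subject says, is what early pipelining had been proceeding on) no further commands are sent ahead of the responses they depend on; that is the safe direction, but the new comment should state that reasoning rather than only "cancel further early-pipe", and the `EXPERIMENTAL_ESMTP_LIMITS` block that follows also invalidates the cache on a mismatch yet carries on, so it is worth checking whether it needs the same cancellation. Separately, the hunk header reads `@@ -,15 +,18 @@` with no starting line numbers, which neither patch(1) nor quilt will parse as it stands; regenerate the file with `git format-patch` before upload.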
Bug#1049899: bookworm-pu: package exim4/4.96-15+deb12u3
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 + src:exim4

Hello,

I would like to push another round of cherry-picked upstream fixes to bookworm, including the update to 4.96.2 to fix two non-DSA minor security issues. The changes are included in the new upstream (4.97 rc) uploads to sid which are present in sid and testing.

* Multiple bugfixes from upstream GIT master:
  + 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
  + 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch (Upstream bug 2998)
  + 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
  + 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch (Upstream bug 3013)
    > ${run expansion breakage, similar to #1025420.
  + 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand TLS cert expiry date. Closes: #1043233 (Upstream bug 3014)
    > This is a major hiccup, bordering on RC.
  + 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
    > Another patch for ${run} expansion breakage.
  + 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch (Upstream bug 3023)
  + 76-12-DNS-more-hardening-against-crafted-responses.patch
* tests/basic: Add isolation-container restriction (needs a running exim daemon).
* Add ${run } expansion test to tests/basic.
* Update code to 4.96.2, fixing issues with the proxy protocol (CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It also includes additional hardening for spf lookups, however CVE-2023-42218 was diagnosed as a vulnerability in the libspf2 library and needs to be addressed there. Closes: #1053310

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2023-09-29 22:38:02.0 +0200 +++ exim4-4.96/debian/changelog 2023-11-01 07:07:57.0 +0100
@@ -1,3 +1,29 @@ +exim4 (4.96-15+deb12u3) bookworm; urgency=medium + + * Multiple bugfixes from upstream GIT master: ++ 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch ++ 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch + (Upstream bug 2998) ++ 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch ++ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch + (Upstream bug 3013) ++ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand + TLS cert expiry date. Closes: #1043233 + (Upstream bug 3014) ++ 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch ++ 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch ((Upstream bug 3023) ++ 76-12-DNS-more-hardening-against-crafted-responses.patch + * tests/basic: Add isolation-container restriction (needs a running +exim daemon). + * Add ${run } expansion test to tests/basic. + * Update code to 4.96.2, fixing issues with the proxy protocol +(CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It +also includes additional hardening for spf lookups, however CVE-2023-42218 +was diagnosed as a vulnerability in the libspf2 library and needs to be +addressed there. Closes: #1053310 + + -- Andreas Metzler Wed, 01 Nov 2023 07:07:57 +0100 + exim4 (4.96-15+deb12u2) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch --- exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 2023-11-01 07:03:21.0 +0100 
@@ -0,0 +1,35 @@ +From 4d108ee9b8e5fb212c31812fef61529cd414 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 12 Jun 2023 22:13:46 +0100 +Subject: [PATCH] Cancel early-pipe on an observed advertising change + +--- + src/transports/smtp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/transports/smtp.c b/src/transports/smtp.c +index c72028ce9..24ee577a2 100644 +--- a/src/transports/smtp.c b/src/transports/smtp.c +@@ -,15 +,18 @@ if (pending_EHLO) + *(tls_out.active.sock < 0 + ? >ehlo_resp.cleartext_features : >ehlo_resp.crypted_features) = + peer_offered; + *ap = authbits; + write_ehlo_cache_entry(sx); + } + else ++ { + invalidate_ehlo_cache_entry(sx); ++ sx->early_pipe_active = FALSE; /* cancel further early-pipe on this conn */ ++ } + + return OK; /* just carry on */ + } + # ifdef EXPERIMENTAL_ESMTP_LIMITS + /* If we are handling LIMITS, compare the actu
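Review bot: the changelog hunk repeats the doubled parenthesis `((Upstream bug 3023)` on the `76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch` line; since this is the re-filed copy of the same upload, fix it here too so the entry matches the `(Upstream bug ...)` form of its neighbours.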
Bug#1049899: bookworm-pu: package exim4/4.96-15+deb12u2
On 2023-10-07 Jonathan Wiltshire wrote:
[...]
> The version number in this request matches one we've had via a DSA (5512);
> are they the same or does the proposed upload supersede it?
[...]

Hello,

I will need to rebase the proposed changes version on top of the DSA. I got early notice that a security update was going to be needed and expected that the timing had a very good chance to conflict with the stable update. (Which it did.) I therefore did not actually upload the stable update. I only sent off-list notice about a delay (to Adam) because the security issue was embargoed.

As of now there are still three open exim issues with too little info but I still expect two more patches to exim and one for libspf. So I will wait a little bit more before proposing another stable-upload.

- Is it alright to keep this bug open or should I close this one and reopen another one when I am ready?

cu Andreas
Bug#1049899: bookworm-pu: package exim4/4.96-15+deb12u2
On 2023-08-16 Andreas Metzler wrote: [...] > I would like to push another round of cherry-picked upstream fixes to > bookworm. They have been part of the uploads to sid up to and including > 4.96-19. [...] Hello, I had to update the update since 75_78-Fix-free-of-value-after-run.patch broke a specific expansion. While at it I also pulled the CI related changes from -21. cu Andreas diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2023-07-02 14:56:17.0 +0200 +++ exim4-4.96/debian/changelog 2023-09-03 13:34:15.0 +0200 @@ -1,3 +1,22 @@ +exim4 (4.96-15+deb12u2) bookworm; urgency=medium + + * Multiple bugfixes from upstream GIT master: ++ 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch ++ 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch + (Upstream bug 2998) ++ 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch ++ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch + (Upstream bug 3013) ++ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand + TLS cert expiry date. Closes: #1043233 + (Upstream bug 3014) ++ 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch + * tests/basic: Add isolation-container restriction (needs a running +exim daemon). + * Add ${run } expansion test to tests/basic. + + -- Andreas Metzler Sun, 03 Sep 2023 13:34:15 +0200 + exim4 (4.96-15+deb12u1) bookworm; urgency=medium * 75_42-Fix-run-arg-parsing.patch (From upstream GIT master, backported by diff -Nru exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch --- exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 2023-08-16 17:44:32.0 +0200 
@@ -0,0 +1,35 @@ +From 4d108ee9b8e5fb212c31812fef61529cd414 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 12 Jun 2023 22:13:46 +0100 +Subject: [PATCH] Cancel early-pipe on an observed advertising change + +--- + src/transports/smtp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/transports/smtp.c b/src/transports/smtp.c +index c72028ce9..24ee577a2 100644 +--- a/src/transports/smtp.c b/src/transports/smtp.c +@@ -,15 +,18 @@ if (pending_EHLO) + *(tls_out.active.sock < 0 + ? >ehlo_resp.cleartext_features : >ehlo_resp.crypted_features) = + peer_offered; + *ap = authbits; + write_ehlo_cache_entry(sx); + } + else ++ { + invalidate_ehlo_cache_entry(sx); ++ sx->early_pipe_active = FALSE; /* cancel further early-pipe on this conn */ ++ } + + return OK; /* just carry on */ + } + # ifdef EXPERIMENTAL_ESMTP_LIMITS + /* If we are handling LIMITS, compare the actual EHLO LIMITS values with the + cached values and invalidate cache if different. OK to carry on with + connect since values are advisory. */ +-- +2.40.1 + diff -Nru exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch --- exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 2023-09-03 13:16:57.0 +0200 
@@ -0,0 +1,99 @@ +From 1209e3e19e292cee517e43a2ccfe9b44b33bb1dc Mon Sep 17 00:00:00 2001 +From: Jasen Betts +Date: Sun, 23 Jul 2023 13:43:59 +0100 +Subject: [PATCH] Expansions: disallow UTF-16 surrogates from ${utf8clean:...}. + Bug 2998 + +--- + doc/ChangeLog | 4 + src/expand.c | 27 +-- + 2 files changed, 21 insertions(+), 10 deletions(-) + +--- a/src/expand.c b/src/expand.c +@@ -7731,11 +7731,11 @@ NOT_ITEM: ; + + case EOP_UTF8CLEAN: + { + int seq_len = 0, index = 0; + int bytes_left = 0; +- long codepoint = -1; ++ ulong codepoint = (ulong)-1; + int complete; + uschar seq_buff[4]; /* accumulate utf-8 here */ + + /* Manually track tainting, as we deal in individual chars below */ + +@@ -7761,40 +7761,47 @@ NOT_ITEM: ; + codepoint = (codepoint << 6) | (c & 0x3f); + seq_buff[index++] = c; + if (--bytes_left == 0) /* codepoint complete */ + if(codepoint > 0x10) /* is it too large? */ + complete = -1; /* error (RFC3629 limit) */ ++ else if ( (codepoint & 0x1FF800 ) == 0xD800 ) /* surrogate */ ++ /* A UTF-16 surrogate (which should be one of a pair that ++ encode a Unicode codepoint that is outside the Basic ++ Multilingual Plane). Error, not UTF8. ++ RFC2279.2 is slight
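Review bot: the deb12u2 changelog hunk lists `75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch` where the earlier proposal for the very same version string (the first diff in Bug#1049899) had `75_78-Fix-free-of-value-after-run.patch`; the cover mail explains that 75_78 broke a specific expansion, but the changelog entry does not, so add a line recording that 75_78 was dropped in favour of 75_83 so the entry is self-explanatory without the mail.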
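Review bot: in the expand.c hunk, changing `codepoint` from `long` to `ulong` turns the RFC 3629 limit test (`complete = -1` on "too large") into an unsigned comparison, so the `(ulong)-1` starting value, which is ULONG_MAX, now reads as "too large" rather than "not yet set"; that is only harmless if the test is never reached before the first byte has been accumulated, so a one-line comment on the sentinel would spare the next reader the same check. The hunk as quoted here is cut off inside the new surrogate comment, so the remainder could not be reviewed.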
Bug#1049899: bookworm-pu: package exim4/4.96-15+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 + src:exim4

Hello,

I would like to push another round of cherry-picked upstream fixes to bookworm. They have been part of the uploads to sid up to and including 4.96-19. This was mainly triggered by
  + 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand TLS cert expiry date. Closes: #1043233
which borders on RC and
  + 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch (Upstream bug 3013)
which is similar to #1025420.

cu Andreas

diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2023-07-02 14:56:17.0 +0200 +++ exim4-4.96/debian/changelog 2023-08-16 15:12:39.0 +0200
@@ -1,3 +1,19 @@ +exim4 (4.96-15+deb12u2) bookworm; urgency=medium + + * Multiple bugfixes from upstream GIT master: ++ 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch ++ 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch + (Upstream bug 2998) ++ 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch ++ 75_78-Fix-free-of-value-after-run.patch ++ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch + (Upstream bug 3013) ++ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand + TLS cert expiry date. Closes: #1043233 + (Upstream bug 3014) + + -- Andreas Metzler Wed, 16 Aug 2023 15:12:39 +0200 + exim4 (4.96-15+deb12u1) bookworm; urgency=medium * 75_42-Fix-run-arg-parsing.patch (From upstream GIT master, backported by diff -Nru exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch --- exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 2023-08-16 14:59:06.0 +0200 
@@ -0,0 +1,35 @@ +From 4d108ee9b8e5fb212c31812fef61529cd414 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 12 Jun 2023 22:13:46 +0100 +Subject: [PATCH] Cancel early-pipe on an observed advertising change + +--- + src/transports/smtp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/transports/smtp.c b/src/transports/smtp.c +index c72028ce9..24ee577a2 100644 +--- a/src/transports/smtp.c b/src/transports/smtp.c +@@ -,15 +,18 @@ if (pending_EHLO) + *(tls_out.active.sock < 0 + ? >ehlo_resp.cleartext_features : >ehlo_resp.crypted_features) = + peer_offered; + *ap = authbits; + write_ehlo_cache_entry(sx); + } + else ++ { + invalidate_ehlo_cache_entry(sx); ++ sx->early_pipe_active = FALSE; /* cancel further early-pipe on this conn */ ++ } + + return OK; /* just carry on */ + } + # ifdef EXPERIMENTAL_ESMTP_LIMITS + /* If we are handling LIMITS, compare the actual EHLO LIMITS values with the + cached values and invalidate cache if different. OK to carry on with + connect since values are advisory. */ +-- +2.40.1 + diff -Nru exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch --- exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 2023-08-16 15:11:54.0 +0200 
@@ -0,0 +1,99 @@ +From 1209e3e19e292cee517e43a2ccfe9b44b33bb1dc Mon Sep 17 00:00:00 2001 +From: Jasen Betts +Date: Sun, 23 Jul 2023 13:43:59 +0100 +Subject: [PATCH] Expansions: disallow UTF-16 surrogates from ${utf8clean:...}. + Bug 2998 + +--- + doc/ChangeLog | 4 + src/expand.c | 27 +-- + 2 files changed, 21 insertions(+), 10 deletions(-) + +--- a/src/expand.c b/src/expand.c +@@ -7731,11 +7731,11 @@ NOT_ITEM: ; + + case EOP_UTF8CLEAN: + { + int seq_len = 0, index = 0; + int bytes_left = 0; +- long codepoint = -1; ++ ulong codepoint = (ulong)-1; + int complete; + uschar seq_buff[4]; /* accumulate utf-8 here */ + + /* Manually track tainting, as we deal in individual chars below */ + +@@ -7761,40 +7761,47 @@ NOT_ITEM: ; + codepoint = (codepoint << 6) | (c & 0x3f); + seq_buff[index++] = c; + if (--bytes_left == 0) /* codepoint complete */ + if(codepoint > 0x10) /* is it too large? */ + complete = -1; /* error (RFC3629 limit) */ ++ else if ( (codepoint & 0x1FF800 ) == 0xD800 ) /* surrogate */ ++ /* A UTF-16 surrogate (
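Review bot: the surrogate test `(codepoint & 0x1FF800) == 0xD800` in the expand.c hunk is correct (with the value already bounded by the preceding RFC 3629 limit branch it matches exactly U+D800..U+DFFF, since those are the only code points whose bits 11..15 are 11011 with bits 16..20 clear), but it is opaque; write it as `codepoint >= 0xD800 && codepoint <= 0xDFFF`, or keep the mask and put that range in the comment, so a reader does not have to redo the bit arithmetic to trust it.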
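The 75_76 patch above makes `${utf8clean:...}` refuse UTF-16 surrogate code points, which are not Unicode scalar values and which a downstream consumer (a JSON encoder, a database driver, a log parser) may reject or reinterpret even though the bytes look like well-formed three-byte UTF-8. As an added illustration, and my own code rather than anything from Exim's expand.c, here is a utf8clean-style scrubber in C that decodes each sequence, classifies it, and replaces anything that is not a valid scalar value with `?`, the replacement behaviour Exim documents for that operator. The sample strings are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Why a decoded sequence was accepted or refused. */
enum u8_status { U8_OK, U8_MALFORMED, U8_OVERLONG, U8_TOO_LARGE, U8_SURROGATE };

/* Decode one UTF-8 sequence from in[0..n).  Returns the number of bytes
 * consumed (always >= 1 when n > 0) and sets *st; *cp is only meaningful
 * when the sequence was structurally complete (every status but MALFORMED). */
static size_t u8_decode(const unsigned char *in, size_t n, uint32_t *cp,
                        enum u8_status *st)
{
    size_t len, i;
    uint32_t v, min;
    unsigned char c;

    if (n == 0) { *st = U8_MALFORMED; return 0; }
    c = in[0];
    if (c < 0x80) { *cp = c; *st = U8_OK; return 1; }          /* plain ASCII */
    if ((c & 0xE0) == 0xC0)      { len = 2; v = c & 0x1F; min = 0x80;    }
    else if ((c & 0xF0) == 0xE0) { len = 3; v = c & 0x0F; min = 0x800;   }
    else if ((c & 0xF8) == 0xF0) { len = 4; v = c & 0x07; min = 0x10000; }
    else { *st = U8_MALFORMED; return 1; }  /* stray continuation or 0xF8..0xFF lead */

    for (i = 1; i < len; i++) {
        if (i >= n || (in[i] & 0xC0) != 0x80) { *st = U8_MALFORMED; return i; }
        v = (v << 6) | (in[i] & 0x3F);
    }
    *cp = v;
    if (v < min)                         *st = U8_OVERLONG;   /* a shorter encoding exists */
    else if (v > 0x10FFFF)               *st = U8_TOO_LARGE;  /* RFC 3629 limit */
    else if (v >= 0xD800 && v <= 0xDFFF) *st = U8_SURROGATE;  /* UTF-16 half, not a scalar value */
    else                                 *st = U8_OK;
    return len;
}

/* utf8clean-style scrub: valid sequences are copied through unchanged,
 * every refused sequence becomes a single '?'.  Returns the number of
 * bytes written; out is NUL-terminated when cap > 0. */
size_t utf8_clean(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t ip = 0, op = 0;
    while (ip < n) {
        uint32_t cp;
        enum u8_status st;
        size_t used = u8_decode(in + ip, n - ip, &cp, &st);
        size_t need = (st == U8_OK) ? used : 1;
        if (op + need >= cap) break;             /* keep room for the NUL */
        if (st == U8_OK) memcpy(out + op, in + ip, used);
        else             out[op] = '?';
        op += need;
        ip += used;
    }
    if (cap > 0) out[op] = '\0';
    return op;
}

/* First problem found in a NUL-terminated string, U8_OK if none. */
enum u8_status utf8_first_problem(const char *s)
{
    const unsigned char *in = (const unsigned char *)s;
    size_t n = strlen(s), ip = 0;
    while (ip < n) {
        uint32_t cp;
        enum u8_status st;
        ip += u8_decode(in + ip, n - ip, &cp, &st);
        if (st != U8_OK) return st;
    }
    return U8_OK;
}

/* Convenience wrapper over utf8_clean for NUL-terminated input; returns a
 * pointer to a static buffer, so consume the result before the next call. */
const char *utf8_clean_str(const char *s)
{
    static char buf[256];
    utf8_clean((const unsigned char *)s, strlen(s), buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* Constructed samples: a valid 2-byte char, a lone high surrogate U+D800
     * (ED A0 80), a CESU-8 style surrogate pair for U+1F600, an overlong '/'
     * (C0 AF), a code point beyond U+10FFFF, a correct 4-byte U+1F600, a stray
     * continuation byte, and a truncated sequence. */
    const char *samples[] = {
        "caf\xC3\xA9", "\xED\xA0\x80", "\xED\xA0\xBD\xED\xB8\x80",
        "\xC0\xAF", "\xF4\x90\x80\x80", "\xF0\x9F\x98\x80", "abc\x80", "\xE2\x82",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("status %d -> \"%s\"\n", (int)utf8_first_problem(samples[i]),
               utf8_clean_str(samples[i]));
    return 0;
}
```

The CESU-8 sample is the case the patch is about: each half of the pair is a structurally valid three-byte sequence, so a decoder that only checks lead and continuation bits accepts it, and only the explicit U+D800..U+DFFF range test turns it into `??`.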
Bug#1040139: bookworm-pu: package exim4/4.96-15
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ex...@packages.debian.org
Control: affects -1 + src:exim4

Hello,

I would like to get most of the changes from 4.96-16 (unstable/testing) into bookworm:

* 75_42-Fix-run-arg-parsing.patch (From upstream GIT master, backported by Bryce Harrington for Ubuntu): Fix argument parsing for ${run } expansion. Previously, when an argument included a close-brace character (eg. it itself used an expansion) an error occurred. Closes: #1025420
* 75_68-Fix-srs_encode-.-for-mod-1024-day-zero.patch from upstream GIT master: Fix ${srs_encode ..}. Previously it would give a bad result for one day every 1024 days.

The former is something that has already popped up a couple of times on the upstream user support mailing list.

cu Andreas

diff --git a/debian/changelog b/debian/changelog index fbbb8c20..0231dc69 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +exim4 (4.96-15+deb12u1) bookworm; urgency=medium + + * 75_42-Fix-run-arg-parsing.patch (From upstream GIT master, backported by +Bryce Harrington for Ubuntu): Fix argument parsing for ${run } expansion. +Previously, when an argument included a close-brace character (eg. it +itself used an expansion) an error occurred. Closes: #1025420 + * 75_68-Fix-srs_encode-.-for-mod-1024-day-zero.patch from upstream GIT +master: Fix ${srs_encode ..}. Previously it would give a bad result for +one day every 1024 days. + + -- Andreas Metzler Sun, 02 Jul 2023 14:56:17 +0200 + exim4 (4.96-15) unstable; urgency=medium * Pull from upstream GIT master: diff --git a/debian/patches/75_42-Fix-run-arg-parsing.patch b/debian/patches/75_42-Fix-run-arg-parsing.patch new file mode 100644 index ..79e55d61 --- /dev/null +++ b/debian/patches/75_42-Fix-run-arg-parsing.patch
@@ -0,0 +1,100 @@ +From 44b6e099b76f403a55e77650821f8a69e9d2682e Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Sat, 3 Dec 2022 23:13:53 + +Subject: [PATCH] Fix ${run } arg parsing + . + Backported by Bryce Harrington for Ubuntu + +Broken-by: cfe6acff2ddc +--- + doc/ChangeLog| 4 + src/expand.c | 13 ++--- + src/transport.c | 4 +++- + test/scripts/-Basic/0002 | 2 ++ + test/stdout/0002 | 2 ++ + 5 files changed, 21 insertions(+), 4 deletions(-) + +--- a/doc/ChangeLog b/doc/ChangeLog +@@ -28,10 +28,14 @@ JH/13 Bug 2929: Fix using $recipients af + JH/14 Bug 2933: Fix regex substring match variables for null matches. Since 4.96 + a capture group which obtained no text (eg. "(abc)*" matching zero + occurrences) could cause a segfault if the corresponding $ was + expanded. + ++JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument ++ included a close-brace character (eg. it itself used an expansion) an ++ error occurred. ++ + + + Exim version 4.96 + - + +--- a/src/expand.c b/src/expand.c +@@ -5529,11 +5529,11 @@ while (*s) + { + FILE * f; + const uschar * arg, ** argv; + BOOL late_expand = TRUE; + +- if ((expand_forbid & RDO_RUN) != 0) ++ if (expand_forbid & RDO_RUN) + { + expand_string_message = US"running a command is not permitted"; + goto EXPAND_FAILED; + } + +@@ -5561,16 +5561,22 @@ while (*s) + } + s++; + + if (late_expand) /* this is the default case */ + { +- int n = Ustrcspn(s, "}"); ++ int n; ++ const uschar * t; ++ /* Locate the end of the args */ ++ (void) expand_string_internal(s, TRUE, , TRUE, TRUE, NULL); ++ n = t - s; + arg = skipping ? 
NULL : string_copyn(s, n); + s += n; + } + else + { ++ DEBUG(D_expand) ++ debug_printf_indent("args string for ${run} expand before split\n"); + if (!(arg = expand_string_internal(s, TRUE, , skipping, TRUE, ))) + goto EXPAND_FAILED; + Uskip_whitespace(); + } + /*{*/ +--- a/src/transport.c b/src/transport.c +@@ -2187,10 +2187,12 @@ if (expand_arguments) + BOOL allow_dollar_recipients = addr && addr->parent + && Ustrcmp(addr->parent->address, "system-filter") == 0; + + for (int i = 0; argv[i]; i++) + { ++DEBUG(D_expand) debug_printf_indent("arg %d\n", i); ++ + /* Handle special fudge for passing an address list */ + + if (addr && + (Ustrcmp(argv[i], "$pipe_addresses") == 0 || + Ustrcmp(argv[i], "${pipe_addresses}") == 0)) +@@ -2361,11 +2363,11 @@ if (expand_arguments) + } + else *errptr = msg; + return FALSE; + } + +- if ( f.running_in_test_harness && is_tainted(ex
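Review bot: in the `late_expand` branch of the expand.c hunk, `t` is declared without an initialiser and the result of the end-locating `expand_string_internal(...)` call is cast to void, so if that skipping pass fails, `n = t - s` is computed from an indeterminate pointer and `string_copyn(s, n)` is handed a garbage length; check the return value and `goto EXPAND_FAILED` before using `t`. Two smaller points: `int n` now holds a pointer difference and would be better as `ptrdiff_t` or `size_t`, and the added `DEBUG(D_expand) debug_printf_indent("arg %d\n", i);` in transport.c is flush-left inside an indented loop body, unlike the surrounding code.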
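The 75_42 fix above replaces a scan for the first `}` with a pass that honours nesting, so that a `${run}` command whose argument itself contains an expansion is delimited where the administrator closed the group rather than at the first `}` inside the nested lookup. As an added illustration, and my own code rather than Exim's expand.c, here is the same idea in C: the naive scan and a brace-counting scan side by side on a constructed argument string, with an unterminated group reported as an error instead of being silently truncated. The `RUN_ARGS` sample and the backslash-escape rule are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed ${run} argument text as the expander sees it after the
 * opening "{": the command line contains a nested ${lookup...} whose own
 * "}" characters must not terminate the argument group. */
static const char RUN_ARGS[] =
    "/usr/bin/logger -t exim ${lookup{key}lsearch{/etc/exim4/map}{$value}{none}}}{ok}{fail}";

/* Pre-fix behaviour: stop at the first '}' regardless of nesting. */
long arg_end_naive(const char *s)
{
    return (long)strcspn(s, "}");
}

/* Nesting-aware scan: offset of the '}' that closes the current group,
 * counting every '{' (including the one in "${") as opening a nested
 * group.  A backslash makes the following byte literal (assumed escape
 * rule for this demo).  Returns -1 when the group is unterminated, which
 * the caller should treat as an expansion failure rather than guessing. */
long arg_end_nested(const char *s)
{
    int depth = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\\' && s[i + 1] != '\0') { i++; continue; }
        if (s[i] == '{') {
            depth++;
        } else if (s[i] == '}') {
            if (depth == 0) return (long)i;
            depth--;
        }
    }
    return -1;
}

/* Copy the group's contents into out; returns its length, or -1 if the
 * group is unterminated or does not fit in cap bytes (including the NUL). */
long extract_group(const char *s, char *out, size_t cap)
{
    long end = arg_end_nested(s);
    if (end < 0 || (size_t)end + 1 > cap) return -1;
    memcpy(out, s, (size_t)end);
    out[end] = '\0';
    return end;
}

/* Static-buffer wrapper for quick checks; NULL on failure. */
const char *extract_group_str(const char *s)
{
    static char buf[256];
    return extract_group(s, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    printf("naive end   : %ld (\"%.*s\")\n", arg_end_naive(RUN_ARGS),
           (int)arg_end_naive(RUN_ARGS), RUN_ARGS);
    printf("nested end  : %ld (\"%s\")\n", arg_end_nested(RUN_ARGS),
           extract_group_str(RUN_ARGS));
    printf("unterminated: %ld\n", arg_end_nested("echo ${lookup{x}"));
    return 0;
}
```

On the sample the naive scan stops after `{key`, leaving a command string that is neither what was configured nor a complete expansion, which is the error the changelog describes; the nesting-aware scan returns the outer `}` and hands the whole `${lookup...}` through to be expanded as intended.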
Bug#1036395: RM: python-ooolib/0.0.22-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: python-ooo...@packages.debian.org, ametz...@bebt.de
Control: affects -1 + src:python-ooolib

Please remove the package from testing; the maintainer was (silently) waiting for it to be autoremoved. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965794#38

cu Andreas
Bug#1036025: unblock: exim4/4.96-15
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ex...@packages.debian.org
Control: affects -1 + src:exim4

Please unblock package exim4

This fixes an initialization error which caused a crash in the smtp transport. See https://bugs.exim.org/show_bug.cgi?id=2996

It is a one-line change; I have also removed garbage (unapplied patch) from debian/patches.

cu Andreas

unblock exim4/4.96-15

cu Andreas

diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2023-02-04 13:33:50.0 +0100 +++ exim4-4.96/debian/changelog 2023-05-10 18:30:35.0 +0200 @@ -1,3 +1,12 @@ +exim4 (4.96-15) unstable; urgency=medium + + * Pull from upstream GIT master: ++ 75_70-Fix-variable-initialisation-in-smtp-transport.-Bug-2.patch + Fix a crash in the smtp transport. + https://bugs.exim.org/show_bug.cgi?id=2996 + + -- Andreas Metzler Wed, 10 May 2023 18:30:35 +0200 + exim4 (4.96-14) unstable; urgency=medium * Pull from upstream GIT master: diff -Nru exim4-4.96/debian/patches/75_42-Fix-run-arg-parsing.patch exim4-4.96/debian/patches/75_42-Fix-run-arg-parsing.patch --- exim4-4.96/debian/patches/75_42-Fix-run-arg-parsing.patch 2022-12-04 08:02:50.0 +0100 +++ exim4-4.96/debian/patches/75_42-Fix-run-arg-parsing.patch 1970-01-01 01:00:00.0 +0100
@@ -1,99 +0,0 @@ -From 44b6e099b76f403a55e77650821f8a69e9d2682e Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Sat, 3 Dec 2022 23:13:53 + -Subject: [PATCH] Fix ${run } arg parsing - -Broken-by: cfe6acff2ddc - doc/ChangeLog| 4 - src/expand.c | 13 ++--- - src/transport.c | 4 +++- - test/scripts/-Basic/0002 | 2 ++ - test/stdout/0002 | 2 ++ - 5 files changed, 21 insertions(+), 4 deletions(-) - a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -28,10 +28,14 @@ - JH/14 Bug 2933: Fix regex substring match variables for null matches. Since 4.96 - a capture group which obtained no text (eg. "(abc)*" matching zero - occurrences) could cause a segfault if the corresponding $ was - expanded. - -+JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument -+ included a close-brace character (eg. it itself used an expansion) an -+ error occurred. -+ - - - Exim version 4.96 - - - a/src/expand.c -+++ b/src/expand.c -@@ -5529,11 +5529,11 @@ - { - FILE * f; - const uschar * arg, ** argv; - BOOL late_expand = TRUE; - -- if ((expand_forbid & RDO_RUN) != 0) -+ if (expand_forbid & RDO_RUN) - { - expand_string_message = US"running a command is not permitted"; - goto EXPAND_FAILED; - } - -@@ -5561,16 +5561,23 @@ - } - s++; - - if (late_expand) /* this is the default case */ - { -- int n = Ustrcspn(s, "}"); -+ int n; -+ const uschar * t; -+ /* Locate the end of the args */ -+ (void) expand_string_internal(s, -+ ESI_BRACE_ENDS | ESI_HONOR_DOLLAR | ESI_SKIPPING, , NULL, NULL); -+ n = t - s; - arg = skipping ? 
NULL : string_copyn(s, n); - s += n; - } - else - { -+ DEBUG(D_expand) -+ debug_printf_indent("args string for ${run} expand before split\n"); - if (!(arg = expand_string_internal(s, TRUE, , skipping, TRUE, ))) - goto EXPAND_FAILED; - Uskip_whitespace(); - } - /*{*/ a/src/transport.c -+++ b/src/transport.c -@@ -2187,10 +2187,12 @@ - BOOL allow_dollar_recipients = addr && addr->parent - && Ustrcmp(addr->parent->address, "system-filter") == 0; - - for (int i = 0; argv[i]; i++) - { -+DEBUG(D_expand) debug_printf_indent("arg %d\n", i); -+ - /* Handle special fudge for passing an address list */ - - if (addr && - (Ustrcmp(argv[i], "$pipe_addresses") == 0 || - Ustrcmp(argv[i], "${pipe_addresses}") == 0)) -@@ -2361,11 +2363,11 @@ - } - else *errptr = msg; - return FALSE; - } - -- if ( f.running_in_test_harness && is_tainted(expanded_arg) -+ if ( f.running_in_test_harness && is_tainted(expanded_arg) - && Ustrcmp(etext, "queryprogram router") == 0) - { /* hack, would be good to not need it */ - DEBUG(D_transport) - debug_printf("SPECIFIC TESTSUITE EXEMPTION: tainted arg '%s'\n", - expanded_arg); diff -Nru exim4-4.96/debian/patches/75_70-Fix-variable-initialisation-in-smtp-transport.-Bug-2.patch exim4-4.96/debian/patches/75_70-Fix-variable-initialisation-in-smtp-transport.-Bug-2.patch --- exim4-4.96/debian/patches/75_70-Fix-variable-initialisation-in-smtp-transport.-Bug-2.patch 1970-01-01 01:00:00.
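Review bot: the deleted `75_42-Fix-run-arg-parsing.patch` is the variant whose end-locating call is `expand_string_internal(s, ESI_BRACE_ENDS | ESI_HONOR_DOLLAR | ESI_SKIPPING, ...)`, the flag-style signature, whereas the copy later proposed for bookworm in Bug#1040139 uses the positional six-argument form against the same 4.96 tree; that supports the cover mail's description of this file as an unapplied leftover, but the 4.96-15 changelog entry only mentions 75_70, so add a line recording the removal so the debian/patches part of the diff is accounted for. The 75_70 patch itself is cut off at its file header here and could not be reviewed.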
Bug#1036005: unblock: pcp/6.0.3-1.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: p...@packages.debian.org, ametz...@bebt.de
Control: affects -1 + src:pcp

Hello,

Please unblock package pcp; this just adds missing Replaces: for upgrades from stable to testing. The NMU was originally uploaded to the delayed queue but I later got the go ahead from the package maintainer(s) to move to 0-day.

unblock pcp/6.0.3-1.1

cu Andreas

diff -Nru pcp-6.0.3/debian/changelog pcp-6.0.3/debian/changelog --- pcp-6.0.3/debian/changelog 2023-02-23 00:52:31.0 +0100 +++ pcp-6.0.3/debian/changelog 2023-05-07 11:36:37.0 +0200 @@ -1,3 +1,18 @@ +pcp (6.0.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Add missing replaces on pcp (<< 5.3.0): ++ pcp-export-pcp2elasticsearch Closes: #1034998 ++ pcp-export-pcp2json Closes: #1034983 ++ pcp-export-pcp2spark Closes: #1034932 ++ pcp-export-pcp2xml Closes: #1034922 ++ pcp-export-pcp2zabbix Closes: #1034973 ++ pcp-doc Closes: #1034966 ++ pcp-zeroconf Closes: #1034895 ++ pcp-export-pcp2xlsx (unfiled) + + -- Andreas Metzler Sun, 07 May 2023 11:36:37 +0200 + pcp (6.0.3-1) unstable; urgency=low * New release (full details in CHANGELOG). diff -Nru pcp-6.0.3/debian/control pcp-6.0.3/debian/control --- pcp-6.0.3/debian/control 2023-02-23 00:52:31.0 +0100 +++ pcp-6.0.3/debian/control 2023-05-07 07:37:15.0 +0200 @@ -385,6 +385,7 @@ Package: pcp-export-pcp2elasticsearch Depends: python3-pcp, python3-requests, ${python:Depends}, ${misc:Depends}, ${shlibs:Depends} Breaks: pcp (<< 5.3.0) +Replaces: pcp (<< 5.3.0) Architecture: any Description: Tool for exporting data from PCP to Elasticsearch Performance Co-Pilot (PCP) front-end tool for exporting data from PCP
@@ -409,6 +410,7 @@ Package: pcp-export-pcp2json Depends: python3-pcp, ${python:Depends}, ${misc:Depends}, ${shlibs:Depends} Breaks: pcp (<< 5.3.0) +Replaces: pcp (<< 5.3.0) Architecture: any Description: Tool for exporting data from PCP to JSON Performance Co-Pilot (PCP) front-end tool for exporting data from PCP @@ -417,6 +419,7 @@ Package: pcp-export-pcp2spark Depends: python3-pcp, python3-requests, ${python:Depends}, ${misc:Depends}, ${shlibs:Depends} Breaks: pcp (<< 5.3.0) +Replaces: pcp (<< 5.3.0) Architecture: any Description: Tool for exporting data from PCP to Apache Spark Performance Co-Pilot (PCP) front-end tools for exporting metric values @@ -425,6 +428,7 @@ Package: pcp-export-pcp2xml Depends: python3-pcp, ${python:Depends}, ${misc:Depends}, ${shlibs:Depends} Breaks: pcp (<< 5.3.0) +Replaces: pcp (<< 5.3.0) Architecture: any Description: Tool for exporting data from PCP to XML Performance Co-Pilot (PCP) front-end tool for exporting data from PCP @@ -433,6 +437,7 @@ Package: pcp-export-pcp2zabbix Depends: python3-pcp, ${python:Depends}, ${misc:Depends}, ${shlibs:Depends} Breaks: pcp (<< 5.3.0) +Replaces: pcp (<< 5.3.0) Architecture: any Description: Tool for exporting data from PCP to Zabbix Performance Co-Pilot (PCP) front-end tool for exporting data from PCP @@ -449,7 +454,7 @@ Section: doc Depends: ${misc:Depends} Breaks: pcp (<< 5.3.0), pcp-gui (<< 1.5.13) -Replaces: pcp-gui (<< 1.5.13) +Replaces: pcp (<< 5.3.0), pcp-gui (<< 1.5.13) Suggests: pcp, pcp-gui Architecture: all Description: Documentation and tutorial for the Performance Co-Pilot @@ -462,6 +467,7 @@ Package: pcp-zeroconf Depends: ${misc:Depends}, ${shlibs:Depends}, pcp (= ${binary:Version}) Breaks: pcp (<< 5.3.0) +Replaces: pcp (<< 5.3.0) Architecture: any Description: Performance Co-Pilot (PCP) Zeroconf Package Contains configuration tweaks and files that increase metrics gathering 
@@ -511,6 +517,7 @@ Package: pcp-export-pcp2xlsx Depends: ${python:Depends}, ${misc:Depends}, ${shlibs:Depends} Breaks: pcp (<< 5.3.0) +Replaces: pcp (<< 5.3.0) Architecture: any Description: Tool for exporting data from PCP to Excel spreadsheets Performance Co-Pilot (PCP) front-end tool for exporting data from PCP
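Review bot: the control hunks pair each existing `Breaks: pcp (<< 5.3.0)` with a matching `Replaces: pcp (<< 5.3.0)`, which is the right combination for packages that took over files from `pcp`: Breaks alone makes dpkg abort the unpack with a file-overwrite error on a stable-to-testing upgrade, which is what the Closes bugs in the changelog report, while Replaces lets the new package own those paths; the pcp-doc hunk correctly extends the existing `Replaces: pcp-gui (<< 1.5.13)` rather than replacing it. One loose end: the changelog marks `pcp-export-pcp2xlsx (unfiled)`, so either file the bug and reference it or drop the marker so the entry does not read as a TODO.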
Re: SONAME bumps (transitions) always via experimental
On 2023-01-10 Sam Hartman wrote:
> > "Graham" == Graham Inggs writes:
> Graham> Hi All
> Graham> On Fri, 6 Jan 2023 at 00:33, Bastian Blank wrote:
> Graham> Would it be a bad thing to require all uploads that need to
> Graham> go through NEW (source and binary) to target experimental?
> Graham> I have been doing this for my own, and sponsored, uploads
> Graham> for some years already.
[...]
> Also, I'm less convinced there's a good reason for source new uploads to
> target experimental.
> If it's a new package with entirely new binary packages, it shouldn't be
> involved in any transitions.
[...]

Afaiui Graham's *question* was in response to Bastian's "However, please describe an actionable plan." Obviously it would be a lot easier if we could require to have all NEW uploads go to experimental instead of trying to filter for soname bumps.

cu Andreas
Re: Understanding what is blocking spamassassin 4.0.0 testing migration
On 2022-12-29 "Adam D. Barratt" wrote:
> On Thu, 2022-12-29 at 07:21 +0100, Andreas Metzler wrote:
[...]
> > removing spamassassin/4.0.0~rc4-1/amd64 from testing makes claws-
[...]
> That's due to the arch:all build failing, which means there is no
> "spamassassin" binary package in unstable currently when combined with
> dak's feature of hiding arch:all packages that don't correspond to the
> version of arch-dep packages. See #915948 for further details on
> similar issues.
> Looking at previous build failures, it looks like the arch:all build
> has issues with IPv6-only buildds. I've given it back, so let's see
> what happens.

Thank you (and Paul) for the explanation. I did not get that "removing
spamassassin" was talking about the binary. The retried build succeeded. :-)

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Understanding what is blocking spamassassin 4.0.0 testing migration
Hello,

I do not understand why spamassassin 4.0.0 does not propagate to testing.
Tracker/excuses https://qa.debian.org/excuses.php?package=spamassassin says:

Issues preventing migration:
[...]
removing spamassassin/4.0.0~rc4-1/amd64 from testing makes claws-mail-spamassassin/4.1.1-2/amd64 uninstallable
removing spamassassin/4.0.0~rc4-1/amd64 from testing makes evolution-plugin-spamassassin/3.46.2-1/amd64 uninstallable
[ list of more spamassassin rdeps which would be uninstallable if ]

Note that it only talks about "removing" instead of "upgrading". Which
obviously cannot work.

https://release.debian.org/britney/update_output.txt does not mention
spamassassin at all. It also seems very short, not like a full run with
less than 1000 lines.

TIA, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Bug#1023261: bullseye-pu: package libtasn1-6/4.16.0-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: libtasn...@packages.debian.org, t...@security.debian.org Hello, I would like to fix CVE-2021-46848 in bullseye. This was fixed in sid/testing by new upstream 4.19.0. I already had some correspondence with debian-security, no DSA is planned. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru libtasn1-6-4.16.0/debian/changelog libtasn1-6-4.16.0/debian/changelog --- libtasn1-6-4.16.0/debian/changelog 2020-02-15 17:38:59.0 +0100 +++ libtasn1-6-4.16.0/debian/changelog 2022-11-01 11:57:42.0 +0100 @@ -1,3 +1,10 @@ +libtasn1-6 (4.16.0-2+deb11u1) bullseye; urgency=medium + + * Fix ETYPE_OK out of bounds read. CVE-2021-46848 +10_Fix-ETYPE_OK-off-by-one-array-size-check.-Closes-32.patch + + -- Andreas Metzler Tue, 01 Nov 2022 11:57:42 +0100 + libtasn1-6 (4.16.0-2) unstable; urgency=low * Upload to unstable. diff -Nru libtasn1-6-4.16.0/debian/patches/10_Fix-ETYPE_OK-off-by-one-array-size-check.-Closes-32.patch libtasn1-6-4.16.0/debian/patches/10_Fix-ETYPE_OK-off-by-one-array-size-check.-Closes-32.patch --- libtasn1-6-4.16.0/debian/patches/10_Fix-ETYPE_OK-off-by-one-array-size-check.-Closes-32.patch 1970-01-01 01:00:00.0 +0100 +++ libtasn1-6-4.16.0/debian/patches/10_Fix-ETYPE_OK-off-by-one-array-size-check.-Closes-32.patch 2022-10-30 13:02:08.0 +0100 
@@ -0,0 +1,29 @@ +From 44a700d2051a666235748970c2df047ff207aeb5 Mon Sep 17 00:00:00 2001 +From: Simon Josefsson +Date: Wed, 17 Aug 2022 12:25:06 +0200 +Subject: [PATCH] Fix ETYPE_OK off by one array size check. Closes: #32. + +Reported by David Trabish in +<https://gitlab.com/gnutls/libtasn1/-/issues/32>. + +Signed-off-by: Simon Josefsson +--- + NEWS | 1 + + lib/int.h | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/lib/int.h b/lib/int.h +@@ -95,11 +95,11 @@ + case ASN1_ETYPE_SET_OF + + #define ETYPE_TAG(etype) (_asn1_tags[etype].tag) + #define ETYPE_CLASS(etype) (_asn1_tags[etype].class) + #define ETYPE_OK(etype) (((etype) != ASN1_ETYPE_INVALID && \ +- (etype) <= _asn1_tags_size && \ ++ (etype) < _asn1_tags_size && \ + _asn1_tags[(etype)].desc != NULL)?1:0) + + #define ETYPE_IS_STRING(etype) ((etype == ASN1_ETYPE_GENERALSTRING || \ + etype == ASN1_ETYPE_NUMERIC_STRING || etype == ASN1_ETYPE_IA5_STRING || \ + etype == ASN1_ETYPE_TELETEX_STRING || etype == ASN1_ETYPE_PRINTABLE_STRING || \ diff -Nru libtasn1-6-4.16.0/debian/patches/series libtasn1-6-4.16.0/debian/patches/series --- libtasn1-6-4.16.0/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ libtasn1-6-4.16.0/debian/patches/series 2022-11-01 11:57:42.0 +0100 @@ -0,0 +1 @@ +10_Fix-ETYPE_OK-off-by-one-array-size-check.-Closes-32.patch signature.asc Description: PGP signature
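Review bot: the lib/int.h hunk is the right bound fix: `_asn1_tags_size` is the element count of `_asn1_tags`, so accepting `(etype) <= _asn1_tags_size` let `_asn1_tags[(etype)].desc` read one entry past the end of the table, and changing the test to `<` closes that out-of-bounds read for every caller of ETYPE_OK at once. The only other change is a fresh `debian/patches/series` (the hunk header `@@ -0,0 +1 @@` shows the package carried no patches before), so the debdiff is as small as a stable update should be. Since the boundary value is exactly `etype == _asn1_tags_size`, it would be worth checking whether upstream's fix commit came with a regression test for that value and, if so, carrying it along.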
Bug#1019876: nmu: atlas-ecmwf_0.30.0-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: ametz...@bebt.de, dh-fortran-...@packages.debian.org

Hello,

according to
https://binarycontrol.debian.net/?q=%5Ermdir+--ignore-fail-on-non-empty+%2Fusr%2Flib%2F%5C%24multiarch%2Ffortran%2Fgfortran=
there are still 4 packages built with broken dh-fortran-mod.

nmu atlas-ecmwf_0.30.0-3 . ANY . unstable . -m "Rebuild with fixed dh-fortran-mod (See #1019050)"
nmu cdo_2.0.6-2 . ANY . unstable . -m "Rebuild with fixed dh-fortran-mod (See #1019050)"
nmu petsc_3.17.4+dfsg1-1 . ANY . unstable . -m "Rebuild with fixed dh-fortran-mod (See #1019050)"
nmu slepc_3.17.2+dfsg1-2 . ANY . unstable . -m "Rebuild with fixed dh-fortran-mod (See #1019050)"

TIA, cu Andreas
Bug#1014474: nmu: sa-exim_4.2.1-20
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu sa-exim_4.2.1-20 . ANY . unstable . -m "rebuild against exim4 4.96"

Please rebuild sa-exim allowing exim4 4.96-1 to propagate to testing.

TIA, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Bug#1012033: bullseye-pu: package gnutls28/3.7.1-5+deb11u1
On 2022-05-29 Andreas Metzler wrote: [...] > as requested in #1011246 I would like fix miscalculation of SHA384 in > the SSA accelarated implementation. > It is a one-line change and was part of the 3.7.3 release. [...] Actually this seems like a good opportunity to fix a minor CVE, which was also fixed in 3.7.3. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog --- gnutls28-3.7.1/debian/changelog 2021-05-29 12:14:30.0 +0200 +++ gnutls28-3.7.1/debian/changelog 2022-06-14 18:55:44.0 +0200 @@ -1,3 +1,12 @@ +gnutls28 (3.7.1-5+deb11u1) bullseye; urgency=medium + + * 56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch: Backport SSSE3 SHA384 +miscalculation fix from 3.7.3. Closes: #1011246 + * 56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch from +3.7.3: Fix null-pointer dereference flaw. CVE-2021-4209 + + -- Andreas Metzler Tue, 14 Jun 2022 18:55:44 +0200 + gnutls28 (3.7.1-5) unstable; urgency=medium * Another fix from 3.7.2: diff -Nru gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch --- gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch 2022-06-14 10:55:13.0 +0200 
@@ -0,0 +1,34 @@ +From acdfeb4b3f0c64ad20f28513618e9903bfb81426 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Wed, 1 Sep 2021 15:48:27 +0200 +Subject: [PATCH] fix SSSE3 SHA384 to work more than once + +The output function called sha512_digest() instead of sha384_digest(), +which caused the hash context to be reinitialized for SHA512 instead of +SHA384 and all following digests using the hash handle were wrong. + +Signed-off-by: Miroslav Lichvar +--- + lib/accelerated/x86/sha-x86-ssse3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/accelerated/x86/sha-x86-ssse3.c b/lib/accelerated/x86/sha-x86-ssse3.c +index 8ea4e54aee..1d442e97e7 100644 +--- a/lib/accelerated/x86/sha-x86-ssse3.c b/lib/accelerated/x86/sha-x86-ssse3.c +@@ -258,11 +258,11 @@ static int _ctx_init(gnutls_digest_algorithm_t algo, + ctx->length = SHA256_DIGEST_SIZE; + break; + case GNUTLS_DIG_SHA384: + sha384_init(>ctx.sha384); + ctx->update = (update_func) x86_sha512_update; +- ctx->digest = (digest_func) sha512_digest; ++ ctx->digest = (digest_func) sha384_digest; + ctx->init = (init_func) sha384_init; + ctx->ctx_ptr = >ctx.sha384; + ctx->length = SHA384_DIGEST_SIZE; + break; + case GNUTLS_DIG_SHA512: +-- +2.35.1 + diff -Nru gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch --- gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.7.1/debian/patches/56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch 2022-06-14 10:58:46.0 +0200 
@@ -0,0 +1,32 @@ +From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 22 Dec 2021 09:12:25 +0100 +Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length + input + +As Nettle's hash update functions internally call memcpy, providing +zero-length input may cause undefined behavior. + +Signed-off-by: Daiki Ueno +--- + lib/nettle/mac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c +index f9d4d7a8df..35e070fab0 100644 +--- a/lib/nettle/mac.c b/lib/nettle/mac.c +@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo, + if (ret < 0) + return gnutls_assert_val(ret); + +- ctx.update(, text_size, text); ++ if (text_size > 0) { ++ ctx.update(, text_size, text); ++ } + ctx.digest(, ctx.length, digest); + + return 0; +-- +2.35.1 + diff -Nru gnutls28-3.7.1/debian/patches/series gnutls28-3.7.1/debian/patches/series --- gnutls28-3.7.1/debian/patches/series2021-05-29 11:37:38.0 +0200 +++ gnutls28-3.7.1/debian/patches/series2022-06-14 10:59:12.0 +0200 @@ -18,3 +18,5 @@ 56_28-handshake-fix-timing-of-sending-early-data.patch 56_30-x509-verify-treat-SHA-1-signed-CA-in-the-trusted-set.patch 56_33-serv-stop-setting-AI_ADDRCONFIG-on-getaddrinfo.patch +56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch
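Review bot: in the lib/nettle/mac.c hunk, skipping `ctx.update` when `text_size` is 0 is the complete fix for the zero-length `memcpy` the commit message describes: the context was already initialised by the code above the hunk, so `ctx.digest` still yields the correct digest of empty input. In the series hunk the header reads `@@ -18,3 +18,5 @@`, i.e. two lines added, yet only `+56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch` is visible; make sure `56_45-wrap_nettle_hash_fast-avoid-calling-_update-with-zer.patch` really is the second added line in series, otherwise the CVE-2021-4209 fix announced in the changelog is shipped but never applied.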
Bug#1012033: bullseye-pu: package gnutls28/3.7.1-5+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Dmitry Baryshkov , gnutl...@packages.debian.org

Hello,

as requested in #1011246 I would like to fix the miscalculation of SHA384 in
the SSSE3 accelerated implementation. It is a one-line change and was part
of the 3.7.3 release.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog --- gnutls28-3.7.1/debian/changelog 2021-05-29 12:14:30.0 +0200 +++ gnutls28-3.7.1/debian/changelog 2022-05-22 13:04:01.0 +0200 @@ -1,3 +1,10 @@ +gnutls28 (3.7.1-5+deb11u1) bullseye; urgency=medium + + * 56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch: Backport SSSE3 SHA384 +miscalculation fix from 3.7.3. Closes: #1011246 + + -- Andreas Metzler Sun, 22 May 2022 13:04:01 +0200 + gnutls28 (3.7.1-5) unstable; urgency=medium * Another fix from 3.7.2: diff -Nru gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch --- gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.7.1/debian/patches/56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch 2022-05-22 13:04:01.0 +0200
@@ -0,0 +1,34 @@ +From acdfeb4b3f0c64ad20f28513618e9903bfb81426 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Wed, 1 Sep 2021 15:48:27 +0200 +Subject: [PATCH] fix SSSE3 SHA384 to work more than once + +The output function called sha512_digest() instead of sha384_digest(), +which caused the hash context to be reinitialized for SHA512 instead of +SHA384 and all following digests using the hash handle were wrong. + +Signed-off-by: Miroslav Lichvar +--- + lib/accelerated/x86/sha-x86-ssse3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/accelerated/x86/sha-x86-ssse3.c b/lib/accelerated/x86/sha-x86-ssse3.c +index 8ea4e54aee..1d442e97e7 100644 +--- a/lib/accelerated/x86/sha-x86-ssse3.c b/lib/accelerated/x86/sha-x86-ssse3.c +@@ -258,11 +258,11 @@ static int _ctx_init(gnutls_digest_algorithm_t algo, + ctx->length = SHA256_DIGEST_SIZE; + break; + case GNUTLS_DIG_SHA384: + sha384_init(>ctx.sha384); + ctx->update = (update_func) x86_sha512_update; +- ctx->digest = (digest_func) sha512_digest; ++ ctx->digest = (digest_func) sha384_digest; + ctx->init = (init_func) sha384_init; + ctx->ctx_ptr = >ctx.sha384; + ctx->length = SHA384_DIGEST_SIZE; + break; + case GNUTLS_DIG_SHA512: +-- +2.35.1 + diff -Nru gnutls28-3.7.1/debian/patches/series gnutls28-3.7.1/debian/patches/series --- gnutls28-3.7.1/debian/patches/series 2021-05-29 11:37:38.0 +0200 +++ gnutls28-3.7.1/debian/patches/series 2022-05-22 13:04:01.0 +0200 @@ -18,3 +18,4 @@ 56_28-handshake-fix-timing-of-sending-early-data.patch 56_30-x509-verify-treat-SHA-1-signed-CA-in-the-trusted-set.patch 56_33-serv-stop-setting-AI_ADDRCONFIG-on-getaddrinfo.patch +56_40-fix-SSSE3-SHA384-to-work-more-than-once.patch signature.asc Description: PGP signature
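Review bot: the one-line sha-x86-ssse3.c hunk is correct and minimal: for GNUTLS_DIG_SHA384 `ctx->digest` pointed at `sha512_digest`, whose finalisation re-initialises the nettle context as SHA-512, so the first digest taken from a handle was right and every later one was wrong; pointing it at `sha384_digest` matches the `sha384_init` and `ctx.sha384` used on the neighbouring lines. Because a single-shot hash test cannot detect this, the backport should be validated with a test that produces two digests from the same handle and compares the second against a known value, not just with the package's existing build-time tests.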
Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
X-Debbugs-Cc: gnutl...@packages.debian.org, Kurt Roeckx , Paul Gevers , Sebastian Andrzej Siewior

On 2022-03-21 Sebastian Andrzej Siewior wrote:
> On 2022-03-21 00:12:11 [+0100], To Kurt Roeckx wrote:
> > doesn't help here but
> > -cipher "ALL:@SECLEVEL=1"
> > does.
> Only debci is affected. The package builds because this testsuite is not
> part of the build process.
> I prepared a NMU against Buster for gnutls. I can open later today a
> buster-pu and do the upload unless someone objects or gnutls folks have
> something in their queue.
> Please let me know.

Hello Sebastian,

thanks for taking care, feel free to NMU.

cu Andreas

PS: Style nitpick: As can be seen from "ls debian/patches/" I think it is
a very good idea to use patch filenames with obvious sorting.
Bug#991397: unblock: exim4/4.94.2-7
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ex...@packages.debian.org, Adrian Bunk

Please unblock package exim4

This release fixes a single bug by pulling the respective fix from
upstream's +fixes branch. When control=fakereject is used with a custom
error message the respective non-safe data was expanded. With
allow_insecure_tainted_data not set this only causes an entry in paniclog,
otherwise the actual expansion might happen.

Debian's default exim configuration does not use control=fakereject but
still I would consider this an important bug that I would like to see
fixed.

unblock exim4/4.94.2-7

Thanks, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru exim4-4.94.2/debian/changelog exim4-4.94.2/debian/changelog --- exim4-4.94.2/debian/changelog 2021-05-26 18:49:44.0 +0200 +++ exim4-4.94.2/debian/changelog 2021-07-13 18:04:57.0 +0200 @@ -1,3 +1,10 @@ +exim4 (4.94.2-7) unstable; urgency=medium + + * 73_05-Fix-tainted-message-for-fakereject.patch from upstream +fixes +branch: Fix re-expansion of custom message with control=fakereject. + + -- Andreas Metzler Tue, 13 Jul 2021 18:04:57 +0200 + exim4 (4.94.2-6) unstable; urgency=medium * Cherrypick diff -Nru exim4-4.94.2/debian/patches/73_05-Fix-tainted-message-for-fakereject.patch exim4-4.94.2/debian/patches/73_05-Fix-tainted-message-for-fakereject.patch --- exim4-4.94.2/debian/patches/73_05-Fix-tainted-message-for-fakereject.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.94.2/debian/patches/73_05-Fix-tainted-message-for-fakereject.patch 2021-07-13 18:03:04.0 +0200
@@ -0,0 +1,44 @@ +From c819f3bcad02bcb06004ae2ad135b68fab0ae888 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Wed, 7 Jul 2021 22:19:07 +0100 +Subject: [PATCH 5/5] Fix tainted message for fakereject + +(cherry picked from commit a9ac2d7fc219e41a353abf1f599258b9b9d21b7e) +--- + doc/ChangeLog | 4 + src/acl.c | 4 +++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/doc/ChangeLog b/doc/ChangeLog +index e60c1cad5..3e93f653f 100644 +--- a/doc/ChangeLog b/doc/ChangeLog +@@ -227,6 +227,10 @@ JH/53 Bug 2743: fix immediate-delivery via named queue. Previously this would + fail with a taint-check on the spoolfile name, and leave the message + queued. + ++JH/57 Fix control=fakreject for a custom message containing tainted data. ++ Previously this resulted in a log complaint, due to a re-expansion present ++ since fakereject was originally introduced. ++ + + Exim version 4.94 + - +diff --git a/src/acl.c b/src/acl.c +index 7061230b4..65324405c 100644 +--- a/src/acl.c b/src/acl.c +@@ -3137,7 +3137,9 @@ for (; cb; cb = cb->next) + { + const uschar *pp = p + 1; + while (*pp) pp++; +- fake_response_text = expand_string(string_copyn(p+1, pp-p-1)); ++ /* The entire control= line was expanded at top so no need to expand ++ the part after the / */ ++ fake_response_text = string_copyn(p+1, pp-p-1); + p = pp; + } + else /* Explicitly reset to default string */ +-- +2.30.2 + diff -Nru exim4-4.94.2/debian/patches/series exim4-4.94.2/debian/patches/series --- exim4-4.94.2/debian/patches/series 2021-05-22 13:27:33.0 +0200 +++ exim4-4.94.2/debian/patches/series 2021-07-13 18:03:23.0 +0200 @@ -10,6 +10,7 @@ 73_02-Fix-ipv6norm.patch 73_03-Named-Queues-fix-immediate-delivery.-Bug-2743.patch 73_04-Fix-host_name_lookup-Close-2747.patch +73_05-Fix-tainted-message-for-fakereject.patch 75_01-Introduce-main-config-option-allow_insecure_tainted_.patch 75_02-search.patch 75_03-dbstuff.patch signature.asc Description: PGP signature
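Review bot: the src/acl.c hunk removes the second `expand_string()` over the user-supplied message, and that is the whole fix: as the added comment says, the entire `control=` line was already expanded once at the top, so re-expanding its tail both tripped the taint check (the paniclog entry described in the request) and, with allow_insecure_tainted_data set, would have expanded message-influenced text a second time. The doc/ChangeLog hunk carries an upstream typo, `fakreject` for `fakereject`, in the JH/57 entry; it is a verbatim cherry-pick so leaving it is fine, but worth knowing before anyone greps for it. The series hunk inserts 73_05 after the other 73_* cherry-picks and before the 75_* taint patches, which keeps the existing ordering.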
Bug#990919: unblock: exim4/4.94.2-6
On 2021-07-11 Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> Please unblock package exim4
> * Cherrypick
> 78_01-Command-line-option-for-no-notifier-socket.-Bug-2616.patch from
> upstream GIT master. This allows one to disable creation of a
> daemon notifier socket by either setting notifier_socket to an empty value
> or specifying -oY commandline option.
> * Init script: For QUEUERUNNER='separate' start daemons with -oY commandline
> option to disable daemon notifier socket. Enforce lockstep upgrade of -base
> and *daemon* by temporarily adding a versioned Breaks to exim4-base on
> older *daemon*. Closes: #988844
> (change by Andreas Metzler)
> This fixes a regression from buster.
> Maintainer and bug submitter are in Cc, ack/nak would be appreciated.
[...]

Hello,

Thank you Adrian, this upload is indeed targeted for bullseye but I forgot
to submit the unblock request.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Bug#989422: buster-pu: package libgcrypt20/1.8.4-5+deb10u1
On 2021-06-12 "Adam D. Barratt" wrote:
[...]
> As we're getting close to the window for 10.10 closing, please feel
> free to upload the package and we'll handle the d-i coordination from
> there.

Thanks for the heads-up. Done.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Bug#989422: buster-pu: package libgcrypt20/1.8.4-5+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libgcryp...@packages.debian.org,secur...@debian.org

Hello,

I would like to fix the non-DSA CVE-2021-33560 for buster by cherrypicking
the respective commit from 1.8.8. This is about weak ElGamal encryption
when a key not generated by libgcrypt/gnupg is used.

This was fixed in unstable's 1.8.7-6, with bullseye unblock request #989421
sent a couple of minutes ago.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru libgcrypt20-1.8.4/debian/changelog libgcrypt20-1.8.4/debian/changelog --- libgcrypt20-1.8.4/debian/changelog 2019-01-20 14:47:23.0 +0100 +++ libgcrypt20-1.8.4/debian/changelog 2021-05-29 13:32:02.0 +0200 @@ -1,3 +1,11 @@ +libgcrypt20 (1.8.4-5+deb10u1) buster; urgency=medium + + * 31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch from +upstream LIBGCRYPT-1.8-BRANCH: Fix weak ElGamal encryption with keys *not* +generated by GnuPG/libgcrypt. CVE-2021-33560 + + -- Andreas Metzler Sat, 29 May 2021 13:32:02 +0200 + libgcrypt20 (1.8.4-5) unstable; urgency=medium * 30_doc-Fix-library-initialization-examples.patch from upstream diff -Nru libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch --- libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch 1970-01-01 01:00:00.0 +0100 +++ libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch 2021-05-29 13:16:14.0 +0200
@@ -0,0 +1,105 @@ +From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Fri, 21 May 2021 11:15:07 +0900 +Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations. + +* cipher/elgamal.c (gen_k): Remove support of smaller K. +(do_encrypt): Never use smaller K. +(sign): Folllow the change of gen_k. + +-- + +Cherry-pick master commit of: + 632d80ef30e13de6926d503aa697f92b5dbfbc5e + +This change basically reverts encryption changes in two commits: + + 74386120dad6b3da62db37f7044267c8ef34689b + 78531373a342aeb847950f404343a05e36022065 + +Use of smaller K for ephemeral key in ElGamal encryption is only good, +when we can guarantee that recipient's key is generated by our +implementation (or compatible). + +For detail, please see: + +Luca De Feo, Bertram Poettering, Alessandro Sorniotti, +"On the (in)security of ElGamal in OpenPGP"; +in the proceedings of CCS'2021. + +CVE-id: CVE-2021-33560 +GnuPG-bug-id: 5328 +Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti +Signed-off-by: NIIBE Yutaka +--- + cipher/elgamal.c | 24 ++-- + 1 file changed, 6 insertions(+), 18 deletions(-) + +diff --git a/cipher/elgamal.c b/cipher/elgamal.c +index 4eb52d62..ae7a631e 100644 +--- a/cipher/elgamal.c b/cipher/elgamal.c +@@ -66,7 +66,7 @@ static const char *elg_names[] = + + + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); ++static gcry_mpi_t gen_k (gcry_mpi_t p); + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, + gcry_mpi_t **factors); + static int check_secret_key (ELG_secret_key *sk); +@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) + + / + * Generate a random secret exponent k from prime p, so that k is +- * relatively prime to p-1. With SMALL_K set, k will be selected for +- * better encryption performance - this must never be used signing! ++ * relatively prime to p-1. 
+ */ + static gcry_mpi_t +-gen_k( gcry_mpi_t p, int small_k ) ++gen_k( gcry_mpi_t p ) + { + gcry_mpi_t k = mpi_alloc_secure( 0 ); + gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); +@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) + unsigned int nbits, nbytes; + char *rndbuf = NULL; + +- if (small_k) +-{ +- /* Using a k much lesser than p is sufficient for encryption and +- * it greatly improves the encryption performance. We use +- * Wiener's table and add a large safety margin. */ +- nbits = wiener_map( orig_nbits ) * 3 / 2; +- if( nbits >= orig_nbits ) +-BUG(); +-} +- else +-nbits = orig_nbits; +- ++ nbits = orig_nbits; + + nbytes = (nbits+7)/8; + if( DBG_CIPHER ) +@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) +* error code. +*/ + +- k = gen_k( pkey->p, 1 ); ++ k = gen_k( pkey->p ); + mpi_powm (a, pkey->g, k, pkey->p); + + /* b = (y^k * input) mod p +@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t in
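Review bot: the cipher/elgamal.c hunks remove the small-k path outright rather than gating it: `gen_k` loses its `small_k` parameter, `nbits = orig_nbits` becomes unconditional, and the `do_encrypt` caller drops its `1` argument, so every ephemeral k is now full-size regardless of who generated the recipient key. That is the right shape for a security fix, because the old optimisation was only safe under an assumption about the recipient's key that the library cannot verify at encryption time; the cost is slower encryption, which the commit message accepts. Two things to verify before upload: the `sign()` hunk is cut off in this debdiff (the diffstat promises 6 insertions and 18 deletions), so confirm the complete patch applies cleanly; and since the hunk deletes the only call to `wiener_map` shown here, check that the function still has a caller in the file, otherwise the build will warn about an unused static function.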
Bug#989421: unblock: libgcrypt20/1.8.7-6
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libgcryp...@packages.debian.org

Please unblock package libgcrypt20.

Compared to 1.8.7-3 this pulls 4 commits from 1.8.8, including
30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
(CVE-2021-33560) which fixes weak ElGamal encryption with keys *not*
generated by libgcrypt/gnupg. It does not warrant a DSA (already
doublechecked with debian-security) but should still be fixed.

I will also prepare an upload for buster.

unblock libgcrypt20/1.8.7-6

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru libgcrypt20-1.8.7/debian/changelog libgcrypt20-1.8.7/debian/changelog --- libgcrypt20-1.8.7/debian/changelog 2021-02-14 15:27:13.0 +0100 +++ libgcrypt20-1.8.7/debian/changelog 2021-05-27 18:07:38.0 +0200
@@ -1,3 +1,26 @@ +libgcrypt20 (1.8.7-6) unstable; urgency=medium + + * Update from LIBGCRYPT-1.8-BRANCH: ++ 30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch + + -- Andreas Metzler Thu, 27 May 2021 18:07:38 +0200 + +libgcrypt20 (1.8.7-5) unstable; urgency=medium + + * Pull fix for ECC decyryption regression (caused by +30_08-ecc-Check-the-input-length-for-the-point.patch) from +LIBGCRYPT-1.8-BRANCH. Closes: #987956 + + -- Andreas Metzler Thu, 06 May 2021 18:06:14 +0200 + +libgcrypt20 (1.8.7-4) unstable; urgency=medium + + * Update from LIBGCRYPT-1.8-BRANCH: ++ 30_07-Fix-previous-commit.patch ++ 30_08-ecc-Check-the-input-length-for-the-point.patch + + -- Andreas Metzler Sun, 02 May 2021 13:58:47 +0200 + libgcrypt20 (1.8.7-3) unstable; urgency=medium * Update from LIBGCRYPT-1.8-BRANCH: diff -Nru libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch --- libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch 1970-01-01 01:00:00.0 +0100 +++ libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch 2021-05-02 13:52:17.0 +0200 
@@ -0,0 +1,41 @@ +From a5799f1618aaf1bbb52e7e121275228dd4a3ac8b Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Sun, 14 Feb 2021 18:54:40 +0100 +Subject: [PATCH 7/8] Fix previous commit + +* src/global.c (_gcry_get_config): Append the Nul only in the !what +case. +-- + +Fixes-commit: 3f42f727a0699f7274a99ea39def7f9b4c3b0c1e +Actually this was my fault - I stripped off the test which Jussi did in +his original fix on master. And did not run make check. + +Signed-off-by: Werner Koch +--- + src/global.c | 9 +++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/global.c b/src/global.c +index 7d634095..95daedac 100644 +--- a/src/global.c b/src/global.c +@@ -419,8 +419,13 @@ _gcry_get_config (int mode, const char *what) + + print_config (what, fp); + +- /* Make sure the output is null terminated. */ +- gpgrt_fwrite ("", 1, 1, fp); ++ /* Make sure the output is null terminated if no specific item was ++ * requested. This is needed because tests/version.c expects that ++ * the function fails with the !data case below. For the specific ++ * test an extra nul is not required because we always have a LF ++ * which is then replaced right at the end of this function. */ ++ if (!what) ++gpgrt_fwrite ("", 1, 1, fp); + + if (gpgrt_ferror (fp)) + { +-- +2.30.2 + diff -Nru libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch --- libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch 1970-01-01 01:00:00.0 +0100 +++ libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch 2021-05-02 13:52:32.0 +0200 
@@ -0,0 +1,80 @@ +From 3f48e3ea37adf84aae7335b8367012d70bb3f132 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Tue, 27 Apr 2021 17:24:16 +0900 +Subject: [PATCH 8/8] ecc: Check the input length for the point. + +* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length +of valid point representation. + +-- + +Backport the commit of master: + + 060c378c050e7ec6206358c681a313d6e1967dcf + +In the use case of GnuPG, ECDH decryption for anonymous recipient may +try to decrypt with different curves. When the input data of +ephemeral key does not match one of the private key, it should return +GPG_ERR_INV_OBJ. + +Signed-off-by: NIIBE Yutaka +--- + cipher/ecc-misc.c | 18 ++ + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c +index 34dd6804..b89dcfa6 100644 +--- a/cipher/ecc-misc.c b/cipher/ecc-misc.c +@@ -294,6 +294,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) + { + unsigned char *rawmpi; + un
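Review bot: the src/global.c hunk narrows the trailing NUL write to the `!what` case; the added comment explains that a specific item is instead terminated by replacing its trailing LF further down in the function, but that code is outside the hunk, so a reviewer has to take the comment on trust and should read the rest of `_gcry_get_config` before accepting it. The 1.8.7-5 changelog entry has a typo, `decyryption`. The cipher/ecc-misc.c hunk is truncated in this debdiff right after the variable declarations, so the length check that is supposed to return GPG_ERR_INV_OBJ for a mismatched curve cannot be reviewed from what is shown; please attach the complete patch.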
Bug#988508: buster-pu: package gnutls28/3.6.7-4+deb10u7
b10u6),-] {+3.6.7-4+deb10u7),+} libgnutls30 (= [-3.6.7-4+deb10u6),-] {+3.6.7-4+deb10u7),+} libgnutlsxx28 (= [-3.6.7-4+deb10u6),-] {+3.6.7-4+deb10u7),+} libidn2-dev, libp11-kit-dev (>= 0.23.10), libtasn1-6-dev, nettle-dev (>= 3.4.1~rc1) Installed-Size: [-4316-] {+4317+} Version: [-3.6.7-4+deb10u6-] {+3.6.7-4+deb10u7+} Control files of package libgnutls30: lines which differ (wdiff format) --- Installed-Size: [-2648-] {+2649+} Version: [-3.6.7-4+deb10u6-] {+3.6.7-4+deb10u7+} Control files of package libgnutls30-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-bce53405fc0dd81c8428113ca15f83b4a0ef10de-] {+bf7d77672d078e8b8e4ce26a48e80e3770237d37+} Depends: libgnutls30 (= [-3.6.7-4+deb10u6)-] {+3.6.7-4+deb10u7)+} Version: [-3.6.7-4+deb10u6-] {+3.6.7-4+deb10u7+} Control files of package libgnutlsxx28: lines which differ (wdiff format) - Depends: libgnutls30 (= [-3.6.7-4+deb10u6),-] {+3.6.7-4+deb10u7),+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5) Version: [-3.6.7-4+deb10u6-] {+3.6.7-4+deb10u7+} Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format) Depends: libgnutlsxx28 (= [-3.6.7-4+deb10u6)-] {+3.6.7-4+deb10u7)+} Version: [-3.6.7-4+deb10u6-] {+3.6.7-4+deb10u7+} diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2021-01-02 18:10:33.0 +0100 +++ gnutls28-3.6.7/debian/changelog 2021-05-14 13:33:38.0 +0200 
@@ -1,3 +1,25 @@ +gnutls28 (3.6.7-4+deb10u7) buster; urgency=medium + + * 46_handshake-reject-no_renegotiation-alert-if-handshake.patch pulled from +3.6.15: It was found by oss-fuzz that the server sending a +"no_renegotiation" alert in an unexpected timing, followed by an invalid +second handshake can cause a TLS 1.3 client to crash via a null-pointer +dereference. The crash happens in the application's error handling path, +where the gnutls_deinit function is called after detecting a handshake +failure. +GNUTLS-SA-2020-09-04 CVE-2020-24659 Closes: #969547 + * Pull multiple fixes designated for 3.6.15 bugfix release: ++ 47_rel3.6.16_01-gnutls_buffer_append_data-remove-duplicated-code.patch ++ 47_rel3.6.16_02-_gnutls_buffer_resize-add-option-to-use-allocation-s.patch ++ 47_rel3.6.16_03-key_share-avoid-use-after-free-around-realloc.patch + (CVE-2021-20231) and + 47_rel3.6.16_04-pre_shared_key-avoid-use-after-free-around-realloc.patch + (CVE-2021-20232), both together GNUTLS-SA-2021-03-10. ++ 47_rel3.6.16_05-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch ++ 47_rel3.6.16_06-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch + + -- Andreas Metzler Fri, 14 May 2021 13:33:38 +0200 + gnutls28 (3.6.7-4+deb10u6) buster; urgency=medium * 45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch diff -Nru gnutls28-3.6.7/debian/patches/46_handshake-reject-no_renegotiation-alert-if-handshake.patch gnutls28-3.6.7/debian/patches/46_handshake-reject-no_renegotiation-alert-if-handshake.patch --- gnutls28-3.6.7/debian/patches/46_handshake-reject-no_renegotiation-alert-if-handshake.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.6.7/debian/patches/46_handshake-reject-no_renegotiation-alert-if-handshake.patch 2021-05-11 18:08:00.0 +0200 
@@ -0,0 +1,112 @@ +From 521e6492b9bbc8ec1519924526942cf2fc719497 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sat, 22 Aug 2020 17:19:39 +0200 +Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is + incomplete + +If the initial handshake is incomplete and the server sends a +no_renegotiation alert, the client should treat it as a fatal error +even if its level is warning. Otherwise the same handshake +state (e.g., DHE parameters) are reused in the next gnutls_handshake +call, if it is called in the loop idiom: + + do { + ret = gnutls_handshake(session); + } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); + +Signed-off-by: Daiki Ueno +--- + ...a04b3d3f7dcc0ab4571cf0df3b67ab7e1005e9e7a8 | Bin 0 -> 671 bytes + ...1da801fb3c6d1f7f846f227721e221adea08aa319c | Bin 0 -> 729 bytes + lib/gnutls_int.h | 1 + + lib/handshake.c | 48 +- + 4 files changed, 36 insertions(+), 13 deletions(-) + create mode 100644 fuzz/gnutls_client_fuzzer.in/00ea40761ce11e769f1817a04b3d3f7dcc0ab4571cf0df3b67ab7e1005e9e7a8 + create mode 100644 fuzz/gnutls_psk_client_fuzzer.in/b16434290b77e13d7a983d1da801fb3c6d1f7f846f227721e221adea08aa319c + +--- a/lib/gnutls_int.h b/lib/gnutls_int.h +@@ -1366,6 +1366,8 @@ typedef struct { + #d
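Review bot: the changelog text and the patch file names disagree on the upstream release: the second bullet says the fixes are "designated for 3.6.15 bugfix release" while every file it lists is named 47_rel3.6.16_*, and the first bullet says 46_handshake-reject-no_renegotiation-alert-if-handshake.patch was "pulled from 3.6.15". Reconcile these before upload so that the security tracker entry for CVE-2021-20231/CVE-2021-20232 can be matched to the right upstream version. Separately, the diffstat of 46_handshake-reject-no_renegotiation-alert-if-handshake.patch lists two fuzz corpus files as `Bin 0 -> 671 bytes` and `Bin 0 -> 729 bytes` under fuzz/gnutls_client_fuzzer.in and fuzz/gnutls_psk_client_fuzzer.in; a quilt text patch cannot carry binary files, so either trim them from the diffstat or state that the build-time test run still covers the client-side no_renegotiation handling without them.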
Bug#987924: unblock: exim4/4.94-19
... forgot the debdiff. cu Andreas diff -Nru exim4-4.94/debian/changelog exim4-4.94/debian/changelog --- exim4-4.94/debian/changelog 2021-03-18 13:54:47.0 +0100 +++ exim4-4.94/debian/changelog 2021-04-26 18:35:43.0 +0200 @@ -1,3 +1,42 @@ +exim4 (4.94-19) unstable; urgency=medium + + * Further updates from heiko/exim-4.94+fixes+taintwarn: ++ 75_24-Silence-the-compiler.patch ++ 75_26-Disable-taintchecks-for-mkdir-this-isn-t-part-of-4.9.patch + * Upload to unstable. + + -- Andreas Metzler Mon, 26 Apr 2021 18:35:43 +0200 + +exim4 (4.94-18) experimental; urgency=medium + + * Pull patches to temporarily add an option to turn taint errors into +warnings. (See #987133) ++ 75_01-Introduce-main-config-option-allow_insecure_tainted_.patch ++ 75_02-search.patch ++ 75_03-dbstuff.patch ++ 75_04-acl.patch ++ 75_05-parse.patch ++ 75_06-rda.patch ++ 75_07-appendfile.patch ++ 75_08-autoreply.patch ++ 75_09-pipe.patch ++ 75_10-deliver.patch ++ 75_11-directory.patch ++ 75_12-expand.patch ++ 75_13-lf_sqlperform.patch ++ 75_14-rf_get_transport.patch ++ 75_15-deliver.patch ++ 75_16-smtp_out.patch ++ 75_17-smtp.patch ++ 75_18-update-doc.patch ++ 75_20-Set-mainlog_name-and-rejectlog_name-unconditionally.patch ++ 75_21-tidy-log.c.patch ++ 75_22-Silence-compiler.patch ++ 75_23-Do-not-close-the-main-_log-if-we-do-not-see-a-chance.patch + * Update NEWS.Debian to describe the feature. + + -- Andreas Metzler Sun, 25 Apr 2021 07:42:26 +0200 + exim4 (4.94-17) unstable; urgency=medium * Let exim4-config Recommend ca-certificates, needed for certificate diff -Nru exim4-4.94/debian/NEWS exim4-4.94/debian/NEWS --- exim4-4.94/debian/NEWS 2021-03-18 13:53:44.0 +0100 +++ exim4-4.94/debian/NEWS 2021-04-25 08:08:34.0 +0200 
@@ -1,19 +1,10 @@ -exim4 (4.94-16) unstable; urgency=medium +exim4 (4.94-18) experimental; urgency=medium - The configuration now enforces certificate verification against the - system trust store on encrypted connections using the - remote_smtp_smarthost transport (smarthost and satellite setups). - Delivery will therefore fail if the host certificates are not verifyable - and non TLS delivery is not available (e.g. because AUTH PLAIN is used). - - -- Andreas Metzler Wed, 17 Mar 2021 13:50:44 +0100 - -exim4 (4.94~RC0-2) experimental; urgency=low - - Please consider this a *major* exim upgrade. It introduces the concept of - tainted data read from untrusted sources, like e.g. message sender or - recipient. This tainted data (e.g. $local_part or $domain) cannot be used - among other things as a file or directory name or command name. + Please consider exim 4.93/4.94 a *major* exim upgrade. It introduces the + concept of tainted data read from untrusted sources, like e.g. message + sender or recipient. This tainted data (e.g. $local_part or $domain) + cannot be used among other things as a file or directory name or command + name. This WILL BREAK configurations which are not updated accordingly. Old Debian exim configuration files also will not work unmodified, the new 
@@ -32,7 +23,27 @@ lookup in further processing instead of the original (remote provided) value. - -- Andreas Metzler Sun, 10 May 2020 10:27:04 +0200 + To ease upgrading there is a new main configuration option to temporarily + downgrade taint errors to warnings, letting the old configuration work with + the newer exim. To make use of this feature add + .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA + allow_insecure_tainted_data = yes + .endif + to the exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros) + *before* upgrading to exim 4.93/4.94 and check the logfile for taint + warnings. This is a temporary workaround which will stop working in 4.95. + + -- Andreas Metzler Sun, 25 Apr 2021 07:42:26 +0200 + +exim4 (4.94-16) unstable; urgency=medium + + The configuration now enforces certificate verification against the + system trust store on encrypted connections using the + remote_smtp_smarthost transport (smarthost and satellite setups). + Delivery will therefore fail if the host certificates are not verifyable + and non TLS delivery is not available (e.g. because AUTH PLAIN is used). + + -- Andreas Metzler Wed, 17 Mar 2021 13:50:44 +0100 exim4 (4.87-3) unstable; urgency=medium diff -Nru exim4-4.94/debian/patches/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch exim4-4.94/debian/patches/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch --- exim4-4.94/debian/patches/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.94/debian/patches/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch 2021-04-25 07:27:42.0 +0200 @@ -0,0 +1,230 @@ +From ec06d64532e4952fc36429f73e0222d26997ef7c Mon Sep 17 00:00:00 2001 +From: "
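Review bot: the 4.94-19 changelog entry lists 75_26-Disable-taintchecks-for-mkdir-this-isn-t-part-of-4.9.patch without any rationale; since that patch removes a taint check, the entry should say what the file name only hints at (that the check is not part of upstream 4.94 and is being dropped to match it) so the change is not mistaken for a silent security relaxation. In the NEWS hunk, the `.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA` guard is the right way to make the snippet safe to add before the upgrade, but the text should be explicit that `allow_insecure_tainted_data = yes` re-enables exactly what the paragraph above it forbids (tainted $local_part/$domain used as file, directory or command names), i.e. it restores the pre-4.93 exposure and not merely extra log noise, and that the macro must be removed once the configuration has been fixed; "will stop working in 4.95" covers the mechanical part but not the risk.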
Bug#987924: unblock: exim4/4.94-19
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: ex...@packages.debian.org Hello, Please consider exim4/4.94-19 for bullseye. Due to the newly introduced tainting mechanism exim upgrades from buster to bullseye currently require a lockstep upgrade of configuration file and exim binary. The new binary will not run with the old configuration and vice versa. -19 brings a patch that adds an option ("allow_insecure_tainted_data") to let the new daemon work with the old configuration at the price of spamming the logfile. -19 adds the option but has it disabled by default. I thought it fit better to _require_ handholding /now/ at dist-upgrade time. I am open to strong opinions to switch it on by default. I would appreciate timely feedback on this review request. There is a security release scheduled for May 4th https://lists.exim.org/lurker/message/20210421.123632.08bb711a.en.html and I would like to be able to prepare an upload and have it propagate to testing ASAP (on the same day!) and not have to discuss "allow_insecure_tainted_data", then. If you do not think that it is possible/wise to accept allow_insecure_tainted_data that quickly I will base the upload for the security release on -17 and will temporarily revert 17-->19. unblock exim4/4.94-19 TIA, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
Bug#985984: unblock: exim4/4.94-17
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: ex...@packages.debian.org Hello release team, Please unblock exim4. The main point of this upload is to fix the issues reported by Jö Fahlke which apply to bullseye. This was fixed for buster in a more conservative way (document instead of improved behavior) in 4.92-8+deb10u5. * README.Debian: Fix typo "tls_verify_certificate" instead of "tls_verify_certificates". * General doc improvements in this area. (Thanks, Jö Fahlke) Closes: #985244 * Enforce certificate verification against the system trust store in the remote SMTP transport by default by setting REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *. Closes: #985344 * Let exim4-config Recommend ca-certificates, needed for certificate verification. The second important change is * Intensify upgrade warning in NEWS file. I have also synced with upstream's bugfix-only GIT branch. unblock exim4/4.94-17 TIA, cu Andreas diff -Nru exim4-4.94/debian/changelog exim4-4.94/debian/changelog --- exim4-4.94/debian/changelog 2021-02-07 08:13:29.0 +0100 +++ exim4-4.94/debian/changelog 2021-03-18 13:54:47.0 +0100 
@@ -1,3 +1,30 @@ +exim4 (4.94-17) unstable; urgency=medium + + * Let exim4-config Recommend ca-certificates, needed for certificate +verification. + + -- Andreas Metzler Thu, 18 Mar 2021 13:54:47 +0100 + +exim4 (4.94-16) unstable; urgency=medium + + * README.Debian: Fix typo "tls_verify_certificate" instead of +"tls_verify_certificates". + * General doc improvements in this area. (Thanks, Jö Fahlke) Closes: #985244 + * Intensify upgrade warning in NEWS file. + * Enforce certificate verification against the system trust store in the +remote SMTP transport by default by setting +REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *. Closes: #985344 + * Update from exim-4.94+fixes: ++ 74_56-Fix-FreeBSD-13-build.patch ++ 74_57-Fix-weight-calculation-for-spamd_address.-Bug-2694.patch ++ 74_58-Fix-weight-calculation-for-socks_proxy.-Bug-2694.patch ++ 74_59-Fix-build-for-platforms-not-having-ulong.patch ++ 74_60-Fix-list-expansion-for-various-domainlists-having-in.patch ++ 74_61-Bulid-fix-DISABLE_PIPE_CONNECT-build.-Bug-2703.patch ++ 74_62-Docs-fix-description-of-hosts_try_dane.-Bug-2704.patch + + -- Andreas Metzler Wed, 17 Mar 2021 13:50:44 +0100 + exim4 (4.94-15) unstable; urgency=medium * Update from exim-4.94+fixes: diff -Nru exim4-4.94/debian/control exim4-4.94/debian/control --- exim4-4.94/debian/control 2021-01-30 18:21:15.0 +0100 +++ exim4-4.94/debian/control 2021-03-18 13:54:47.0 +0100 
@@ -109,6 +109,7 @@ exim4-config-2, ${MTA-Conflicts} Depends: adduser, ${misc:Depends}, ${shlibs:Depends} +Recommends: ca-certificates Description: configuration for the Exim MTA (v4) Exim (v4) is a mail transport agent. exim4-config provides the configuration for the exim4 daemon packages. The configuration framework has been split diff -Nru exim4-4.94/debian/debconf/conf.d/transport/10_exim4-config_transport-macros exim4-4.94/debian/debconf/conf.d/transport/10_exim4-config_transport-macros --- exim4-4.94/debian/debconf/conf.d/transport/10_exim4-config_transport-macros 2020-02-29 15:37:28.0 +0100 +++ exim4-4.94/debian/debconf/conf.d/transport/10_exim4-config_transport-macros 2021-03-18 13:53:44.0 +0100 @@ -14,3 +14,7 @@ REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}} .endif .endif + +.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS + REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = * +.endif diff -Nru exim4-4.94/debian/NEWS exim4-4.94/debian/NEWS --- exim4-4.94/debian/NEWS 2020-11-03 18:11:40.0 +0100 +++ exim4-4.94/debian/NEWS 2021-03-18 13:53:44.0 +0100 
@@ -1,11 +1,36 @@ +exim4 (4.94-16) unstable; urgency=medium + + The configuration now enforces certificate verification against the + system trust store on encrypted connections using the + remote_smtp_smarthost transport (smarthost and satellite setups). + Delivery will therefore fail if the host certificates are not verifyable + and non TLS delivery is not available (e.g. because AUTH PLAIN is used). + + -- Andreas Metzler Wed, 17 Mar 2021 13:50:44 +0100 + exim4 (4.94~RC0-2) experimental; urgency=low - Some Transports now refuse to use tainted data in constructing their - delivery location; this WILL BREAK configurations which are not updated - accordingly. In particular: any Transport use of $local_user which has - been relying upon check_local_user far away in the Router to make it - safe, should be updated to replace $local_user with - $local_part_data. + Please consider this a *major* exim upgrade. It introduces the concept of + tainted data read from untrusted sources, like e.g. message sender or + recipient. This tainted data (e.g. $local_part or $doma
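Review bot: debian/control adds ca-certificates only as a Recommends of exim4-config, while 10_exim4-config_transport-macros now defaults REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS to `*`; on a system installed without Recommends the new default verifies against a system trust store that is not there, and, as the NEWS entry itself states, delivery then fails wherever no non-TLS fallback exists. Either make ca-certificates a Depends or state in NEWS that it must be installed for the new default to work. The `.ifndef` guard around the macro correctly leaves an existing local override (for example in exim4.conf.localmacros) in effect.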
Bug#985466: buster-pu: package libpano13/2.9.19+dfsg-3+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: libpan...@packages.debian.org Hello, I would like to fix 985249 for buster. It is a straightforward format string issue, as documented in the respective report. The issue is fixed in unstable (2.9.20~rc3+dfsg-1) but not yet in testing. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru libpano13-2.9.19+dfsg/debian/changelog libpano13-2.9.19+dfsg/debian/changelog --- libpano13-2.9.19+dfsg/debian/changelog 2017-09-10 14:39:18.0 +0200 +++ libpano13-2.9.19+dfsg/debian/changelog 2021-03-18 14:12:08.0 +0100 @@ -1,3 +1,12 @@ +libpano13 (2.9.19+dfsg-3+deb10u1) buster; urgency=medium + + * 850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff +cherry-picked from 2.9.20 rc3: Fixes format string bug, pasing along +format strings in user specified output filename to printf. +Closes: #985249 + + -- Andreas Metzler Thu, 18 Mar 2021 14:12:08 +0100 + libpano13 (2.9.19+dfsg-3) unstable; urgency=medium * Move Vcs-* from git/http to https. diff -Nru libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff --- libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff 1970-01-01 01:00:00.0 +0100 +++ libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff 2021-03-18 14:12:08.0 +0100 
@@ -0,0 +1,40 @@ +# HG changeset patch +# User tmodes +# Date 1615911819 -3600 +# Tue Mar 16 17:23:39 2021 +0100 +# Node ID f02459498cb44c0087900616a7e61563d614c05f +# Parent 2e9ee0a5e32f2ca6e1a5b3f9c2d5c393a41903c3 +Prevent string vulnerability by refusing prefix strings with percentage sign + +diff -r 2e9ee0a5e32f -r f02459498cb4 file.c +--- a/file.c Sun Dec 13 15:37:56 2020 +0100 b/file.c Tue Mar 16 17:23:39 2021 +0100 +@@ -2910,6 +2910,16 @@ + } + strcat(outputPrefix, DEFAULT_PREFIX_NUMBER_FORMAT); + } ++else { ++// TODO: sanitize outputPrefix, only a single format specifier %??d or %??i ++// is allowed, all other should be escaped ++// until this is implemented refuse to process further if prefix string ++// contains a percentage sign to prevent string vulnerability in ++// sprintf(outputFilename, outputPrefix ...) below ++PrintError("Output prefix must not contain a percentage sign"); ++return 0; ++} ++ + + for (i =0; i< filesCount ; i++) { + sprintf( outputFilename, outputPrefix, i ); +diff -r 2e9ee0a5e32f -r f02459498cb4 tools/PTcrop.c +--- a/tools/PTcrop.c Sun Dec 13 15:37:56 2020 +0100 b/tools/PTcrop.c Tue Mar 16 17:23:39 2021 +0100 +@@ -36,7 +36,7 @@ + + #define PT_CROP_USAGE "PTuncrop [options] \n\n" \ + "Options:\n"\ +-"\t-p \tPrefix for output files (defaults to " DEFAULT_PREFIX "%%4d)\n" \ ++"\t-p \tPrefix for output files (defaults to " DEFAULT_PREFIX ")\n" \ + "\t-f\t\tForce processing: Overwrite output files if they exists (use with care)\n" \ + "\t-x\t\tDelete source files (use with care)\n"\ + "\t-q\t\tQuiet run\n"\ diff -Nru libpano13-2.9.19+dfsg/debian/patches/series libpano13-2.9.19+dfsg/debian/patches/series --- libpano13-2.9.19+dfsg/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ libpano13-2.9.19+dfsg/debian/patches/series 2021-03-18 14:12:08.0 +0100 @@ -0,0 +1 @@ +850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff signature.asc Description: PGP signature
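Review bot: the new else branch is a stopgap, as its TODO admits: it refuses any prefix containing '%', but the line it guards, `sprintf( outputFilename, outputPrefix, i );`, still passes user-supplied text as the format string and writes into outputFilename with no length bound. The robust fix is to keep the format literal and treat the prefix as data, e.g. `snprintf(outputFilename, sizeof(outputFilename), "%s%04d", outputPrefix, i)` (assuming outputFilename is an array and DEFAULT_PREFIX_NUMBER_FORMAT is a plain %d-style field), after which the percent check becomes unnecessary and users regain the ability to use '%' in a name. The PTcrop usage hunk correctly drops the `%%4d` from the displayed default. Minor: the changelog entry has "pasing" for "passing".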
Bug#985450: buster-pu: package exim4/4.92-8+deb10u5
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: ex...@packages.debian.org, Jorrit Fahlke Hello, [ Reason ] I would like to fix two issues in buster: #1 Fix use of concurrent TLS connections under GnuTLS. When a callout was done during a receiving connection, and both used TLS, global info was used rather than per-connection info for tracking the state of data queued for transmission. This could result in a connection hang. #2 Fix issues related to certificate checking: a) Cherry-pick a bugfix to get proper hostname checking with CNAMES. Without this patch when connecting to a CNAME the server provided cert is checked against the A record instead of the original cname. #985243 b) Document limitation/extent of server certificate checking that is done by default and how to change it. #985244 and #985344 2a and 2b are documented in the respective bug-reports, 2a actually might warrant priority serious. #1 has popped up repeatedly on the exim-user mailing list, I would categorize it as important. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru exim4-4.92/debian/changelog exim4-4.92/debian/changelog --- exim4-4.92/debian/changelog 2020-05-13 18:01:31.0 +0200 +++ exim4-4.92/debian/changelog 2021-03-18 09:10:15.0 +0100 
@@ -1,3 +1,23 @@ +exim4 (4.92-8+deb10u5) buster; urgency=medium + + * Fix use of concurrent TLS connections under GnuTLS: +80_01-GnuTLS-fix-hanging-callout-connections.patch +80_02-GnuTLS-tls_write-wait-after-uncorking-the-session.patch +80_03-GnuTLS-Do-not-care-about-corked-data-when-uncorking.patch +(Thanks, Heiko Schlittermann for the backport) + * Pull 82_TLS-use-RFC-6125-rules-for-certifucate-name-checks-w.patch from +upstream git (already included in 4.94), on TLS connections to a CNAME +verify the certificate against the original CNAME instead of against +the A record. Closes: #985243 + * In README.Debian explicitly document the limitation/extent of server +certificate checking (authenticity not enforced) in the default +configuration (Thanks, Jö Fahlke). This Closes: #985244 (improved +documentation and Closes: #985344 (Yes, without required cert +checking MitM attacks are possible, but for a stable update documenting +this is the best compromise.) + + -- Andreas Metzler Thu, 18 Mar 2021 09:10:15 +0100 + exim4 (4.92-8+deb10u4) buster-security; urgency=high * Fix authentication bypass in SPA authenticator due to out-of-bound buffer diff -Nru exim4-4.92/debian/patches/80_01-GnuTLS-fix-hanging-callout-connections.patch exim4-4.92/debian/patches/80_01-GnuTLS-fix-hanging-callout-connections.patch --- exim4-4.92/debian/patches/80_01-GnuTLS-fix-hanging-callout-connections.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.92/debian/patches/80_01-GnuTLS-fix-hanging-callout-connections.patch 2021-03-18 08:51:35.0 +0100 
@@ -0,0 +1,83 @@ +From 97c5e07c220b55d1c506a1798c9ce3ae3105adea Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Thu, 13 Feb 2020 16:45:38 + +Subject: [PATCH 4/6] GnuTLS: fix hanging callout connections + +Broken-by: 925ac8e4f1 +(cherry picked from commit bd95ffc2ba87fbd3c752df17bc8fd9c01586d45a) +--- + doc/ChangeLog | 81 --- + src/tls-gnu.c | 24 +++-- + 2 files changed, 20 insertions(+), 85 deletions(-) + +--- a/doc/ChangeLog b/doc/ChangeLog +@@ -67,6 +67,11 @@ JH/41 Bug 2571: Fix SPA authenticator. + being used. A malicious client could thus cause an out-of-bounds read and + possibly gain authentication. Fix by adding the check. + ++JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was ++ done during a receiving connection, and both used TLS, global info was ++ used rather than per-connection info for tracking the state of data ++ queued for transmission. This could result in a connection hang. ++ + + Exim version 4.92 + - +--- a/src/tls-gnu.c b/src/tls-gnu.c +@@ -124,10 +124,17 @@ typedef struct exim_gnutls_state { + enum peer_verify_requirement verify_requirement; + int fd_in; + int fd_out; +- BOOLpeer_cert_verified; +- BOOLpeer_dane_verified; +- BOOLtrigger_sni_changes; +- BOOLhave_set_peerdn; ++ ++ BOOLpeer_cert_verified:1; ++ BOOLpeer_dane_verified:1; ++ BOOLtrigger_sni_changes:1; ++ BOOLhave_set_peerdn:1; ++ BOOLxfer_eof:1; /*XXX never gets set! */ ++ BOOLxfer_error:1; ++#ifdef SUPPORT_CORK ++ BOOLcorked:1
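Review bot: the src/tls-gnu.c hunk turns the BOOL members into 1-bit bitfields (`BOOL peer_cert_verified:1;` and friends); this is only safe if BOOL is an unsigned type in 4.92's headers, because a signed 1-bit field holds 0 and -1 and an assignment of TRUE then compares unequal to TRUE. Please confirm the typedef before applying this part of the backport to buster, or keep the plain BOOL members and add only the new `xfer_eof`, `xfer_error` and `corked` fields. The `/*XXX never gets set! */` comment on xfer_eof should not ship in a stable update without an explanation of why that is harmless. Cosmetic: the doc/ChangeLog hunk inserts JH/25 after JH/41 in the 4.92 section, out of numbering order; since the Debian changelog points readers at that file it is worth placing correctly.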
Bug#981581: nmu: sa-exim_4.2.1-19
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu sa-exim_4.2.1-19 . ANY . unstable . -m "Rebuild against current exim localscan ABI. (See #981398)" That is necessary to let sa-exim work again in sid and bullseye. The wrong Provides of exim4-daemon-light in bullseye (#981399) allow installation of sa-exim, but it does not work. Current exim4 fixes this. Details in https://bugs.debian.org/981398 TIA, cu Andreas
Bug#979074: buster-pu: package gnutls28/3.6.7-4+deb10u6
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] The gnutls28 test tests/testpkcs11.sh uses a test certificate that expired in December 2020, which now causes a testsuite error and FTBFS. If this is not approved the patch will need to be included in case of another DSA for GnuTLS or a stable update. I would rather fix this now to make debian-security's life easier. [ Checklist ] [X] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The patch uses datefudge to avoid the timebomb. It is cherrypicked and adapted (older helper function) from upstream master. TIA, cu Andreas diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2020-06-07 07:45:55.0 +0200 +++ gnutls28-3.6.7/debian/changelog 2021-01-02 14:15:36.0 +0100 @@ -1,3 +1,11 @@ +gnutls28 (3.6.7-4+deb10u6) UNRELEASED; urgency=medium + + * 45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch +Fix test suite error caused by expired certificate. +Closes: #977552 + + -- Andreas Metzler Sat, 02 Jan 2021 14:15:36 +0100 + gnutls28 (3.6.7-4+deb10u5) buster; urgency=medium * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch diff -Nru gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch --- gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch 2021-01-02 14:15:36.0 +0100 
@@ -0,0 +1,73 @@ +From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Dec 2020 16:16:53 +0100 +Subject: [PATCH 3/6] testpkcs11: use datefudge to trick certificate expiry +Origin: https://gitlab.com/gnutls/gnutls/-/commit/2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d +Bug: https://gitlab.com/gnutls/gnutls/-/issues/1135 +Bug-Debian: https://bugs.debian.org/977552 + +The certificates stored in tests/testpkcs11-certs expired on +2020-12-13. To avoid verification failure due to that, use datefudge +to set custom date when calling gnutls-cli, gnutls-serv, and certtool. + +Based on the patch by Andreas Metzler: +https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121 + +Signed-off-by: Daiki Ueno +--- + tests/testpkcs11.sh | 12 +++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/tests/testpkcs11.sh b/tests/testpkcs11.sh +@@ -67,6 +67,8 @@ have_ed25519=0 + P11TOOL="${VALGRIND} ${P11TOOL} --batch" + SERV="${SERV} -q" + ++TESTDATE=2020-12-01 ++ + . ${srcdir}/scripts/common.sh + + rm -f "${LOGFILE}" +@@ -79,6 +81,8 @@ exit_error () { + exit 1 + } + ++skip_if_no_datefudge ++ + # $1: token + # $2: PIN + # $3: filename +@@ -510,6 +514,7 @@ write_certificate_test () { + pubkey="$5" + + echo -n "* Generating client certificate... " ++ datefudge -s "$TESTDATE" \ + "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ + --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ + --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 +@@ -887,6 +892,7 @@ use_certificate_test () { + echo -n "* Using PKCS #11 with gnutls-cli (${txt})... 
" + # start server + eval "${GETPORT}" ++ SERV="datefudge -s $TESTDATE $SERV" \ + launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" \ + --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1 +@@ -895,13 +901,16 @@ use_certificate_test () { + wait_server ${PID} + + # connect to server using SC ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 && \ + fail ${PID} "Connection should have failed!" + ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${LOGFILE}" 2
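Review bot: the changelog hunk still has the distribution set to UNRELEASED; it must read buster before upload. In the test patch, `SERV="datefudge -s $TESTDATE $SERV" \` prefixes a temporary assignment to launch_pkcs11_server, which is a shell function from scripts/common.sh rather than an external command; POSIX makes the assignment visible inside the function, but whether it persists after the function returns is unspecified and differs between dash and bash, so under dash every later launch in the same script inherits an already-prefixed SERV and stacks another datefudge on top. Harmless as far as the date goes, but invoking the server with datefudge explicitly (as the client lines already do) avoids the dependence on shell behaviour. Also, the unconditional skip_if_no_datefudge means the test silently becomes a skip rather than a failure when datefudge is absent; confirm that datefudge is already in Build-Depends, since this debdiff shows no debian/control change.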
Bug#963703: stretch-pu: package gnutls28/3.5.8-5+deb9u5
On 2020-07-02 "Adam D. Barratt" wrote: > Control: tags -1 + confirmed > On Thu, 2020-06-25 at 17:37 +0200, Andreas Metzler wrote: >> I would like to make a last bugfix upload to stretch: >> * Pull fixes for CVE-2019-3836 / [GNUTLS-SA-2019-03-27, #694]. [...] > Please go ahead. Thanks, done.
Bug#963703: stretch-pu: package gnutls28/3.5.8-5+deb9u5
On 2020-06-25 Salvatore Bonaccorso wrote: > On Thu, Jun 25, 2020 at 05:41:42PM +0200, Andreas Metzler wrote: > > On 2020-06-25 Andreas Metzler wrote: > > [...] > > > * Pull fixes for CVE-2019-3836 / [GNUTLS-SA-2019-03-27, #694]. [...] > Only noticed too late, but the above CVE reference should be > CVE-2019-3829 in the "Pull fixes for ..." changelog entry. Thanks, you are right. (The other CVE is also GNUTLS-SA-2019-03-27, but the other upstream bug number #704.) cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
Bug#963703: stretch-pu: package gnutls28/3.5.8-5+deb9u5
On 2020-06-25 Andreas Metzler wrote: [...] > * Pull fixes for CVE-2019-3836 / [GNUTLS-SA-2019-03-27, #694]. > + 40_casts_related_to_fix_CVE-2019-3829.patch > + 40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch > + 40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch > + 41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff > * More important fixes: > + 43_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch > [One-line-fix for memleak] > + 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch > Handle zero length session tickets, fixing connection errors on TLS1.2 > sessions to some big hosting providers. (See LP 1876286) > [Fixes connections to e.g. verizon popserver.] [...] Here is the missing debdiff. cu Andreas [The following lists of changes regard files as different if they have different names, permissions or owners.] Files only in first set of .debs, found in package gnutls-bin-dbgsym -rw-r--r-- root/root /usr/lib/debug/.build-id/0e/df33e82a82671f7e361a8ffa83b02400337604.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/1d/b976be2d75d79dfd97e68dba3ee84babe5a3cc.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/64/414524cec63b3a8334146aa0c4dab71fae4080.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/6f/0012f94a9f80ef7e652dacc713347841f66907.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/98/eef0a29dcce526336be09fbbb0eccb3ece9f17.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/a5/c92e78a7d0a175b524703387c994518830abfa.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/ad/42bf08cf713e4a18ed1dd04dcc200a1cdafe94.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/c0/cf4951b3020f4fdf0b30c32934e922348e3660.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/f7/a745a4765a1efbfc31d0e21d0b5aca9aa2c5b1.debug Files only in first set of .debs, found in package libgnutls-dane0-dbgsym - -rw-r--r-- root/root /usr/lib/debug/.build-id/1c/399494f95f5e9ff28fcbd0243e96639fad69d3.debug Files only in first set of 
.debs, found in package libgnutls-openssl27-dbgsym - -rw-r--r-- root/root /usr/lib/debug/.build-id/51/a6d9549543590e69584a2dd9df4e919cd62918.debug Files only in first set of .debs, found in package libgnutls30-dbgsym - -rw-r--r-- root/root /usr/lib/debug/.build-id/1c/1bc93c559cfe2ebd1b5676fa4b355118edf38e.debug Files only in first set of .debs, found in package libgnutlsxx28-dbgsym --- -rw-r--r-- root/root /usr/lib/debug/.build-id/f4/43a08baf0b78f1286c82e9d3e085c83734d37b.debug New files in second set of .debs, found in package gnutls-bin-dbgsym -rw-r--r-- root/root /usr/lib/debug/.build-id/41/3e7554b4f2cfebbd3c79dbdc11815b1a8ce65b.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/4a/7b934e15748037c09f179e902c900edd8f645e.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/84/79ca3705d519462b64cafa740069f5257a1799.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/96/f89b1b2de8078f07e1dceb9a1c9570ce2fefe8.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/9c/a5be6ce0e2ad9359bcc4fa67713fb35451eb4f.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/d9/a524219c966f40c7f8862e5141f95e747ffa87.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/ea/4ce0554a6816fbe557433397e8a3f211063cb0.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/f0/bb902cc0ca2f32c8dbfc88908486ac7a52ca09.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/f0/c69abf17ada32042b18f4b6b240c76965fe456.debug New files in second set of .debs, found in package libgnutls-dane0-dbgsym - -rw-r--r-- root/root /usr/lib/debug/.build-id/a2/c2822b8a615e4e750944c36cfa27e4c39d5448.debug New files in second set of .debs, found in package libgnutls-openssl27-dbgsym - -rw-r--r-- root/root /usr/lib/debug/.build-id/2a/a940233375f7c77955565715aa6404a4334c07.debug New files in second set of .debs, found in package libgnutls30-dbgsym - -rw-r--r-- root/root /usr/lib/debug/.build-id/b6/c9dec4e163583c6c1f2ea1b1ef75b1db2e6a0c.debug New files in second set of .debs, found in package libgnutlsxx28-dbgsym --- -rw-r--r-- 
root/root /usr/lib/debug/.build-id/e2/00ca7e603a3c2ea4f81f9542ab13919b24b73e.debug Control files of package gnutls-b
Bug#963703: stretch-pu: package gnutls28/3.5.8-5+deb9u5
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello, I would like to make a last bugfix upload to stretch: * Pull fixes for CVE-2019-3836 / [GNUTLS-SA-2019-03-27, #694]. + 40_casts_related_to_fix_CVE-2019-3829.patch + 40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch + 40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch + 41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff * More important fixes: + 43_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch [One-line-fix for memleak] + 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch Handle zero length session tickets, fixing connection errors on TLS1.2 sessions to some big hosting providers. (See LP 1876286) [Fixes connections to e.g. verizon popserver.] TIA, cu Andreas
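The zero-length session ticket case handled by 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch (listed in this request and again in the buster-pu request for 3.6.7-4+deb10u5 on this page) comes from RFC 5077 section 3.3: a server that announced the SessionTicket extension but then decides not to issue a ticket sends a NewSessionTicket message whose ticket field is empty, and a client has to accept that and finish the handshake rather than treat it as a failure. The following is an added C example and not GnuTLS code or part of the Debian patch; the struct, the status names and the sample byte strings are constructed here for illustration, only the wire layout is the RFC's.

```c
/*
 * Added example, not GnuTLS code: parse a TLS 1.2 NewSessionTicket handshake
 * message (RFC 5077, section 3.3) and treat a zero-length ticket as "server
 * declined to issue a ticket" instead of as a protocol error. Names, the
 * status enum and the sample messages are this example's own.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TLS_HS_NEW_SESSION_TICKET 4

enum nst_status {
    NST_MALFORMED = -1,   /* inconsistent lengths: abort the handshake */
    NST_OK        =  0,   /* ticket present: keep it for resumption */
    NST_NO_TICKET =  1    /* zero-length ticket: keep existing state, continue */
};

struct new_session_ticket {
    uint32_t       lifetime_hint;   /* seconds, advisory only */
    const uint8_t *ticket;          /* points into the caller's buffer, or NULL */
    size_t         ticket_len;
};

static uint32_t rd16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t rd24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | rd16(p + 1); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | rd24(p + 1); }

/*
 * msg/len: one complete handshake message (type byte, uint24 length, body).
 * Body: uint32 ticket_lifetime_hint followed by opaque ticket<0..2^16-1>.
 */
int parse_new_session_ticket(const uint8_t *msg, size_t len,
                             struct new_session_ticket *out)
{
    if (len < 4 || msg[0] != TLS_HS_NEW_SESSION_TICKET)
        return NST_MALFORMED;
    uint32_t body_len = rd24(msg + 1);
    if (body_len != len - 4 || body_len < 6)   /* lifetime (4) + ticket length (2) */
        return NST_MALFORMED;
    const uint8_t *body = msg + 4;
    uint32_t ticket_len = rd16(body + 4);
    if (ticket_len != body_len - 6)             /* the ticket must fill the rest exactly */
        return NST_MALFORMED;

    out->lifetime_hint = rd32(body);
    out->ticket_len    = ticket_len;
    out->ticket        = ticket_len ? body + 6 : NULL;
    /* RFC 5077 3.3: an empty ticket means the server chose not to issue one
     * after all. That is a valid message, not an error. */
    return ticket_len == 0 ? NST_NO_TICKET : NST_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_WITH_TICKET[] = {
    0x04, 0x00, 0x00, 0x0a,              /* NewSessionTicket, body length 10 */
    0x00, 0x00, 0x1c, 0x20,              /* lifetime hint 7200 s */
    0x00, 0x04, 0x01, 0x02, 0x03, 0x04   /* 4-byte ticket */
};
static const uint8_t SAMPLE_EMPTY_TICKET[] = {
    0x04, 0x00, 0x00, 0x06,              /* body length 6 */
    0x00, 0x00, 0x00, 0x00,              /* lifetime hint 0 */
    0x00, 0x00                           /* ticket length 0: no ticket issued */
};
static const uint8_t SAMPLE_BAD_LENGTH[] = {
    0x04, 0x00, 0x00, 0x07,              /* claims body length 7 */
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x05, 0xaa                     /* ticket length 5 but only 1 byte follows */
};

/* Accessors so a check can look at one field per call. */
int nst_status(const uint8_t *msg, size_t len)
{
    struct new_session_ticket t;
    return parse_new_session_ticket(msg, len, &t);
}
uint32_t nst_lifetime(const uint8_t *msg, size_t len)
{
    struct new_session_ticket t;
    return parse_new_session_ticket(msg, len, &t) == NST_MALFORMED ? 0 : t.lifetime_hint;
}
size_t nst_ticket_len(const uint8_t *msg, size_t len)
{
    struct new_session_ticket t;
    return parse_new_session_ticket(msg, len, &t) == NST_MALFORMED ? 0 : t.ticket_len;
}

int main(void)
{
    printf("with ticket:  status %d, ticket length %zu\n",
           nst_status(SAMPLE_WITH_TICKET, sizeof SAMPLE_WITH_TICKET),
           nst_ticket_len(SAMPLE_WITH_TICKET, sizeof SAMPLE_WITH_TICKET));
    printf("empty ticket: status %d\n",
           nst_status(SAMPLE_EMPTY_TICKET, sizeof SAMPLE_EMPTY_TICKET));
    printf("bad length:   status %d\n",
           nst_status(SAMPLE_BAD_LENGTH, sizeof SAMPLE_BAD_LENGTH));
    return 0;
}
```

Returning a distinct status for the empty ticket, instead of the generic failure, is what lets the caller keep its existing session state and still complete the handshake; mapping it to the error path is the kind of behaviour that shows up as the "connection errors on TLS1.2 sessions" the changelog entry describes.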
Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Control: tags -1 - moreinfo Control: retitle -1 buster-pu: package gnutls28/3.6.7-4+deb10u5 On 2020-05-26 Andreas Metzler wrote: > Control: tags 960836 + moreinfo > Please hold on approving this. I will probably need to add a fix for > https://gitlab.com/gnutls/gnutls/-/issues/997 Hello, find attached a new version rebased on the latest DSA and featuring these additional fixes: * 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch from GnuTLS 3.6.14: Handle zero length session tickets, fixing connection errors on TLS1.2 sessions to some big hosting providers. (See LP 1876286) * 44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch 44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch 44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch backported from GnuTLS 3.6.14: Fix verification error with alternate chains. Closes: #961889 TIA, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2020-06-05 19:32:17.0 +0200 +++ gnutls28-3.6.7/debian/changelog 2020-06-07 07:45:55.0 +0200 
@@ -1,3 +1,24 @@ +gnutls28 (3.6.7-4+deb10u5) buster; urgency=medium + + * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch +from GNUTLS 3.6.11: Fix TL1.2 resumption errors. Closes: #956649 + * 47_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch from GNUTLS +3.6.14: One line fix for memory leak. Closes: #958704 + * Rename +44_rel3.6.14_01-stek-differentiate-initial-state-from-valid-time-win.patch +(security upload) to 44_rel3.6.14_90_... to be able to pull earlier fixes +from 3.6.14 and have correct patch filename order. + * 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch +from GnuTLS 3.6.14: Handle zero length session tickets, fixing connection +errors on TLS1.2 sessions to some big hosting providers. (See LP 1876286) + * 44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch +44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch +44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch +backported from GnuTLS 3.6.14: Fix verification error with alternate +chains. Closes: #961889 + + -- Andreas Metzler Sun, 07 Jun 2020 07:45:55 +0200 + gnutls28 (3.6.7-4+deb10u4) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch --- gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch 2020-06-07 06:48:47.0 +0200 
@@ -0,0 +1,610 @@ +From afa6e340c084542ef416afc96dd0329f5507 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Tue, 8 Oct 2019 07:23:31 +0200 +Subject: [PATCH] session tickets: parse extension during session resumption on + client side + +It is possible for a server to send a new session ticket during +TLS1.2 resumption. To be able to parse it as client we need to +check the extension during resumption as well. + +Resolves: #841 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + NEWS| 3 +++ + lib/ext/alpn.c | 3 ++- + lib/ext/client_cert_type.c | 3 ++- + lib/ext/cookie.c| 3 ++- + lib/ext/dumbfw.c| 3 ++- + lib/ext/early_data.c| 3 ++- + lib/ext/ec_point_formats.c | 3 ++- + lib/ext/etm.c | 3 ++- + lib/ext/ext_master_secret.c | 3 ++- + lib/ext/heartbeat.c | 3 ++- + lib/ext/key_share.c | 3 ++- + lib/ext/max_record.c| 3 ++- + lib/ext/post_handshake.c| 3 ++- + lib/ext/pre_shared_key.c| 3 ++- + lib/ext/psk_ke_modes.c | 3 ++- + lib/ext/record_size_limit.c | 3 ++- + lib/ext/safe_renegotiation.c| 3 ++- + lib/ext/server_cert_type.c | 3 ++- + lib/ext/server_name.c | 3 ++- + lib/ext/session_ticket.c| 7 ++- + lib/ext/signature.c | 3 ++- + lib/ext/srp.c | 3 ++- + lib/ext/srtp.c | 3 ++- + lib/ext/status_request.c| 3 ++- + lib/ext/supported_groups.c | 3 ++- + lib/ext/supported_versions.c| 3 ++- + lib/hello_ext.c | 36 ++--- + lib/hello_ext.h | 3 ++- + lib/includes/gnutls/gnutls.h.in | 4 ++-- + tests/gnutls-cli-resume.sh
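Review bot: In the debian/changelog hunk the entry "47_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch from GNUTLS 3.6.14" names the patch with a rel3.6.13 prefix while attributing it to 3.6.14, and the stretch request for the same one-line leak fix uses 43_rel3.6.14_10-...; the filename prefix (or the version named in the text) should be made consistent with the release the commit was taken from. The same hunk has "Fix TL1.2 resumption errors", which should read TLS1.2.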
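Review bot: The diffstat of the embedded 42_rel3.6.11_10 patch lists lib/includes/gnutls/gnutls.h.in (4 ++--) next to the internal lib/hello_ext.h change; for a stable update it would help if the changelog stated whether that public-header edit is documentation-only or touches an exported symbol, so the reviewer can confirm that no API/ABI change lands in buster.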
Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Control: tags 960836 + moreinfo

Please hold on approving this. I will probably need to add a fix for
https://gitlab.com/gnutls/gnutls/-/issues/997

cu Andreas
Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Control: tags 960836 - moreinfo

On 2020-05-17 "Adam D. Barratt" wrote:
> Control: tags -1 + moreinfo
> On Sun, 2020-05-17 at 14:23 +0200, Andreas Metzler wrote:
>> I would like to update gnutls to fix #95664 aka
>> https://gitlab.com/gnutls/gnutls/-/issues/841 fixing TLS1.2 client
>> side resumption errors.

> #956649. :-)

> I'm assuming this is fixed in at least unstable already, but the BTS
> metadata suggests otherwise (potentially not helped by the local
> "found" version).

> Please could you confirm, and fix either the metadata or unstable.

Hello Adam,

Yes, it is fixed in both buster and sid, I have corrected the bug metadata
accordingly.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hello, I would like to update gnutls to fix #95664 aka https://gitlab.com/gnutls/gnutls/-/issues/841 fixing TLS1.2 client side resumption errors. And while I am at it I would also pick a one-line fix for a memory leak (Fix requested in #958704.) cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2020-04-03 21:31:50.0 +0200 +++ gnutls28-3.6.7/debian/changelog 2020-05-17 13:45:29.0 +0200 @@ -1,3 +1,12 @@ +gnutls28 (3.6.7-4+deb10u4) buster; urgency=medium + + * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch +from GNUTLS 3.6.11: Fix TL1.2 resumption errors. Closes: #956649 + * 47_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch from GNUTLS +3.6.14: One line fix for memory leak. Closes: #958704 + + -- Andreas Metzler Sun, 17 May 2020 13:45:29 +0200 + gnutls28 (3.6.7-4+deb10u3) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch --- gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch 2020-05-17 10:08:09.0 +0200 
@@ -0,0 +1,610 @@ +From afa6e340c084542ef416afc96dd0329f5507 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Tue, 8 Oct 2019 07:23:31 +0200 +Subject: [PATCH] session tickets: parse extension during session resumption on + client side + +It is possible for a server to send a new session ticket during +TLS1.2 resumption. To be able to parse it as client we need to +check the extension during resumption as well. + +Resolves: #841 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + NEWS| 3 +++ + lib/ext/alpn.c | 3 ++- + lib/ext/client_cert_type.c | 3 ++- + lib/ext/cookie.c| 3 ++- + lib/ext/dumbfw.c| 3 ++- + lib/ext/early_data.c| 3 ++- + lib/ext/ec_point_formats.c | 3 ++- + lib/ext/etm.c | 3 ++- + lib/ext/ext_master_secret.c | 3 ++- + lib/ext/heartbeat.c | 3 ++- + lib/ext/key_share.c | 3 ++- + lib/ext/max_record.c| 3 ++- + lib/ext/post_handshake.c| 3 ++- + lib/ext/pre_shared_key.c| 3 ++- + lib/ext/psk_ke_modes.c | 3 ++- + lib/ext/record_size_limit.c | 3 ++- + lib/ext/safe_renegotiation.c| 3 ++- + lib/ext/server_cert_type.c | 3 ++- + lib/ext/server_name.c | 3 ++- + lib/ext/session_ticket.c| 7 ++- + lib/ext/signature.c | 3 ++- + lib/ext/srp.c | 3 ++- + lib/ext/srtp.c | 3 ++- + lib/ext/status_request.c| 3 ++- + lib/ext/supported_groups.c | 3 ++- + lib/ext/supported_versions.c| 3 ++- + lib/hello_ext.c | 36 ++--- + lib/hello_ext.h | 3 ++- + lib/includes/gnutls/gnutls.h.in | 4 ++-- + tests/gnutls-cli-resume.sh | 17 + 30 files changed, 98 insertions(+), 44 deletions(-) + + +diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c +index b9991f0a1..7cc799756 100644 +--- a/lib/ext/alpn.c b/lib/ext/alpn.c +@@ -39,7 +39,8 @@ const hello_ext_entry_st ext_mod_alpn = { + .tls_id = 16, + .gid = GNUTLS_EXTENSION_ALPN, + /* this extension must be parsed even on resumption */ +- .parse_type = GNUTLS_EXT_MANDATORY, ++ .client_parse_point = GNUTLS_EXT_MANDATORY, ++ .server_parse_point = GNUTLS_EXT_MANDATORY, + .validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | + 
GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_EE | + GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO, +diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c +index b627b71f9..34f4dcfa4 100644 +--- a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c +@@ -48,7 +48,8 @@ const hello_ext_entry_st ext_mod_client_cert_type = { + .name = "Client Certificate Type", + .tls_id = 19, + .gid = GNUTLS_EXTENSION_CLIENT_CERT_TYPE, +- .parse_type = GNUTLS_EXT_TLS, ++ .client_parse_point = GNUTLS_EXT_TLS, ++ .server_parse_point = GNUTLS_EXT_TLS, + .validity = GNUTLS_EXT_FLAG_TLS | + GNUTLS_EXT_FLAG_DTLS | + GNUTLS_EXT_FLAG_CLIENT_HELLO | +diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c +index 0feb2f0e5..b4608f3a9 100644 +--- a/lib/ext/cookie.c b/lib/ext/cookie.c +@@ -41,7 +41,8 @@ const hello_ex
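Review bot: The lib/ext/alpn.c and lib/ext/client_cert_type.c hunks are the mechanical part of the change (the single parse_type field replaced by a client_parse_point/server_parse_point pair carrying the same value), repeated per the diffstat across all the lib/ext/*.c files; the behavioural fix for #841 is confined to lib/ext/session_ticket.c (7 ++-) and the dispatch in lib/hello_ext.c (36 ++---), so review effort should concentrate there. It would also be worth stating that the new tests/gnutls-cli-resume.sh case (17 +) actually runs in the Debian build, since it is the only regression test for the resumption path this upload is meant to fix.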
Bug#949310: buster-pu: package gnutls28/3.6.7-4+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hello, there is a regression in gnutls/buster compared to stretch. It fails to parse certificates using Registered ID in Subject Alternative Name. See upstream report https://gitlab.com/gnutls/gnutls/issues/905 for more details. I would like to fix this in pu, by pulling the fix from GnuTLS 3.6.9. The respective upstream change also adds a testcase and therefore adds/modifies binaries. The proposed Debian changes are not representable as debdiff, I am attaching git-format-patch diff instead. cu Andreas From de3d573242195eddab914709584242610b2e2762 Mon Sep 17 00:00:00 2001 From: Andreas Metzler Date: Sun, 19 Jan 2020 18:00:12 +0100 Subject: [PATCH] Fix parsing of certificates using RegisteredID Closes: #949293 --- debian/binary/cert10.der | Bin 0 -> 571 bytes debian/binary/cert5.der | Bin 0 -> 414 bytes debian/changelog | 6 + ...ralname-registeredID-from-RFC-5280-i.patch | 242 ++ debian/patches/series | 1 + debian/rules | 8 + debian/source/include-binaries| 2 + 7 files changed, 259 insertions(+) create mode 100644 debian/binary/cert10.der create mode 100644 debian/binary/cert5.der create mode 100644 debian/patches/41_rel3.6.9_01-Support-for-Generalname-registeredID-from-RFC-5280-i.patch diff --git a/debian/binary/cert10.der b/debian/binary/cert10.der new file mode 100644 index ..07ab16d3eec034bd14cd94dd0174a2a76c768918 GIT binary patch literal 571 zcmXqLVlp>qV!XS6nTe5!i7~~1i;Y98~}r=h5UFdK6y3o{Rod$6ygLP%`WXB7yE< z2fL4n5$aH8Ms{W=1{U9cSH5JrPuwpy_1pr3D$^|zjMJuCRBw;2RdL_8Rbf7h>pH)< zAeoC69oOR@)U-AzX+7fIwMMr5Y?*=QWGCtCmWvy28Z=%rkOx{StIQ%{Al4xA)v;*r z&#
Bug#947365: transition: libvigraimpex
On 2020-01-03 Paul Gevers wrote:
> On 31-12-2019 18:26, Andreas Metzler wrote:
[...]
> > Afaict the involved packages should propagate to testing in 3 days, when
> > enblend-enfuse is old enough. I have committed the fix. [1]

> Unfortunately libvigraimpex is (hopefully only temporarily) blocked by a
> bug we had in piuparts and the (automatically) rescheduling of the
> failed tests takes some days [1]. So, maybe it would be even faster to
> upload the fix now.

> Paul

> [1] I don't want to manually test all the piuparts failures as there are
> too many, and I don't want to blindly ignore those results.

Hello Paul,

I have just dput-ed. Thanks for the monitoring.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Bug#947365: transition: libvigraimpex
On 2019-12-31 Sebastiaan Couwenberg wrote:
> On 12/31/19 4:20 PM, Andreas Metzler wrote:
>> as Bas correctly diagnoses I am not currently building for all supported
>> versions but only for the default one because it is not trivial but
>> requires some work. Looking at python policy I think that is acceptable
>> but not perfect.

>> Is my reading of policy correct?

> AFAIK the python policy doesn't document the build dependencies.

> doko filed bugs for at least one of my packages that had python3-all-dev
> in B-D but only built for the default interpreter with the request to
> change the B-D or build for all supported versions, so either option is
> fine.

Hello,

Thanks for clearing this up. I was just unsure whether not building for all
supported versions was acceptable.

>> Shall I make a timely upload fixing the
>> build-dependency or can I wait for propagation of vigra packages to
>> testing?

> I would commit the change now, and upload it after the testing migration
> unless there are other blockers that hold up the migration for more than
> 5 days, then I would upload it now.

Afaict the involved packages should propagate to testing in 3 days, when
enblend-enfuse is old enough. I have committed the fix. [1]

cu Andreas

[1] https://salsa.debian.org/ametzler/libvigraimpex/commit/c5a8c27cc018c8968036b73c39d0d02d0f229320
Bug#947365: transition: libvigraimpex
On 2019-12-31 Sebastiaan Couwenberg wrote:
> On 12/30/19 9:48 PM, Paul Gevers wrote:
[...]
>> libvigraimpex is also part of the pseudo python3.8 transition [1], but
>> it is still red. This probably means that you are not correctly building
>> Python3 modules for all supported Python3 versions. Can you please check?

> Looks like it shouldn't build depend on python3-all-dev since the build
> system only uses the default interpreter.

> sed -i 's/python3-all-dev/python3-dev/g' debian/control

Hello,

as Bas correctly diagnoses I am not currently building for all supported
versions but only for the default one because it is not trivial but
requires some work. Looking at python policy I think that is acceptable
but not perfect. Is my reading of policy correct? Shall I make a timely
upload fixing the build-dependency or can I wait for propagation of vigra
packages to testing?

Sorry for the inconvenience.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Bug#947365: transition: libvigraimpex
On 2019-12-26 Paul Gevers wrote:
> On 25-12-2019 19:29, Andreas Metzler wrote:
>> libvigraimpex is marked for autoremoval because of the python2 removal.
>> This is fixed in experimental, the new version features a soname bump.
[...]
> Normally we don't want python 2 removal package uploads and transitions
> mixed, but it seems that python-vigra doesn't have reverse dependencies.
> Please go ahead in unstable.

Thank you, uploaded.

cu Andreas
Bug#947365: transition: libvigraimpex
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello,

libvigraimpex is marked for autoremoval because of the python2 removal.
This is fixed in experimental, the new version features a soname bump.
This should be a small scale transition. I have successfully [1] rebuilt
3depict enblend-enfuse hugin luminance-hdr saga against -3 in
experimental.

Ben file:

title = "libvigraimpex";
is_affected = .depends ~ "libvigraimpex6" | .depends ~ "libvigraimpex11";
is_good = .depends ~ "libvigraimpex11";
is_bad = .depends ~ "libvigraimpex6";

cu Andreas

[1] 3depict is broken by https://bugs.debian.org/947364
Bug#946644: nmu: sa-exim_4.2.1-18
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu sa-exim_4.2.1-18 . ANY . unstable . -m "Rebuild against exim4-localscanapi-3.1 (exim 4.93)"

Hello,

please binNMU sa-exim to make it installable again. exim 4.93 broke the
local_scan exim and therefore the localscanapi version was bumped. This
bump happened in RC5 after sa-exim had already been updated for the API
changes.

cu Andreas
Bug#945925: buster-pu: package gnutls28/3.6.7-4+deb10u1
format) -- Build-Ids: [-d328298de34135fca5f236357f2f2dd56cb109f3-] {+b17a60f0701c7de3d7e5e921305846b5efbc3c91+} Depends: libgnutls-dane0 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls-openssl27: lines which differ (wdiff format) --- Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14) Installed-Size: [-372-] {+373+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-fe4c3c0c38af44779c38ae5d1e187b6250f7afe0-] {+5e61e31c2ae39982eeb14ae1c8f66aff43e1083a+} Depends: libgnutls-openssl27 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls28-dev: lines which differ (wdiff format) --- Depends: libc6-dev | libc-dev, libgnutls-dane0 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutls-openssl27 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libgnutlsxx28 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libidn2-dev, libp11-kit-dev (>= 0.23.10), libtasn1-6-dev, nettle-dev (>= 3.4.1~rc1) Installed-Size: [-4313-] {+4314+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls30: lines which differ (wdiff format) --- Installed-Size: [-2643-] {+2644+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutls30-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-4d66d28cd2e7537e1e1d2905595b260226b22ad2-] {+1ca9574531f2bffce01464c8a654b2e0c2ed894b+} Depends: libgnutls30 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutlsxx28: lines which differ (wdiff format) - Depends: libgnutls30 (= [-3.6.7-4),-] {+3.6.7-4+deb10u1),+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5) Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format) Build-Ids: 
[-d752158b357b5875ebc8680001b57a886b94a1a4-] {+b8bd0e5aecb48c352850674891129476d08d016a+} Depends: libgnutlsxx28 (= [-3.6.7-4)-] {+3.6.7-4+deb10u1)+} Version: [-3.6.7-4-] {+3.6.7-4+deb10u1+} diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2019-06-12 19:21:23.0 +0200 +++ gnutls28-3.6.7/debian/changelog 2019-11-30 13:41:59.0 +0100 @@ -1,3 +1,11 @@ +gnutls28 (3.6.7-4+deb10u1) buster; urgency=medium + + * 42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch +from 3.6.10: Fix interop problems with gnutls 2.x. Closes: #933538 +(Thanks, Hanno Stock!) + + -- Andreas Metzler Sat, 30 Nov 2019 13:41:59 +0100 + gnutls28 (3.6.7-4) unstable; urgency=medium * Cherry-pick important bug-fixes from 3.6.8: diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch --- gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.6.7/debian/patches/42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch 2019-11-30 13:41:59.0 +0100 
@@ -0,0 +1,63 @@ +From daa49b9e455d262a1a2bc1b641e72dc004e2cb3e Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Sat, 3 Aug 2019 21:51:58 +0200 +Subject: [PATCH] _gnutls_epoch_set_keys: do not forbid random padding in + TLS1.x CBC ciphersuites + +Since some point in 3.6.x we updated the calculation of maximum record size, +however that did not include the possibility of random record padding available +for CBC ciphersuites which exceeds the maximum. This commit allows for larger +sizes for these ciphersuites to account for random padding as applied by +gnutls 2.12.x. + +Resolves: #811 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + NEWS | 4 + lib/constate.c | 11 +-- + lib/record.c | 4 ++-- + 3 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/lib/constate.c b/lib/constate.c +index 51a4eca30..4c6ca0fd0 100644 +--- a/lib/constate.c b/lib/constate.c +@@ -707,10 +707,17 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch, hs_stage_t + return gnutls_assert_val(ret); + } + +- if (ver->tls13_sem) { ++ /* The TLS1.3 li
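Review bot: The lib/constate.c hunk of 42_rel3.6.10_01 relaxes the maximum record size computed in _gnutls_epoch_set_keys for TLS1.x CBC ciphersuites so that the random padding applied by gnutls 2.12.x fits; since that loosens a bound on accepted record length, the cherry-pick should be checked to include the companion lib/record.c change (4 ++-- in the diffstat) so the receive-side limit stays consistent with the new epoch calculation. The visible hunk ends at "++ /* The TLS1.3 li", so also confirm the complete patch applied to 3.6.7 without fuzz.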
Bug#939595: release.debian.org: Please bump urgency of exim4 4.92.1-3 to critical
Package: release.debian.org
Severity: normal

Hello,

In hindsight I have chosen the wrong urgency for exim4 4.92.1-3, a remote
root command execution should migrate as fast as possible. Could you please
bump the urgency/shorten the migration period?

urgent exim4/4.92.1-3

TIA, cu Andreas

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Bug#930490: unblock: exim4/4.92-8
set to a directory instead of a file + exim/GnuTLS would still send out the list of accepted certificates, + This did not match documented behavior. ++ 75_13-Use-dsn_from-for-success-DSN-messages.-Bug-2404.patch + The dsn_from option was not used for DSN success messages. + * Pulled from upstream GIT master: ++ 75_14-Fix-smtp-response-timeout.patch + Fix the timeout on smtp response to apply to the whole response instead + of resetting for every byte received. ++ 75_15-Fix-detection-of-32b-platform-at-build-time.-Bug-240.patch + https://bugs.exim.org/show_bug.cgi?id=2405 + ${eval } was broken on 32bit archs. + + -- Andreas Metzler Sat, 08 Jun 2019 17:37:43 +0200 + exim4 (4.92-7) unstable; urgency=medium * Upload to unstable. diff -Nru exim4-4.92/debian/patches/75_11-GnuTLS-fix-tls_out_ocsp-under-hosts_request_ocsp.patch exim4-4.92/debian/patches/75_11-GnuTLS-fix-tls_out_ocsp-under-hosts_request_ocsp.patch --- exim4-4.92/debian/patches/75_11-GnuTLS-fix-tls_out_ocsp-under-hosts_request_ocsp.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.92/debian/patches/75_11-GnuTLS-fix-tls_out_ocsp-under-hosts_request_ocsp.patch 2019-06-08 13:49:59.0 +0200 
@@ -0,0 +1,54 @@ +From 5e64b73ef7cdaf20b998b3345a588b462fd30bfb Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Tue, 7 May 2019 22:55:41 +0100 +Subject: [PATCH] GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp + +(cherry picked from commit 7a501c874f028f689c44999ab05bb0d39da46941) +--- + doc/ChangeLog | 3 +++ + src/tls-gnu.c | 12 + test/log/5651 | 2 +- + test/log/5730 | 8 + 4 files changed, 16 insertions(+), 9 deletions(-) + +--- a/doc/ChangeLog b/doc/ChangeLog +@@ -39,6 +39,9 @@ JH/11 Harden plaintext authenticator aga + library routine (usually a crash). Found by "zerons". + + ++JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the ++ verification result was not updated unless hosts_require_ocsp applied. ++ + + Exim version 4.92 + - +--- a/src/tls-gnu.c b/src/tls-gnu.c +@@ -2450,7 +2450,7 @@ if (!verify_certificate(state, errstr)) + } + + #ifndef DISABLE_OCSP +-if (require_ocsp) ++if (request_ocsp) + { + DEBUG(D_tls) + { +@@ -2474,10 +2474,14 @@ if (require_ocsp) + { + tlsp->ocsp = OCSP_FAILED; + tls_error(US"certificate status check failed", NULL, state->host, errstr); +-return NULL; ++if (require_ocsp) ++ return FALSE; ++} ++ else ++{ ++DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); ++tlsp->ocsp = OCSP_VFIED; + } +- DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); +- tlsp->ocsp = OCSP_VFIED; + } + #endif + diff -Nru exim4-4.92/debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch exim4-4.92/debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch --- exim4-4.92/debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.92/debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch 2019-06-08 13:50:55.0 +0200 
@@ -0,0 +1,42 @@ +From 44893ba5249c6c6d5a0d62a1cc57ba3fbf7185b4 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Sun, 19 May 2019 12:12:36 +0100 +Subject: [PATCH 1/2] GnuTLS: fix the advertising of acceptable certs by the + server. Bug 2389 + +(cherry picked from commit 12d95aa62042377fc9f603245a17a43142972447) +--- + doc/ChangeLog | 4 + src/tls-gnu.c | 8 + 2 files changed, 12 insertions(+) + +--- a/doc/ChangeLog b/doc/ChangeLog +@@ -42,6 +42,10 @@ JH/11 Harden plaintext authenticator aga + JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the + verification result was not updated unless hosts_require_ocsp applied. + ++JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in ++ directory-of-certs mode. Previously they were advertised despite the ++ documentation. ++ + + Exim version 4.92 + - +--- a/src/tls-gnu.c b/src/tls-gnu.c +@@ -1133,6 +1133,14 @@ else + #endif + gnutls_certificate_set_x509_trust_file(state->x509_cred, + CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM); ++ ++#ifdef SUPPORT_CA_DIR ++ /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list ++ when using the directory-of-certs config model. */ ++ ++ if ((statbuf.st_mode & S_IFMT) == S_IFDIR) ++gnutls_certificate_send_x509_rdn_sequence(state->session, 1); ++#endif + } + + if (cert_count < 0) diff -Nru exim4-4.92/debian/patches/75_13-Use-dsn_from-for-success-DSN-messages.-Bug-2404.patch exim4-4.92/debian/patches/75_13-Use-dsn_from-for-success-DSN-messages.-Bug-2404.patch --- exim4-4.92/debian/patches/75_13-Use-dsn_from-for-success-DSN-messages.-Bug-2404
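Review bot: In the 75_11 src/tls-gnu.c hunk, tls_error(US"certificate status check failed", NULL, state->host, errstr) is still called before the new "if (require_ocsp) return FALSE;", so when only hosts_request_ocsp applies the connection now continues with tlsp->ocsp = OCSP_FAILED but *errstr already populated; check that the caller does not later treat a non-NULL errstr as a delivery failure, or move the tls_error() call inside the require_ocsp branch and log the soft failure separately. The same hunk also turns "return NULL;" into "return FALSE;", which hints that the original return type was mismatched; a sentence in debian/changelog about that would help the reviewer.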
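Review bot: The 75_12 src/tls-gnu.c hunk reads statbuf.st_mode under #ifdef SUPPORT_CA_DIR, but the stat() that fills statbuf lies outside the visible context; confirm it is populated on every path that reaches gnutls_certificate_set_x509_trust_file, including the build without SUPPORT_CA_DIR. The doc/ChangeLog hunk of 75_12 also carries the JH/18 lines introduced by 75_11 as its context, so debian/patches/series must keep 75_11 ahead of 75_12 or that hunk will no longer apply.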
Bug#930491: unblock: gnutls28/3.6.7-4
[-3.6.7-3)-] {+3.6.7-4)+} Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls28-dev: lines which differ (wdiff format) --- Depends: libc6-dev | libc-dev, libgnutls-dane0 (= [-3.6.7-3),-] {+3.6.7-4),+} libgnutls-openssl27 (= [-3.6.7-3),-] {+3.6.7-4),+} libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libgnutlsxx28 (= [-3.6.7-3),-] {+3.6.7-4),+} libidn2-dev, libp11-kit-dev (>= 0.23.10), libtasn1-6-dev, nettle-dev (>= 3.4.1~rc1) Installed-Size: [-4312-] {+4313+} Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls30: lines which differ (wdiff format) --- Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutls30-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-febecd51bb621afd4a8f0352f55d6c2ed96df57a-] {+4d66d28cd2e7537e1e1d2905595b260226b22ad2+} Depends: libgnutls30 (= [-3.6.7-3)-] {+3.6.7-4)+} Installed-Size: [-4058-] {+4061+} Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutlsxx28: lines which differ (wdiff format) - Depends: libgnutls30 (= [-3.6.7-3),-] {+3.6.7-4),+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5) Version: [-3.6.7-3-] {+3.6.7-4+} Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format) Depends: libgnutlsxx28 (= [-3.6.7-3)-] {+3.6.7-4)+} Version: [-3.6.7-3-] {+3.6.7-4+} diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2019-05-19 10:48:52.0 +0200 +++ gnutls28-3.6.7/debian/changelog 2019-06-12 19:21:23.0 +0200 
@@ -1,3 +1,28 @@ +gnutls28 (3.6.7-4) unstable; urgency=medium + + * Cherry-pick important bug-fixes from 3.6.8: ++ 40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch + The gnutls_srp_set_server_credentials_function can be used with the 8192 + parameters as well. + https://gitlab.com/gnutls/gnutls/issues/761 ++ 40_rel3.6.8_05-lib-nettle-fix-carry-flag-in-Streebog-code.patch + Fix calculation of Streebog digests (incorrect carry operation in + 512 bit addition). ++ 40_rel3.6.8_10-ext-record_size_limit-distinguish-sending-and-receiv.patch + Fix compatibility of GnuTLS 3.6.[456] server with GnuTLS 3.6.7 client. + Closes: #929907 ++ 40_rel3.6.8_15-Apply-STD3-ASCII-rules-in-gnutls_idna_map.patch + Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain + crafting via IDNA conversion. + https://gitlab.com/gnutls/gnutls/issues/720 ++ 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch + Fixed bug preventing the use of gnutls_pubkey_verify_data2() and + gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN + flag. + https://gitlab.com/gnutls/gnutls/issues/754 + + -- Andreas Metzler Wed, 12 Jun 2019 19:21:23 +0200 + gnutls28 (3.6.7-3) unstable; urgency=medium * Revert debhelper upgrade, use DH 10. diff -Nru gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch --- gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.6.7/debian/patches/40_rel3.6.8_01-gnutls_srp_entry_free-follow-consistent-behavior-in.patch 2019-06-12 19:21:15.0 +0200 
@@ -0,0 +1,65 @@ +From 0bdca5d51f203cf414d645e75ac197e3fadfadc8 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Fri, 10 May 2019 06:30:12 +0200 +Subject: [PATCH] _gnutls_srp_entry_free: follow consistent behavior in freeing + data + +_gnutls_srp_entry_free would previously not free any parameters that +were known to gnutls to account for documented behavior of +gnutls_srp_set_server_credentials_function(). This was not updated +when the newly added 8192 parameter was added to the library. + +This introduces a safety check for generator parameters, even though +in practice they are the same pointer. + +Resolves: #761 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + NEWS | 3 +++ + lib/auth/srp_passwd.c | 12 + 2 files changed, 11 insertions(+), 4 deletions(-) + +--- a/NEWS b/NEWS +@@ -47,6 +47,9 @@ See the end for copying conditions. + + ** gnutls-cli: Added option --logfile to redirect informational messages output. + ++** libgnutls: the gnutls_srp_set_server_credentials_function can be used ++ with the 8192 parameters as well (#995). ++ + ** API and ABI modifications: + No changes since last version. + +--- a/lib/auth/srp_
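Review bot: The NEWS hunk of 40_rel3.6.8_01 cites "(#995)" while the commit trailer says "Resolves: #761" and debian/changelog links issues/761; this is upstream's wording, but NEWS hunks are the usual source of fuzz when cherry-picking into 3.6.7, so consider dropping the NEWS part of the patch (debian/changelog already records the issue) and keeping only the lib/auth/srp_passwd.c change.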
Bug#930490: unblock: exim4/4.92-8
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package exim4.

This upload pulls 5 patches from upstream GIT:
+ 75_11-GnuTLS-fix-tls_out_ocsp-under-hosts_request_ocsp.patch
  Fix expansion of $tls_out_ocsp under hosts_request_ocsp.
+ 75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch
  When tls_verify_certificates was set to a directory instead of a file
  exim/GnuTLS would still send out the list of accepted certificates.
  This did not match documented behavior.
+ 75_13-Use-dsn_from-for-success-DSN-messages.-Bug-2404.patch
  The dsn_from option was not used for DSN success messages.
+ 75_14-Fix-smtp-response-timeout.patch
  Fix the timeout on smtp response to apply to the whole response instead
  of resetting for every byte received.
+ 75_15-Fix-detection-of-32b-platform-at-build-time.-Bug-240.patch
  https://bugs.exim.org/show_bug.cgi?id=2405
  ${eval } was broken on 32bit archs.

unblock exim4/4.92-8

Thanks, cu Andreas
Bug#926412: unblock: gnutls28/3.6.7-2
On 2019-05-20 Paul Gevers wrote:
> On 19-05-2019 10:33, Andreas Metzler wrote:
>> I probably could try to pick the CVE related changes and other important
>> bug-fixes, however I do not think it is the right choice. The changes
>> will be smaller but the risk of breakage is higher.

> Can you explain why you believe that?

>> Also 3.6.7 now has
>> been tested in sid for almost two months now.

> Ack.

Hello Paul,

well, apart from the two CVE fixes there are many bugfixes in this release
that we probably want, e.g.
https://gitlab.com/gnutls/gnutls/issues/690
https://gitlab.com/gnutls/gnutls/issues/689
https://gitlab.com/gnutls/gnutls/issues/713
https://gitlab.com/gnutls/gnutls/issues/698
etc. Most of these are related to TLS 1.3. - They might not show up as bug
reports now because TLS1.3 is not that common yet but will probably cause
issues later in buster's lifetime. And the more fixes there are, the more
error-prone complicated cherry-picking is going to be.

>>> You bumped the debhelper compat level. That isn't a change we find
>>> acceptable during the freeze.
>>
>> I will immediately revert this if it helps.

> I don't have enough experience yet with reviewing unblocks, that I feel
> comfortable reviewing and unblocking the current package, so if you're
> insisting on the whole, somebody else will have to do the review. I am
> sure this revert will be a requirement though.

The revert has been in sid for a week now.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
Bug#926412: unblock: gnutls28/3.6.7-2
On 2019-05-18 Paul Gevers wrote:
[gnutls]
> Is it reasonably possible to split off the CVE changes and patch the
> version currently in testing? That would be much more comfortable for
> us. Either by reverting the new upstream version with e.g. an +really
> version number, or, but less preferred by us, via an upload to
> testing-proposed-updates.

Hello Paul,

I probably could try to pick the CVE related changes and other important
bug-fixes, however I do not think it is the right choice. The changes
will be smaller but the risk of breakage is higher. Also 3.6.7 now has
been tested in sid for almost two months now.

> You bumped the debhelper compat level. That isn't a change we find
> acceptable during the freeze.

I will immediately revert this if it helps.

cu Andreas
Bug#926412: unblock: gnutls28/3.6.7-2
On 2019-04-04 Andreas Metzler wrote:
[...]
> This is an upstream bugfix release featuring two security fixes
> + Fixes a memory corruption (double free) vulnerability in the
>   certificate verification API.
>   https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829
>   GNUTLS-SA-2019-03-27
> + Fixes an invalid pointer access via malformed TLS1.3 async messages;
>   https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836
>   GNUTLS-SA-2019-03-27
[...]

Ping?
Bug#926878: unblock: exim4/4.92-5
On 2019-04-11 Paul Gevers wrote:
> Control: tags -1 moreinfo
> Hi Andreas,
> On 11-04-2019 19:51, Andreas Metzler wrote:
>> The second notable change is related to sa-exim. Exim in Debian was
>> patched to allow dlopening a localscan() module. The single consumer of
>> this patch in Debian is sa-exim. (The patch also originates there.)
>> The patch in Debian has been nonfunctional in unstable for quite some
>> time (4.92~RC2-1/experimental/18 Dec, 4.92~RC3-1 unstable/26 Dec and
>> buster/03 Jan). The issue only popped up end of March on the upstream
>> user support ML.
>> Looking at the state of sa-exim (dead upstream since 2006 and buggy:
>> https://lists.exim.org/lurker/message/20180726.113354.6d03efde.en.html
>> #879687) we have decided to stop patching exim, which resulted in 4.92-5,
>> which
>> - improves the example/docs for content-scanning in exim without sa-exim
>> - drops the abovementioned patch and the virtual Provides for
>>   exim4-localscanapi-2.0 and also drops the exim-dev packages (only
>>   needed for sa-exim). Exim now also Conflicts with sa-exim.
> I am probably missing something, but as far as I see it, your packages
> can't migrate to testing/buster because it would make sa-exim
> uninstallable.

uninstallable and unbuildable.

> If I am right, please coordinate with the maintainer of
> sa-exim (in CC). At least at this moment they should agree that it is
> alright to remove sa-exim from buster. I am not seeing any serious bugs
> reported against sa-exim so they may not be aware of the issue.

I had X-Debbugs-Cc'ed sa-exim@pdo on this report. I will also open an RC bug
suggesting sa-exim removal to hash this out properly.

cu Andreas
Bug#926878: unblock: exim4/4.92-5
a65884d62d6506ce390b4f07 5955fdc7b64bc2f31b1e0b63c762a57924c2516e 9b6cfa23511aa8ae2305e45f556cd5238b07f495 bb23e5a1a9f351c2a608d482dfc1e00d9998c629 bc986da4b151ecfa52558aa9c20d03614d31dd25+} Depends: exim4-base (= [-4.92-2)-] {+4.92-5)+} Version: [-4.92-2-] {+4.92-5+} Control files of package exim4-config: lines which differ (wdiff format) Installed-Size: [-983-] {+985+} Version: [-4.92-2-] {+4.92-5+} Control files of package exim4-daemon-heavy: lines which differ (wdiff format) -- Conflicts: [-mail-transport-agent-] {+mail-transport-agent, sa-exim+} Installed-Size: [-1477-] {+1537+} Provides: [-exim4-localscanapi-2.0,-] mail-transport-agent Version: [-4.92-2-] {+4.92-5+} Control files of package exim4-daemon-heavy-dbgsym: lines which differ (wdiff format) - Build-Ids: [-50c2969f4b54bc47c33c513e27a89cd4a09d728d-] {+bd894614600fc329441d05ceb08017719b489417+} Depends: exim4-daemon-heavy (= [-4.92-2)-] {+4.92-5)+} Installed-Size: [-2646-] {+2631+} Version: [-4.92-2-] {+4.92-5+} Control files of package exim4-daemon-light: lines which differ (wdiff format) -- Conflicts: [-mail-transport-agent-] {+mail-transport-agent, sa-exim+} Installed-Size: [-1332-] {+1324+} Provides: default-mta, [-exim4-localscanapi-2.0,-] mail-transport-agent Version: [-4.92-2-] {+4.92-5+} Control files of package exim4-daemon-light-dbgsym: lines which differ (wdiff format) - Build-Ids: [-51279c0f518a9e2a849c64a89ff8eaadcabe26fa-] {+caa4ade19a8e042ebf7f9f22782142cbd56bcd2b+} Depends: exim4-daemon-light (= [-4.92-2)-] {+4.92-5)+} Installed-Size: [-2260-] {+2247+} Version: [-4.92-2-] {+4.92-5+} Control files of package eximon4: lines which differ (wdiff format) --- Installed-Size: [-212-] {+216+} Version: [-4.92-2-] {+4.92-5+} Control files of package eximon4-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-a31149847f6ae982b262e6aec59d3afa2e9ae841-] {+5ef1dbf7d44b659418b55dd4a173cda74ecad278+} Depends: eximon4 (= [-4.92-2)-] {+4.92-5)+} Version: [-4.92-2-] {+4.92-5+} diff -Nru 
exim4-4.92/debian/changelog exim4-4.92/debian/changelog --- exim4-4.92/debian/changelog 2019-02-20 19:23:11.0 +0100 +++ exim4-4.92/debian/changelog 2019-04-07 13:39:31.0 +0200 @@ -1,3 +1,33 @@ +exim4 (4.92-5) unstable; urgency=medium + + * Improved spam-scanning example with accompaning information in +README.Debian. Explicitly warn about adding the default SpamAssassin +report in a header, which Closes: #774553 + * Drop 90_localscan_dlopen.dpatch. (It has been non-functional for a couple +of months.) Closes: #925982 Add a Conflicts for sa-exim, which relied on +the (working) version of the patch. Drop exim4-dev package. Add a NEWS +entry for this change. + + -- Andreas Metzler Sun, 07 Apr 2019 13:39:31 +0200 + +exim4 (4.92-4) unstable; urgency=medium + + * Another patch from exim-4.92+fixes branch: +75_10-Harden-plaintext-authenticator.patch + + -- Andreas Metzler Fri, 22 Mar 2019 07:15:20 +0100 + +exim4 (4.92-3) unstable; urgency=medium + + * Pull fixes from exim-4.92+fixes branch. ++ 75_05-Fix-expansions-for-RFC-822-addresses-having-comments.patch ++ 75_06-Docs-Add-note-on-lsearch-for-IPv4-mapped-IPv6-addres.patch ++ 75_07-Fix-crash-from-SRV-lookup-hitting-a-CNAME.patch ++ 75_08-Logging-fix-initial-listening-on-log-line.patch ++ 75_09-OpenSSL-Fix-aggregation-of-messages.patch + + -- Andreas Metzler Wed, 20 Mar 2019 17:01:29 +0100 + exim4 (4.92-2) unstable; urgency=medium * Upload to unstable. diff -Nru exim4-4.92/debian/control exim4-4.92/debian/control --- exim4-4.92/debian/control 2019-02-17 13:13:18.0 +0100 +++ exim4-4.92/debian/control 2019-04-07 13:39:31.0 +0200 @@ -138,10 +138,9 @@ Architecture: any Priority: optional Provides: - exim4-localscanapi-2.0, mail-transport-agent, ${dist:Provides:exim4-daemon-light} -Conflicts: mail-transport-agent +Conflicts: mail-transport-agent, sa-exim Replaces: exim4-base (<= 4.61-1), mail-transport-agent Depends: exim4-base (>= ${Upstream-Version}), 
@@ -202,8 +201,8 @@ Package: exim4-daemon-heavy Architecture: any Priority: optional -Provides: exim4-localscanapi-2.0, mail-transport-agent -Conflicts: mail-transport-agent +Provides: mail-transport-agent +Conflicts: mail-transport-agent, sa-exim Replaces: exim4-base (<= 4.61-1), mail-transport-agent Depends: exim4-base (>= ${Upstream-Version}), @@ -238,8 +237,8 @@ #Package: exim4-daemon-custom #Architecture: any #Priority: optional -#Provides: exim4-lo
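Review bot: typo in the 4.92-5 changelog entry, "accompaning" should be "accompanying". The same entry says sa-exim "relied on the (working) version of the patch" but does not say that the new Conflicts leaves sa-exim uninstallable, which is exactly what blocks migration according to the thread above; stating the intended sa-exim removal (and its RC bug once filed) in the entry would save the release team the question.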
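Review bot: the `-Conflicts: mail-transport-agent` / `+Conflicts: mail-transport-agent, sa-exim` change in both the exim4-daemon-light (@@ -138) and exim4-daemon-heavy (@@ -202) stanzas is unversioned, and the `exim4-localscanapi-2.0` Provides disappears in the same hunks, so no sa-exim build can ever be co-installed with either daemon again. Since sa-exim merely stops working once the dlopen hook is gone rather than shipping clashing files, `Breaks: sa-exim` is the milder relation; if outright removal of sa-exim is the plan, a comment next to the relation saying so would help whoever later wonders whether it can be dropped.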
Bug#926412: unblock: gnutls28/3.6.7-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package gnutls28.

This is an upstream bugfix release featuring two security fixes
+ Fixes a memory corruption (double free) vulnerability in the
  certificate verification API.
  https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829
  GNUTLS-SA-2019-03-27
+ Fixes an invalid pointer access via malformed TLS1.3 async messages;
  https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836
  GNUTLS-SA-2019-03-27

One of these is fixed by a hardening measure (gnutls_free() will
automatically set the free'd pointer to NULL.)

It also unbreaks vlc (#922879) and has some TLS1.3 related changes.

The straight debdiff is huge, because of a) usual release updates of
autogenerated files and b) because it includes a global 's/http:/https:/'.
Stripped down debdiff is attached.

unblock gnutls28/3.6.7-2

cu Andreas
Bug#910445: stretch-pu: package gnutls28/3.5.8-5+deb9u4
+deb9u4+} Control files of package libgnutls-dane0: lines which differ (wdiff format) --- Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 2.14), libunbound2 (>= 1.4.1) Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-25228bbeb1c692f8764099a856ab8c9463f7c325-] {+1c399494f95f5e9ff28fcbd0243e96639fad69d3+} Depends: libgnutls-dane0 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+} Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutls-openssl27: lines which differ (wdiff format) --- Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 2.14) Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-baf0016a0105eb9eb689bd33997207d4a704386d-] {+51a6d9549543590e69584a2dd9df4e919cd62918+} Depends: libgnutls-openssl27 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+} Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutls28-dev: lines which differ (wdiff format) --- Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutls-openssl27 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutlsxx28 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libgnutls-dane0 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} nettle-dev, libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31) Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutls30: lines which differ (wdiff format) --- Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutls30-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-07a8f58a7e4e32a36feee7511f728d5896439b13-] {+1c1bc93c559cfe2ebd1b5676fa4b355118edf38e+} Depends: libgnutls30 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+} Installed-Size: [-2880-] {+2882+} Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} 
Control files of package libgnutlsxx28: lines which differ (wdiff format) - Depends: libgnutls30 (= [-3.5.8-5+deb9u3),-] {+3.5.8-5+deb9u4),+} libc6 (>= 2.4), libgcc1 (>= 1:3.0), libstdc++6 (>= 5) Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff format) Build-Ids: [-a8a2ad066f20b10398a4047b4a5ac2032fdcc3d7-] {+f443a08baf0b78f1286c82e9d3e085c83734d37b+} Depends: libgnutlsxx28 (= [-3.5.8-5+deb9u3)-] {+3.5.8-5+deb9u4)+} Version: [-3.5.8-5+deb9u3-] {+3.5.8-5+deb9u4+} diff -Nru gnutls28-3.5.8/debian/changelog gnutls28-3.5.8/debian/changelog --- gnutls28-3.5.8/debian/changelog 2017-07-23 14:28:37.0 +0200 +++ gnutls28-3.5.8/debian/changelog 2018-10-06 14:06:18.0 +0200 @@ -1,3 +1,14 @@ +gnutls28 (3.5.8-5+deb9u4) stretch; urgency=medium + + * Pull fixes for CVE-2018-10844 and CVE-2018-10845 from gnutls 3.5.19 ++ 39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch ++ 39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch ++ 39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch ++ 39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch ++ 39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch + + -- Andreas Metzler Sat, 06 Oct 2018 14:06:18 +0200 + gnutls28 (3.5.8-5+deb9u3) stretch; urgency=medium * 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch diff -Nru gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch --- gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.5.8/debian/patches/39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch 2018-10-06 13:53:23.0 +0200 
@@ -0,0 +1,92 @@ +From e14d85eb8b1987d86f7b1d101a0e7795675d20d4 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Tue, 12 Jun 2018 14:22:52 +0200 +Subject: [PATCH 1/5] dummy_wait: correctly account the length field in SHA384 + HMAC + +The existing lucky13 attack count-measures did not work correctly for +SHA384 HMAC. + +The overall
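Review bot: the 3.5.8-5+deb9u4 changelog entry lists five patches pulled from 3.5.19 as the CVE-2018-10844/CVE-2018-10845 fix, but `39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch` reads as if it removes ciphersuites from something; if that is the default priority list rather than only the test suite, it is a behaviour change for a stretch point update and the entry (or a NEWS file) should say so explicitly rather than leaving it to the patch name.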
Bug#901551: unblock: libgcrypt20/1.8.3-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libgcrypt20, this is an upstream bugfix/security
release of the stable branch, fixing CVE-2018-0495.
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

unblock libgcrypt20/1.8.3-1

thanks,
cu Andreas
Bug#892802: transition: efl
On 2018-04-08 Andreas Metzler <ametz...@bebt.de> wrote:
> On 2018-04-08 Emilio Pozuelo Monfort <po...@debian.org> wrote:
>> On 08/04/18 07:45, Andreas Metzler wrote:
>[...]
>>> it looks like the transition needs some brute force/hint. Both efl and
>>> e17 are valid candidates, but do not propagate. Could somebody please
>>> take a look?
>> efl needs to be decrufted. For that, elementary should be removed
>> (AFAIK it's replaced by the new efl) so an RM bug against
>> ftp.debian.org is needed.
> Submitted as #895221

Status update:
+ elementary has been removed.
+ *Somehow* related exactimage/1.0.1-2 has dropped edisplay and therefore
  any efl-related dependency. It is only 2/5 days old. However this should
  not delay efl anymore since edisplay/testing's dependencies can still be
  fulfilled by efl/sid.

cu Andreas
Bug#892802: transition: efl
On 2018-04-08 Emilio Pozuelo Monfort <po...@debian.org> wrote:
> On 08/04/18 07:45, Andreas Metzler wrote:
[...]
>> it looks like the transition needs some brute force/hint. Both efl and
>> e17 are valid candidates, but do not propagate. Could somebody please
>> take a look?
> efl needs to be decrufted. For that, elementary should be removed
> (AFAIK it's replaced by the new efl) so an RM bug against
> ftp.debian.org is needed.

Submitted as #895221

cu Andreas
Bug#892802: transition: efl
On 2018-03-13 Ross Vandegrift wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> Hello,
> I'd like to request a transition for efl from experimental -> unstable. This
> release takes over a few other source packages. It also reverses some
> Debian-local ABI & soname deviations from the upstream releases.
[...]

Hello,

it looks like the transition needs some brute force/hint. Both efl and
e17 are valid candidates, but do not propagate. Could somebody please
take a look?

cu Andreas
Bug#892802: transition: efl
On 2018-03-13 Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
> On 13/03/18 08:15, Ross Vandegrift wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>> Hello,
>> I'd like to request a transition for efl from experimental -> unstable. This
>> release takes over a few other source packages. It also reverses some
>> Debian-local ABI & soname deviations from the upstream releases.
[...]
> It looks good. Please go ahead and upload the affected packages to unstable,
> then I'll schedule the binNMUs for the "bad" packages listed in
> https://release.debian.org/transitions/html/auto-efl.html

Hello Emilio,

efl has been built on all archs it is going to build on[1], could you please
trigger the first run of binnmus?

FWIW the auto-efl tracker does not seem to work at all, I guess because
"good" and "bad" are not disjunct.

TIA,
cu Andreas

[1] s390x is lacking luajit
Re: mariadb-10.1 fails to propagate to testing
On 2017-11-26 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> On Sun, 2017-11-26 at 16:22 +0100, Andreas Metzler wrote:
>> mariadb-10.1 1:10.1.29-6 seems to be stuck in sid. It does not
>> propagate to testing although
>> https://qa.debian.org/excuses.php?package=mariadb-10.1 lists it as
>> valid candidate.
>> Could you please check the cause?
> There's a bit of backstory, but effectively: the mariadb-test binary
> package in testing is built from the mariadb-10.1 source package, and
> has strictly versioned dependencies on other binaries built from that
> source package. In unstable, the mariadb-10.2 source package builds the
> binary package instead, but FTBFS on several architectures so is not a
> candidate. The net result is that when britney tries to migrate mariadb
> -10.1 1:10.1.29-6, the mariadb-test binary package in testing becomes
> uninstallable, and the migration attempt is aborted.

Hello,

So essentially if mariadb-10.1 migrated, a mariadb-10.1 with mariadb-test
would be replaced by a mariadb-10.1 without mariadb-test? Given that afaict
mariadb-test has no reverse dependencies could you consider forcing the
migration? I am asking since mariadb blocks exim, which urgently needs an
update.

Thanks,
cu Andreas
mariadb-10.1 fails to propagate to testing
Hello,

mariadb-10.1 1:10.1.29-6 seems to be stuck in sid. It does not propagate to
testing although https://qa.debian.org/excuses.php?package=mariadb-10.1
lists it as valid candidate.

Could you please check the cause?

Thanks,
cu Andreas
Bug#873855: unblock: libgcrypt20/1.7.9-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libgcrypt20, it includes the fix for CVE-2017-0379
https://www.debian.org/security/2017/dsa-3959

TIA,
cu Andreas

unblock libgcrypt20/1.7.9-1
Bug#869434: stretch-pu: package gnutls28/3.5.8-5+deb9u3
On 2017-08-08 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> On Sun, 2017-07-23 at 15:28 +0200, Andreas Metzler wrote:
>> gnutls upstream has pointed out that it would make sense to pull
>> two patches from 3.5.14. These improve interoperability by avoiding
>> incorrect OCSP verification errors. These errors could become quite
>> common with growing popularity of ecdsa signatures.
> Please go ahead.

Thanks, uploaded.

cu Andreas
Bug#869434: stretch-pu: package gnutls28/3.5.8-5+deb9u3
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello, gnutls upstream has pointed out that it would make sense to pull two patches from 3.5.14. These improve interoperability by avoiding incorrect OCSP verification errors. These errors could become quite common with growing popularity of ecdsa signatures. thanks, cu Andreas diff -Nru gnutls28-3.5.8/debian/changelog gnutls28-3.5.8/debian/changelog --- gnutls28-3.5.8/debian/changelog 2017-07-08 10:29:05.0 +0200 +++ gnutls28-3.5.8/debian/changelog 2017-07-23 14:28:37.0 +0200 @@ -1,3 +1,14 @@ +gnutls28 (3.5.8-5+deb9u3) stretch; urgency=medium + + * 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch +38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from +gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa +signatures. +https://gitlab.com/gnutls/gnutls/issues/223 +Thanks to Nikos Mavrogiannopoulos for the suggestion. + + -- Andreas Metzler <ametz...@debian.org> Sun, 23 Jul 2017 14:28:37 +0200 + gnutls28 (3.5.8-5+deb9u2) stretch; urgency=medium * 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from diff -Nru gnutls28-3.5.8/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch gnutls28-3.5.8/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch --- gnutls28-3.5.8/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.5.8/debian/patches/38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch 2017-07-23 13:49:16.0 +0200 
@@ -0,0 +1,56 @@ +From 4115dda443f38119ad46262f7f4adc78cfa1bf83 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Fri, 30 Jun 2017 10:04:01 +0200 +Subject: [PATCH 1/2] OCSP: check the subject public key identifier field to + figure issuer + +Normally when attempting to match the 'Responder Key ID' in an OCSP response +against the issuer certificate we check (according to RFC6960) against the +hash of the SPKI field. However, in few certificates (see commit: +"added ECDSA OCSP response verification"), that may not be the case. In that +certificate, that value matches the Subject Public Key identifier field +but not the hash. + +To account for these certificates, we enhance the matching to also consider +the Subject Public Key identifier field. + +Relates: #223 + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + lib/x509/ocsp.c | 17 - + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c +index dcdf435d2..68e721eaa 100644 +--- a/lib/x509/ocsp.c b/lib/x509/ocsp.c +@@ -1923,9 +1923,24 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp) + + for (i = 0; i < ncerts; i++) { + if (keyid.data != NULL) { +- uint8_t digest[20]; ++ uint8_t digest[128]; /* to support longer key IDs */ + gnutls_datum_t spki; ++ size_t digest_size = sizeof(digest); + ++ _gnutls_debug_log("checking key ID against SPK identifier\n"); ++ ++ /* check subject key identifier as well, some certificates ++ * match that, but not the hash */ ++ rc = gnutls_x509_crt_get_subject_key_id(certs[i], digest, _size, NULL); ++ if (rc >= 0 && digest_size == keyid.size && ++ memcmp(keyid.data, digest, digest_size) == 0) { ++signercert = certs[i]; ++goto quit; ++ } ++ ++ _gnutls_debug_log("checking key ID against SPKI hash\n"); ++ ++ /* continue with checking the hash */ + rc = _gnutls_x509_get_raw_field2(certs[i]->cert, [i]->der, + "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", + ); +-- +2.13.2 + diff 
-Nru gnutls28-3.5.8/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch gnutls28-3.5.8/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch --- gnutls28-3.5.8/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.5.8/debian/patches/38_02-OCSP-find_signercert-improved-DER-length-calculation.patch 2017-07-23 13:49:16.0 +0200 @@ -0,0 +1,77 @@ +From 3c36d980d447251b34677c21bd4a141829c045f6 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@gnutls.org> +Date: Sat, 1 Jul 2017 10:50:57 +0200 +Subject: [PATCH 2/2] OCSP: find_signercert: improved DER length calculation + +Previously we were assuming a fixed amount of length bytes which +is not correct for all possible lengths. Use libtasn1 to decode +the length field. + +Resolves: #223 + +Signed-off-by: Nikos Mavrogiannopoulos <n...@gnutls.org> +--- + lib/x509/ocsp.c | 30 -- + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c +in
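Review bot: in the lib/x509/ocsp.c hunk of 38_01 the new Subject Key Identifier comparison guards the memcmp() with `rc >= 0 && digest_size == keyid.size`, so a key ID longer than the 128-byte `digest` (negative return from gnutls_x509_crt_get_subject_key_id) or of a different length simply falls through to the existing SPKI-hash comparison; that is the right failure direction. Note that the hunk as rendered in this archive has lost its `&` characters (`_size`, `[i]->der`, the bare `);` after the subjectPublicKey field name), so it cannot be applied from this mail; take it from upstream commit 4115dda443f38119ad46262f7f4adc78cfa1bf83 named in the header.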
Bug#867659: stretch-pu: package gnutls28/3.5.8-5+deb9u2
On 2017-07-15 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + confirmed
> On Sat, 2017-07-08 at 10:52 +0200, Andreas Metzler wrote:
>> I would like to fix #867581 in stable by pulling the patch from 3.5.13.
>> The issue is about broken AES-GCM in-place encryption and decryption on
>> aarch64.
> Please go ahead, bearing in mind that the window for 9.1 closes this
> weekend.

Thank you, uploaded.

cu Andreas
Bug#867665: transition: wmaker
On 2017-07-09 Jonathan Wiltshire <j...@debian.org> wrote:
> Control: tag -1 confirmed
> On Sat, Jul 08, 2017 at 01:22:26PM +0200, Andreas Metzler wrote:
>> wmaker 0.95.8 features a soname bump of libwraster. There are only 3
>> other packages involved (wdm, wmforecast and wmweather+) and all of them
>> build fine against the libwmaker-dev in experimental.
> Please go ahead.

Thanks, I have just uploaded to sid.

cu Andreas
Bug#867665: transition: wmaker
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

wmaker 0.95.8 features a soname bump of libwraster. There are only 3
other packages involved (wdm, wmforecast and wmweather+) and all of them
build fine against the libwmaker-dev in experimental.

The auto-wmaker tracker looks fine, here is the Ben file generated by
reportbug:

title = "wmaker";
is_affected = .depends ~ "libwraster5" | .depends ~ "libwraster6";
is_good = .depends ~ "libwraster6";
is_bad = .depends ~ "libwraster5";

cu Andreas
Bug#867659: stretch-pu: package gnutls28/3.5.8-5+deb9u2
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello, I would like to fix #867581 in stable by pulling the patch from 3.5.13. The issue is about broken AES-GCM in-place encryption and decryption on aarch64. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru gnutls28-3.5.8/debian/changelog gnutls28-3.5.8/debian/changelog --- gnutls28-3.5.8/debian/changelog 2017-06-16 07:47:11.0 +0200 +++ gnutls28-3.5.8/debian/changelog 2017-07-08 10:29:05.0 +0200 @@ -1,3 +1,11 @@ +gnutls28 (3.5.8-5+deb9u2) stretch; urgency=medium + + * 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from +upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and +decryption on aarch64. Closes: #867581 + + -- Andreas Metzler <ametz...@debian.org> Sat, 08 Jul 2017 10:29:05 +0200 + gnutls28 (3.5.8-5+deb9u1) stretch-security; urgency=high * 36_CVE-2017-7507_*.patch: Pulled from 3.5.13, fix crash upon receiving diff -Nru gnutls28-3.5.8/debian/patches/37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch gnutls28-3.5.8/debian/patches/37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch --- gnutls28-3.5.8/debian/patches/37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.5.8/debian/patches/37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch 2017-07-07 19:43:55.0 +0200 
@@ -0,0 +1,57 @@ +From 864e8d4e3ba87f53df7bdef695661415ed60a018 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Mon, 22 May 2017 14:41:56 +0200 +Subject: [PATCH] aarch64: fix AES-GCM in-place encryption and decryption + +Resolves #204 + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + lib/accelerated/aarch64/aes-gcm-aarch64.c | 24 + 1 file changed, 24 insertions(+) + +diff --git a/lib/accelerated/aarch64/aes-gcm-aarch64.c b/lib/accelerated/aarch64/aes-gcm-aarch64.c +index c571d0294..8d2bc1dce 100644 +--- a/lib/accelerated/aarch64/aes-gcm-aarch64.c b/lib/accelerated/aarch64/aes-gcm-aarch64.c +@@ -153,6 +153,27 @@ gcm_ghash(struct aes_gcm_ctx *ctx, const uint8_t * src, size_t src_size) + } + + static void ++ctr32_encrypt_blocks_inplace(const unsigned char *in, unsigned char *out, ++ size_t blocks, const AES_KEY *key, ++ const unsigned char ivec[16]) ++{ ++ unsigned i; ++ uint8_t ctr[16]; ++ uint8_t tmp[16]; ++ ++ memcpy(ctr, ivec, 16); ++ ++ for (i=0;i<blocks;i++) { ++ aes_v8_encrypt(ctr, tmp, key); ++ memxor3(out, tmp, in, 16); ++ ++ out += 16; ++ in += 16; ++ INCREMENT(16, ctr); ++ } ++} ++ ++static void + ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, + size_t blocks, const AES_KEY *key, + const unsigned char ivec[16]) +@@ -160,6 +181,9 @@ ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, + unsigned i; + uint8_t ctr[16]; + ++ if (in == out) ++ return ctr32_encrypt_blocks_inplace(in, out, blocks, key, ivec); ++ + memcpy(ctr, ivec, 16); + + for (i=0;i<blocks;i++) { +-- +2.13.2 + diff -Nru gnutls28-3.5.8/debian/patches/series gnutls28-3.5.8/debian/patches/series --- gnutls28-3.5.8/debian/patches/series 2017-06-16 07:47:04.0 +0200 +++ gnutls28-3.5.8/debian/patches/series 2017-07-07 19:43:58.0 +0200 
@@ -12,3 +12,4 @@ 36_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-properly-.patch 36_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-responder-.patch 36_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-documented-.patch +37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch signature.asc Description: PGP signature
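Review bot: typo in the 3.5.8-5+deb9u2 changelog entry, "Fix breakage if AES-GCM in-place encryption" should read "of AES-GCM in-place encryption"; the entry also cites only "upstream 3.5.x branch", while the patch header carries the commit id 864e8d4e3ba87f53df7bdef695661415ed60a018 and "Resolves #204", either of which would make the origin easier to trace from the changelog alone.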
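Review bot: the `if (in == out)` test added to ctr32_encrypt_blocks in lib/accelerated/aarch64/aes-gcm-aarch64.c only catches exact aliasing; buffers that partially overlap still take the original path and would be corrupted the same way. If the cipher API contract only ever passes identical or disjoint buffers that is fine, but a one-line comment stating that contract next to the check would save the next reader the question. The in-place variant itself looks right: each block is encrypted into the 16-byte `tmp` first and only then combined with `memxor3(out, tmp, in, 16)`, so nothing reads `in` after `out` has been written.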
Bug#865763: jessie-pu: package gnutls28/3.3.8-6+deb8u7
On 2017-06-27 Cyril Brulebois <k...@debian.org> wrote:
> Andreas Metzler <ametz...@bebt.de> (2017-06-24):
>> would like to fix the following issue in gnutls28/jessie (It was fixed
>> in 3.5.3 and therefore does not apply to stretch/buster/sid).
>> Quoting #865297:
>>
>> If the application closes open files during startup (e.g., a daemon),
>> it may close the file that gnutls has open for /dev/urandom. The
>> recommended way to handle this situation is to call
>> gnutls_global_init() again. This will check if the fd for /dev/urandom
>> is still valid and re-open it if not.
>>
>> Unfortunately, the way that the /dev/urandom fd is checked is not
>> reliable. It only checks the mode, which might be the same if the
>> application reused the fd for another character device with the same
>> permissions (e.g., /dev/null).
>>
> The patch looks good to me, but I'd like to get a clarification: is the
> fix in 3.5.3 based on the same patch, or was a different route taken?

Yes, the same route was taken. The patch on the gnutls_3_3_x branch
5006914fda50f25807451a03616cdf2e7be0268f was picked and unfuzzed from
408cfd7a3afba0c5a2310c5cbcee581f57d9248c on gnutls_3_5_x

> I'd like to avoid letting something go through (o-)p-u that hasn't seen
> much testing elsewhere.

Understandable. ;-)

cu Andreas
Bug#865763: jessie-pu: package gnutls28/3.3.8-6+deb8u7
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hello, would like to fix the following issue in gnutls28/jessie (It was fixed in 3.5.3 and therefore does not apply to stretch/buster/sid). Quoting #865297: If the application closes open files during startup (e.g., a daemon), it may close the file that gnutls has open for /dev/urandom. The recommended way to handle this situation is to call gnutls_global_init() again. This will check if the fd for /dev/urandom is still valid and re-open it if not. Unfortunately, the way that the /dev/urandom fd is checked is not reliable. It only checks the mode, which might be the same if the application reused the fd for another character device with the same permissions (e.g., /dev/null). Thanks for considering, cu Andreas diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog --- gnutls28-3.3.8/debian/changelog 2017-06-16 07:39:56.0 +0200 +++ gnutls28-3.3.8/debian/changelog 2017-06-24 17:50:29.0 +0200 
@@ -1,3 +1,13 @@ +gnutls28 (3.3.8-6+deb8u7) jessie; urgency=medium + + * 57_urandom-use-st_ino-and-st_rdev-to-determine-device-u.patch from +upstream gnutls_3_3_x branch: Improve check for /dev/urandom uniqueness. +Ensure that when gnutls_global_init() is called for a second time that +/dev/urandom is re-opened when the inode or device ID has changed. +Closes: #865297 + + -- Andreas Metzler <ametz...@debian.org> Sat, 24 Jun 2017 17:50:21 +0200 + gnutls28 (3.3.8-6+deb8u6) jessie-security; urgency=high * 56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch diff -Nru gnutls28-3.3.8/debian/patches/57_urandom-use-st_ino-and-st_rdev-to-determine-device-u.patch gnutls28-3.3.8/debian/patches/57_urandom-use-st_ino-and-st_rdev-to-determine-device-u.patch --- gnutls28-3.3.8/debian/patches/57_urandom-use-st_ino-and-st_rdev-to-determine-device-u.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.3.8/debian/patches/57_urandom-use-st_ino-and-st_rdev-to-determine-device-u.patch 2017-06-24 17:49:20.0 +0200 
@@ -0,0 +1,56 @@ +From 5006914fda50f25807451a03616cdf2e7be0268f Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Fri, 15 Jul 2016 14:58:07 +0200 +Subject: [PATCH] urandom: use st_ino and st_rdev to determine device + uniqueness + +--- + lib/nettle/rnd-common.c | 11 +++ + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/nettle/rnd-common.c b/lib/nettle/rnd-common.c +index 47d2b0edd..33a71d351 100644 +--- a/lib/nettle/rnd-common.c b/lib/nettle/rnd-common.c +@@ -137,7 +137,8 @@ void _rnd_system_entropy_deinit(void) + #include "egd.h" + + static int _gnutls_urandom_fd = -1; +-static mode_t _gnutls_urandom_fd_mode = 0; ++static ino_t _gnutls_urandom_fd_ino = 0; ++static dev_t _gnutls_urandom_fd_rdev = 0; + + static int _rnd_get_system_entropy_urandom(void* _rnd, size_t size) + { +@@ -202,7 +203,7 @@ int _rnd_system_entropy_check(void) + struct stat st; + + ret = fstat(_gnutls_urandom_fd, ); +- if (ret < 0 || st.st_mode != _gnutls_urandom_fd_mode) { ++ if (ret < 0 || st.st_ino != _gnutls_urandom_fd_ino || st.st_rdev != _gnutls_urandom_fd_rdev) { + return _rnd_system_entropy_init(); + } + return 0; +@@ -224,7 +225,8 @@ int _rnd_system_entropy_init(void) + fcntl(_gnutls_urandom_fd, F_SETFD, old | FD_CLOEXEC); + + if (fstat(_gnutls_urandom_fd, ) >= 0) { +- _gnutls_urandom_fd_mode = st.st_mode; ++ _gnutls_urandom_fd_ino = st.st_ino; ++ _gnutls_urandom_fd_rdev = st.st_rdev; + } + + _rnd_get_system_entropy = _rnd_get_system_entropy_urandom; +@@ -240,7 +242,8 @@ fallback: + } + + if (fstat(_gnutls_urandom_fd, ) >= 0) { +- _gnutls_urandom_fd_mode = st.st_mode; ++ _gnutls_urandom_fd_ino = st.st_ino; ++ _gnutls_urandom_fd_rdev = st.st_rdev; + } + + _rnd_get_system_entropy = _rnd_get_system_entropy_egd; +-- +2.11.0 + diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series --- gnutls28-3.3.8/debian/patches/series 2017-06-15 16:13:12.0 +0200 +++ gnutls28-3.3.8/debian/patches/series 2017-06-24 17:50:33.0 
+0200 @@ -36,3 +36,4 @@ 56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch 56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch 56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch +57_urandom-use-st_ino-and-st_rdev-to-determine-device-u.patch signature.asc Description: PGP signature
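Review bot: the second argument of every fstat() call in the quoted 57_urandom patch is empty ("fstat(_gnutls_urandom_fd, )"), almost certainly "&st" lost when the mail was rendered; please diff the patch file in the upload against upstream commit 5006914fda50f25807451a03616cdf2e7be0268f before accepting. On the substance, comparing st_ino together with st_rdev in _rnd_system_entropy_check() closes the hole the changelog describes: a descriptor number reused for another world-writable character device such as /dev/null passed the old st_mode-only test and was then read as if it were /dev/urandom. The same pair of assignments is repeated in the urandom and EGD initialisation paths (hunks at lines 224 and 240); a small helper would remove the duplication, but keeping the cherry-pick identical to upstream is the better trade-off for a stable update.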
Bug#864968: transition: libunistring
On 2017-06-18 Jörg Frings-Fürstwrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: transition > Hello, > I'd want to upload libunistring 0.9.7 to unstable. The ABI is bumped. [...] Hello, Point of information: Afaict from the changelog the only reason for the soname bump in 0.9.4 is this one: - diff -NurbBp xxx-libunistring-dev_0.9.6+really0.9.3-0.1/usr/include/unistr.h xxx-libunistring-dev_0.9.7-1/usr/include/unistr.h --- xxx-libunistring-dev_0.9.6+really0.9.3-0.1/usr/include/unistr.h 2016-05-27 12:54:58.0 +0200 +++ xxx-libunistring-dev_0.9.7-1/usr/include/unistr.h 2017-06-10 12:18:01.0 +0200 @@ -562,12 +595,23 @@ extern uint32_t * /* Compare S1 and S2. */ /* Similar to strcmp(), wcscmp(). */ +#ifdef __sun +/* Avoid a collision with the u8_strcmp() function in Solaris 11 libc. */ +extern int + u8_strcmp_gnu (const uint8_t *s1, const uint8_t *s2) + _UC_ATTRIBUTE_PURE; +# define u8_strcmp u8_strcmp_gnu +#else extern int - u8_strcmp (const uint8_t *s1, const uint8_t *s2); + u8_strcmp (const uint8_t *s1, const uint8_t *s2) + _UC_ATTRIBUTE_PURE; +#endif - i.e. it is specific to __sun. So afaict this transition should go smoothly without breakage of programs linking against both version of libunistring although libunistring does not use versioned symbols. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
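Review bot: the quoted unistr.h hunk only adds _UC_ATTRIBUTE_PURE to the existing u8_strcmp declaration and renames the symbol to u8_strcmp_gnu inside #ifdef __sun, so on Debian the exported symbol name is unchanged and a pure attribute does not alter the calling convention; that supports the claim that nothing links differently because of this hunk. The hunk header (@@ -562,12 +595,23 @@) shows the surrounding file already shifted by 33 lines, so it is worth confirming that the earlier hunks in the same header do not touch other declarations before concluding the soname bump carries no further ABI change.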
unblocking for stretch point release?
Hello,

I first understood the latest mail to -announce ("Planned release of
stretch") to mean that propagation from sid to stretch is not possible
anymore (except for critical fixes). However, now that I am in a position
of wanting to get something into the 1st point release I am wondering
whether that is true (and I need to prepare an additional upload for
proposed-updates) or whether propagation from sid to stretch r1 is
possible.

cu Andreas

PS: (Just for completeness' sake: This mail was triggered by Gnutls
CVE-2017-7507.)
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#864083: unblock: libgcrypt20/1.7.6-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libgcrypt20, the upload features the following changes: * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped. * Pull two fixes from gcrypt 1.7.7 bugfix release: + 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch Fix possible timing attack on EdDSA session key. + 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch Fix long standing bug in secure memory implementation which could lead to a segv on free. unblock libgcrypt20/1.7.6-2 Thanks, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru libgcrypt20-1.7.6/debian/changelog libgcrypt20-1.7.6/debian/changelog --- libgcrypt20-1.7.6/debian/changelog 2017-01-26 11:58:32.0 +0100 +++ libgcrypt20-1.7.6/debian/changelog 2017-06-03 10:58:36.0 +0200 
@@ -1,3 +1,15 @@ +libgcrypt20 (1.7.6-2) unstable; urgency=high + + * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped. + * Pull two fixes from gcrypt 1.7.7 bugfix release: ++ 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch + Fix possible timing attack on EdDSA session key. ++ 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch + Fix long standing bug in secure memory implementation which could lead + to a segv on free. + + -- Andreas Metzler <ametz...@debian.org> Sat, 03 Jun 2017 10:58:36 +0200 + libgcrypt20 (1.7.6-1) unstable; urgency=medium * New upstream version, includes diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch --- libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch 1970-01-01 01:00:00.0 +0100 +++ libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch 2017-06-03 10:53:37.0 +0200 
@@ -0,0 +1,35 @@ +From f9494b3f258e01b6af8bd3941ce436bcc00afc56 Mon Sep 17 00:00:00 2001 +From: Jo Van Bulck <jo.vanbu...@cs.kuleuven.be> +Date: Thu, 19 Jan 2017 17:00:15 +0100 +Subject: [PATCH 1/2] ecc: Store EdDSA session key in secure memory. + +* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate +session key. +-- + +An attacker who learns the EdDSA session key from side-channel +observation during the signing process, can easily revover the long- +term secret key. Storing the session key in secure memory ensures that +constant time point operations are used in the MPI library. + +Signed-off-by: Jo Van Bulck <jo.vanbu...@cs.kuleuven.be> +--- + cipher/ecc-eddsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c +index f91f8489..813e030d 100644 +--- a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c +@@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey, + a = mpi_snew (0); + x = mpi_new (0); + y = mpi_new (0); +- r = mpi_new (0); ++ r = mpi_snew (0); + ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0, + skey->E.p, skey->E.a, skey->E.b); + b = (ctx->nbits+7)/8; +-- +2.11.0 + diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch --- libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch 1970-01-01 01:00:00.0 +0100 +++ libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch 2017-06-03 10:53:37.0 +0200 
@@ -0,0 +1,69 @@ +From 91456759b887e153c4d4ce19538d478df260cab2 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gni...@fsij.org> +Date: Fri, 2 Jun 2017 10:34:42 +0900 +Subject: [PATCH 2/2] secmem: Fix SEGV and stat calculation. + +* src/secmem (init_pool): Care about the header size. +(_gcry_secmem_malloc_internal): Likewise. +(_gcry_secmem_malloc_internal): Use mb->size for stats. + +-- + +GnuPG-bug-id: 3027 +Signed-off-by: NIIBE Yutaka <gni...@fsij.org> +--- + src/secmem.c | 10 +- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/secmem.c b/src/secmem.c +index 46bbf82e..b2a9667d 100644 +--- a/src/secmem.c b/src/secmem.c +@@ -454,7 +454,7 @@ init_pool (pooldesc_t *pool, size_t n) + + /* Initialize first memory block. */ + mb = (memblock_t *) pool->mem; +- mb->size = pool->size; ++ mb->size = pool->size - BLOCK_HEAD_SIZE; + mb->flags = 0; + } + +@@ -610,7 +610,7 @@ _gcry_secmem_malloc_internal (size_t size, int xhint) + mb = mb_get_new (pool, (memblock_t *) pool->mem, size); + if (mb) + { +-
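Review bot: the changelog line "Fix possible timing attack on EdDSA session key" undersells what the ecc-eddsa hunk's own description states, namely that a side-channel observation of the session key r recovers the long-term secret key; switching r from mpi_new() to mpi_snew() is what routes the point operations through the constant-time path, so the changelog could say so. For the secmem patch only the init_pool() change (mb->size = pool->size - BLOCK_HEAD_SIZE) is visible: the quoted debdiff breaks off inside the _gcry_secmem_malloc_internal hunk, so the second header-size fix and the "use mb->size for stats" change named in the commit message cannot be reviewed from this mail; please attach the complete diff.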
Bug#856872: jessie-pu: package gnutls28/3.3.8-6+deb8u5
On 2017-04-27 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> On Mon, 2017-03-06 at 19:24 +0100, Andreas Metzler wrote:
[...]
>> upstream has now released 3.5.10/3.3.27 including these fixes and
>> another one on top:
>> + 55_16_Enforce-the-max-packet-length-for-OpenPGP-subpackets.patch
>>   Addressed large allocation in OpenPGP certificate parsing, that could
>>   lead in out-of-memory condition. Issue found using oss-fuzz project, and
>>   was fixed by Alex Gaynor:
>>   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392
>>   [GNUTLS-SA-2017-3C]
>>
>> Updated diff for jessie attached.

> Please go ahead; thanks.

Thanks, uploaded with the new CVE number mentioned in changelog.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#856872: jessie-pu: package gnutls28/3.3.8-6+deb8u5
On 2017-04-23 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> On Sun, 2017-03-05 at 19:08 +0100, Andreas Metzler wrote:
>> I would like to fix a number of minor issues in GnuTLS.

> Apologies for the delay in getting back to you.

> Are all of the issues listed below already resolved in unstable?

>> Most of these (notably CVE-2017-533[4567]) are related to the PGP
>> support, security does not intend to issue a DSA:
>>
>> + 55_00_pkcs12-fixed-the-calculation-of-p_size.patch
>>   Fixed issue in PKCS#12 password encoding, which truncated
>>   passwords over 32-characters. Reported by Mario Klebsch. [1]
[...]

Hello Adam,

Yes, all of these are fixed in 3.5.8-5, which is also in testing.

cu Andreas

[1] Could not quickly find a commit on the 3.5 branch for this specific
issue but have verified that it does not apply to 3.5.8. I guess it never
applied to 3.5.x.
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#857460: unblock: exim4/4.89-1
On 2017-03-11 Andreas Metzler <ametz...@bebt.de> wrote:
[...]
> unblock exim4/4.89-1
> unblock eximdoc4/4.89-1

Ping?
Bug#857292: unblock: hugin/2016.2.0+dfsg-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package hugin, this fixes two issues: * #822062, #855505: When a custom temp directory was sent in the preferences the hugin assistant failed when aligning pictures. * Bumped version number. The tarball is *binary* *identical* with rc2. thanks, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru hugin-2016.2.0~rc2+dfsg/debian/changelog hugin-2016.2.0+dfsg/debian/changelog --- hugin-2016.2.0~rc2+dfsg/debian/changelog 2016-09-11 13:40:11.0 +0200 +++ hugin-2016.2.0+dfsg/debian/changelog 2017-02-26 08:23:23.0 +0100 @@ -1,3 +1,14 @@ +hugin (2016.2.0+dfsg-1) unstable; urgency=medium + + * rc2 released as 2016.2.0. + * Fix assissant align error with custom temporary directory +50_67c64f0ca1c4_Fixes_a_type_of_format_string.diff + error. +51_401823447b21_Fixes_running_assistant_with_user_defined_temp_directory.diff +Closes: #822062, #855505 + + -- Andreas Metzler <ametz...@debian.org> Sun, 26 Feb 2017 08:23:23 +0100 + hugin (2016.2.0~rc2+dfsg-2) unstable; urgency=medium * Upload to unstable. diff -Nru hugin-2016.2.0~rc2+dfsg/debian/patches/50_67c64f0ca1c4_Fixes_a_type_of_format_string.diff hugin-2016.2.0+dfsg/debian/patches/50_67c64f0ca1c4_Fixes_a_type_of_format_string.diff --- hugin-2016.2.0~rc2+dfsg/debian/patches/50_67c64f0ca1c4_Fixes_a_type_of_format_string.diff 1970-01-01 01:00:00.0 +0100 +++ hugin-2016.2.0+dfsg/debian/patches/50_67c64f0ca1c4_Fixes_a_type_of_format_string.diff 2016-12-18 15:05:14.0 +0100 
@@ -0,0 +1,20 @@ +# HG changeset patch +# User tmodes +# Date 1474121697 -7200 +# Sat Sep 17 16:14:57 2016 +0200 +# Node ID 67c64f0ca1c45c991efa7b11e457cc5bc2c945c0 +# Parent 91b78c0c991f60744d71c9a4bd434c46cba4b444 +Fixes a type of format string + +diff -r 91b78c0c991f -r 67c64f0ca1c4 src/hugin1/hugin/MainFrame.cpp +--- a/src/hugin1/hugin/MainFrame.cpp Sat Sep 17 16:14:24 2016 +0200 b/src/hugin1/hugin/MainFrame.cpp Sat Sep 17 16:14:57 2016 +0200 +@@ -2162,7 +2162,7 @@ + unsigned i2 = *(comps[1].begin()); + ShowCtrlPointEditor( i1, i2); + // display message box with +-wxMessageBox(wxString::Format(_("Warning %d unconnected image groups found:"), comps.size()) + Components2Str(comps) + wxT("\n") ++wxMessageBox(wxString::Format(_("Warning %d unconnected image groups found:"), static_cast(comps.size())) + Components2Str(comps) + wxT("\n") + + _("Please create control points between unconnected images using the Control Points tab in the panorama editor.\n\nAfter adding the points, press the \"Align\" button again"),_("Error"), wxOK , mainWin); + return; + }; diff -Nru hugin-2016.2.0~rc2+dfsg/debian/patches/51_401823447b21_Fixes_running_assistant_with_user_defined_temp_directory.diff hugin-2016.2.0+dfsg/debian/patches/51_401823447b21_Fixes_running_assistant_with_user_defined_temp_directory.diff --- hugin-2016.2.0~rc2+dfsg/debian/patches/51_401823447b21_Fixes_running_assistant_with_user_defined_temp_directory.diff 1970-01-01 01:00:00.0 +0100 +++ hugin-2016.2.0+dfsg/debian/patches/51_401823447b21_Fixes_running_assistant_with_user_defined_temp_directory.diff 2017-02-26 08:05:34.0 +0100 
@@ -0,0 +1,20 @@ +# HG changeset patch +# User tmodes +# Date 1488046377 -3600 +# Sat Feb 25 19:12:57 2017 +0100 +# Node ID 401823447b218b6d4778664fb6496deea6b03936 +# Parent 0fec458e26560958d657d14fd9a7a99b7f5c6c10 +Fixes running assistant with user defined temp directory [1666030] + +--- a/src/hugin1/base_wx/MyExternalCmdExecDialog.cpp b/src/hugin1/base_wx/MyExternalCmdExecDialog.cpp +@@ -255,6 +255,9 @@ int MyExecPanel::ExecQueue(HuginQueue::C + #if wxCHECK_VERSION(3,0,0) + wxConfigBase* config = wxConfigBase::Get(); + const long threads = config->Read(wxT("/output/NumberOfThreads"), 0l); ++// read all current environment variables ++wxGetEnvMap(_executeEnv.env); ++// now modify some variables before passing them to wxExecute + if (threads > 0) + { + wxString s; diff -Nru hugin-2016.2.0~rc2+dfsg/debian/patches/series hugin-2016.2.0+dfsg/debian/patches/series --- hugin-2016.2.0~rc2+dfsg/debian/patches/series 2016-07-16 07:03:27.0 +0200 +++ hugin-2016.2.0+dfsg/debian/patches/series 2017-02-26 08:00:14.0 +0100 @@ -1 +1,3 @@ 43_fallbackhelp.patch +50_67c64f0ca1c4_Fixes_a_type_of_format_string.diff +51_401823447b21_Fixes_running_assistant_with_user_defined_temp_directory.diff signature.asc Description: PGP signature
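Review bot: in patch 50 the replacement line reads static_cast(comps.size()) with no template argument, which is not valid C++; the upstream changeset presumably casts to a type matching the %d conversion, and the angle brackets look stripped by the mail rendering, so check that the patch file in the upload is intact and builds. The "diff -r" header of the same patch also runs the --- and b/ lines together, which points to the same rendering problem. In patch 51, the new wxGetEnvMap(_executeEnv.env) call, per its own comments, copies the current environment into the map before individual variables are modified and handed to wxExecute; that matches the symptom of the assistant failing only when a user-defined temp directory is configured. The hunk ends without its trailing context, so confirm the full file carries the closing lines.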
Bug#856872: jessie-pu: package gnutls28/3.3.8-6+deb8u5
On 2017-03-05 Andreas Metzler <ametz...@bebt.de> wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu

> Hello,

> I would like to fix a number of minor issues in GnuTLS.

> Most of these (notably CVE-2017-533[4567]) are related to the PGP
> support, security does not intend to issue a DSA:
[...]

Hello,

upstream has now released 3.5.10/3.3.27 including these fixes and
another one on top:
+ 55_16_Enforce-the-max-packet-length-for-OpenPGP-subpackets.patch
  Addressed large allocation in OpenPGP certificate parsing, that could
  lead in out-of-memory condition. Issue found using oss-fuzz project, and
  was fixed by Alex Gaynor:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392
  [GNUTLS-SA-2017-3C]

Updated diff for jessie attached.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog --- gnutls28-3.3.8/debian/changelog 2016-11-01 10:07:52.0 +0100 +++ gnutls28-3.3.8/debian/changelog 2017-03-06 19:13:23.0 +0100
@@ -1,3 +1,62 @@ +gnutls28 (3.3.8-6+deb8u5) jessie; urgency=medium + + * Pull multiple fixes from gnutls_3_3_x branch: ++ 55_00_pkcs12-fixed-the-calculation-of-p_size.patch + Fixed issue in PKCS#12 password encoding, which truncated + passwords over 32-characters. Reported by Mario Klebsch. ++ 55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch + Fix double free in certificate information printing. If the PKIX + extension proxy was set with a policy language set but no policy + specified, that could lead to a double free. [GNUTLS-SA-2017-1] + CVE-2017-5334 ++ 55_02_auth-rsa-eliminated-memory-leak-on-pkcs-1-formatting.patch + Addressed memory leak in server side error path (issue found using + oss-fuzz project) ++ 55_03_opencdk-Fixes-to-prevent-undefined-behavior-found-wi.patch + 55_04_Do-not-infinite-loop-if-an-EOF-occurs-while-skipping.patch + 55_05_Attempt-to-fix-a-leak-in-OpenPGP-cert-parsing.patch + 55_06_Corrected-a-leak-in-OpenPGP-sub-packet-parsing.patch + 55_07_opencdk-read_attribute-added-more-precise-checks-whe.patch + 55_08_opencdk-cdk_pk_get_keyid-fix-stack-overflow.patch + 55_09_opencdk-added-error-checking-in-the-stream-reading-f.patch + 55_10_opencdk-improved-error-code-checking-in-the-stream-r.patch + 55_11_opencdk-read-packet.c-corrected-typo-in-type-cast.patch + Addressed memory leaks and an infinite loop in OpenPGP certificate + parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project) + Addressed invalid memory accesses in OpenPGP certificate parsing. + (issues found using oss-fuzz project) [GNUTLS-SA-2017-2] + CVE-2017-5335 / CVE-2017-5336 / CVE-2017-5337 ++ 55_12_gnutls_pkcs11_obj_list_import_url2-Always-return-an-.patch + When returning success, but no elements, + gnutls_pkcs11_obj_list_import_url4, could have returned zero number of + elements with a pointer that was uninitialized. Ensure that an + initialized (i.e., null in that case), pointer is always returned. 
++ 55_13_cdk_pkt_read-enforce-packet-limits.patch Addressed integer + overflow resulting to invalid memory write in OpenPGP certificate + parsing. Issue found using oss-fuzz project: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 + [GNUTLS-SA-2017-3A] ++ 55_14_opencdk-read_attribute-account-buffer-size.patch Addressed read + of 1 byte past the end of buffer in OpenPGP certificate parsing. Issue + found using oss-fuzz project: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391 + (This patch is from gnutls_3_5_x branch.) ++ 55_15_opencdk-do-not-parse-any-secret-keys-in-packet-when-.patch + Addressed crashes in OpenPGP certificate parsing, related to private key + parser. No longer allow OpenPGP certificates (public keys) to contain + private key sub-packets. Issue found using oss-fuzz project: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 + [GNUTLS-SA-2017-3B] ++ 55_16_Enforce-the-max-packet-length-for-OpenPGP-subpackets.patch + Addressed large allocation in OpenPGP certificate parsing, that could + lead in out-of-memory condition. Issue found using oss-fuzz project, and + was fixed by Alex Gaynor: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 + [GNUTLS-SA-2017-3C] + + -- Andreas Metzler <ametz...@debian.org> Mon, 06 Mar 2017 19:13:20 +0100 + gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium [ Salvatore Bonaccorso ] diff -Nru gnutls28-3.3.8/debian/patches/55_00_pkcs12-fixed-the-calculatio
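Review bot: the changelog text for 55_12 talks about gnutls_pkcs11_obj_list_import_url4 while the patch file is named after gnutls_pkcs11_obj_list_import_url2; one of the two is wrong for the 3.3.x branch, so please make the changelog match the function the patch actually touches. The debdiff quoted in this mail is cut off right after the changelog (mid-filename of 55_00_pkcs12-fixed-the-calculation-of-p_size.patch), so none of the 55_00 to 55_16 patch bodies can be reviewed from here; the entries for 55_13 and 55_14 also run the patch name and its description onto one line, which reads as a formatting slip in debian/changelog.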
Bug#856872: jessie-pu: package gnutls28/3.3.8-6+deb8u5
project) + Addressed invalid memory accesses in OpenPGP certificate parsing. + (issues found using oss-fuzz project) [GNUTLS-SA-2017-2] + CVE-2017-5335 / CVE-2017-5336 / CVE-2017-5337 ++ 55_12_gnutls_pkcs11_obj_list_import_url2-Always-return-an-.patch + When returning success, but no elements, + gnutls_pkcs11_obj_list_import_url4, could have returned zero number of + elements with a pointer that was uninitialized. Ensure that an + initialized (i.e., null in that case), pointer is always returned. ++ 55_13_cdk_pkt_read-enforce-packet-limits.patch Addressed integer + overflow resulting to invalid memory write in OpenPGP certificate + parsing. Issue found using oss-fuzz project: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 + [GNUTLS-SA-2017-3A] ++ 55_14_opencdk-read_attribute-account-buffer-size.patch Addressed read + of 1 byte past the end of buffer in OpenPGP certificate parsing. Issue + found using oss-fuzz project: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391 + (This patch is from gnutls_3_5_x branch.) ++ 55_15_opencdk-do-not-parse-any-secret-keys-in-packet-when-.patch + Addressed crashes in OpenPGP certificate parsing, related to private key + parser. No longer allow OpenPGP certificates (public keys) to contain + private key sub-packets. 
Issue found using oss-fuzz project: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 + [GNUTLS-SA-2017-3B] + + -- Andreas Metzler <ametz...@debian.org> Sun, 05 Mar 2017 18:18:03 +0100 + gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium [ Salvatore Bonaccorso ] diff -Nru gnutls28-3.3.8/debian/patches/55_00_pkcs12-fixed-the-calculation-of-p_size.patch gnutls28-3.3.8/debian/patches/55_00_pkcs12-fixed-the-calculation-of-p_size.patch --- gnutls28-3.3.8/debian/patches/55_00_pkcs12-fixed-the-calculation-of-p_size.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.3.8/debian/patches/55_00_pkcs12-fixed-the-calculation-of-p_size.patch 2017-03-05 08:29:46.0 +0100 
@@ -0,0 +1,26 @@ +From 3979cbcb425b4088c822b0a75c78f5f1eef32291 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Mon, 28 Nov 2016 11:47:40 +0100 +Subject: [PATCH] pkcs12: fixed the calculation of p_size + +That affects passwords which exceed 32 characters. +--- + lib/x509/pkcs12_encr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c +index 85cd3f228..d8fd49f82 100644 +--- a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c +@@ -105,7 +105,7 @@ _gnutls_pkcs12_string_to_key(const mac_entry_st * me, + } + + /* Store salt and password in BUF_I */ +- p_size = ((pwlen / 64) * 64) + 64; ++ p_size = (((2*pwlen) / 64) * 64) + 64; + + if (p_size > sizeof(buf_i) - 64) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); +-- +2.11.0 + diff -Nru gnutls28-3.3.8/debian/patches/55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch gnutls28-3.3.8/debian/patches/55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch --- gnutls28-3.3.8/debian/patches/55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.3.8/debian/patches/55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch 2017-03-05 08:29:46.0 +0100 
@@ -0,0 +1,76 @@ +From bbfd47d4bb6935b3eddae227deb9f340e2c1a69d Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Thu, 15 Dec 2016 15:02:18 +0100 +Subject: [PATCH] gnutls_x509_ext_import_proxy: fix issue reading the policy + language + +If the language was set but the policy wasn't, that could lead to +a double free, as the value returned to the user was freed. +--- + lib/x509/x509_ext.c | 22 +++--- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c +index f974b0279..ed0ad1d14 100644 +--- a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c +@@ -1414,7 +1414,8 @@ int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen, + { + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; +- gnutls_datum_t value = { NULL, 0 }; ++ gnutls_datum_t value1 = { NULL, 0 }; ++ gnutls_datum_t value2 = { NULL, 0 }; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ProxyCertInfo", +@@ -1444,20 +1445,18 @@ int gnutls_x509_ext_import_proxy(const gnutls_datum_t * ext, int *pathlen, + } + + result = _gnutls_x509_read_value(c2, "proxyPolicy.policyLanguage", +- ); ++ ); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (policyLanguage) { +- *policyLanguage = (char *)value.data; +- } else { +- gnutls_free(value.data); +- value.data = NULL; ++ *policyLanguage = (char *)value1.data; ++ value1.data = NULL;
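Review bot: for the pkcs12_encr.c hunk the old formula sized BUF_I from pwlen bytes, but PKCS#12 (RFC 7292) stores the password as a BMPString of two bytes per character, so rounding 2*pwlen up to the next multiple of 64 is the correct bound; the unchanged check against sizeof(buf_i) - 64 that follows then rejects an over-long password instead of silently truncating it, which is the behaviour the changelog describes. For the x509_ext.c hunk the quoted patch stops after "value1.data = NULL;", so the cleanup path that releases value1/value2 on error and the policy branch that uses value2 are not visible here, and the "&value"/"&value1" arguments of _gnutls_x509_read_value show up as empty in this rendering; both should be checked in the uploaded patch file rather than in this mail.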
Bug#849967: jessie-pu: package exim4/4.84.2-2+deb8u3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I (and Heiko from exim upstream) would like to fix #845569 in jessie.
sid/testing already include the fix, it was part of 4.88~RC6.

The issue is a memleak in the GnuTLS code, the patch is a two line
change. Heiko has provided a very nice writeup in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845569#20

thanks,
cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru exim4-4.84.2/debian/changelog exim4-4.84.2/debian/changelog --- exim4-4.84.2/debian/changelog 2016-12-22 12:17:01.0 +0100 +++ exim4-4.84.2/debian/changelog 2017-01-02 19:42:06.0 +0100 @@ -1,3 +1,11 @@ +exim4 (4.84.2-2+deb8u3) jessie; urgency=medium + + * 94_Fix-memory-leak-on-Gnu-TLS-close.patch from upstream exim-4_84_2+fixes +branch: Fix GnuTLS memory leak. (Thanks, Heiko Schlittermann!) +Closes: #845569 + + -- Andreas Metzler <ametz...@debian.org> Mon, 02 Jan 2017 19:18:05 +0100 + exim4 (4.84.2-2+deb8u2) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch --- exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.84.2/debian/patches/94_Fix-memory-leak-on-Gnu-TLS-close.patch 2016-12-31 17:46:00.0 +0100
@@ -0,0 +1,52 @@ +From 867e8fe25dbfb1e31493488ad695bde55b890397 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <h...@schlittermann.de> +Date: Wed, 23 Nov 2016 12:02:26 +0100 +Subject: [PATCH] Fix memory leak on (Gnu)TLS close. + +This leak doesn't show up under normal operation, as the process +normally dies right after closing the session. + +But during callout repetitive TLS sessions are opened and closed from +the same process (the process receiving the message). Depending on +the amount of RAM and the number of callouts the same process does, +this may be a problem. (On an amd64 machine with 4GB RAM, at about 1000 +recipients the memory is exhausted.) + +(cherry picked from commit ed62aae3051c9a713d35c8ae516fbd193d1401ba) +--- + src/tls-gnu.c | 5 + + 1 file changed, 5 insertions(+) + +diff --git a/src/tls-gnu.c b/src/tls-gnu.c +index 61ed0e81..670f8cbc 100644 +--- a/src/tls-gnu.c b/src/tls-gnu.c +@@ -1729,6 +1729,7 @@ if (rc != GNUTLS_E_SUCCESS) + + if (!sigalrm_seen) + { ++gnutls_certificate_free_credentials(state->x509_cred); + (void)fclose(smtp_out); + (void)fclose(smtp_in); + } +@@ -2014,6 +2015,8 @@ if (shutdown) + } + + gnutls_deinit(state->session); ++gnutls_certificate_free_credentials(state->x509_cred); ++ + + state->tlsp->active = -1; + memcpy(state, _gnutls_state_init, sizeof(exim_gnutls_state_init)); +@@ -2074,6 +2077,8 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm) + receive_smtp_buffered = smtp_buffered; + + gnutls_deinit(state->session); ++gnutls_certificate_free_credentials(state->x509_cred); ++ + state->session = NULL; + state->tlsp->active = -1; + state->tlsp->bits = 0; +-- +2.11.0 + diff -Nru exim4-4.84.2/debian/patches/series exim4-4.84.2/debian/patches/series --- exim4-4.84.2/debian/patches/series 2016-12-22 12:17:01.0 +0100 +++ exim4-4.84.2/debian/patches/series 2016-12-31 17:45:15.0 +0100 
@@ -23,3 +23,4 @@ 91_Expansions-Fix-crash-in-crypteq-On-OpenBSD-a-bad-sec.patch 92_CVE-2016-1238.diff 93_CVE-2016-9963-Fix-DKIM-information-leakage.patch +94_Fix-memory-leak-on-Gnu-TLS-close.patch signature.asc Description: PGP signature
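Review bot: in the third tls-gnu.c hunk (around line 2074) the credentials are freed and state->session is set to NULL afterwards, but state->x509_cred is left pointing at freed memory; the second hunk is covered by the memcpy from the exim_gnutls_state_init template that follows it, and the first frees inside the !sigalrm_seen branch before the fclose() calls, but the 2074 path gives a later close of the same state a double free. Suggest adding "state->x509_cred = NULL;" right after the new gnutls_certificate_free_credentials(state->x509_cred); call there. The extra blank "+" line added after the free in the second and third hunks is whitespace only and could be dropped to keep the cherry-pick minimal.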
Bug#849436: unblock: exim4/4.88~RC6-2
d5160d1c609170bdf2 d65072ddeb66cc7ad6950e23e0ea5d2ea76f9015+} Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package exim4-dev: lines which differ (wdiff format) - Version: [-4.88~RC6-1-] {+4.88~RC6-2+} Control files of package eximon4: lines which differ (wdiff format) --- Version: [-4.88~RC6-1-] {+4.88~RC6-2+} diff -Nru exim4-4.88~RC6/debian/changelog exim4-4.88~RC6/debian/changelog --- exim4-4.88~RC6/debian/changelog 2016-12-08 07:19:18.0 +0100 +++ exim4-4.88~RC6/debian/changelog 2016-12-22 16:50:21.0 +0100 @@ -1,3 +1,15 @@ +exim4 (4.88~RC6-2) unstable; urgency=high + + * Add macro IGNORE_SMTP_LINE_LENGTH_LIMIT to allow disabling the SMTP DATA +physical line limit check for both for SMTP DATA ACL and remote_smtp* +transports. Closes: #828801 +Also update corresponding NEWS entry. + * [lintian] debian/changelog: s/lenght/length/ + * Pull 75_Fix-DKIM-information-leakage.patch from upstream GIT, fixing DKIM +information leakage issue CVE-2016-9963. + + -- Andreas Metzler <ametz...@debian.org> Thu, 22 Dec 2016 16:50:21 +0100 + exim4 (4.88~RC6-1) unstable; urgency=low * New upstream version. @@ -109,7 +121,7 @@ expansion. https://bugs.exim.org/show_bug.cgi?id=165 * Copy information message on rejecting overlong lines in data ACL from upstream example configuration. Closes: #823418 - * Add NEWS entry on line-lenght-limit introduced in 4.87~RC1-1. + * Add NEWS entry on line-length-limit introduced in 4.87~RC1-1. Closes: 821830 -- Andreas Metzler <ametz...@debian.org> Sun, 08 May 2016 14:03:10 +0200 
@@ -3805,7 +3817,7 @@ - Supports CRL (Certificate Revocation List) (Closes: #229063) - exim_dbmbuild does not crash on _very_ long RHS values. (Closes: #231597) -- route_list does not use a fixed lenght buffer anymore. (Closes: #231979) +- route_list does not use a fixed length buffer anymore. (Closes: #231979) - An empty tls_verify_certificates file is correctly interpreted as empty list instead of breaking TLS. (Closes: #236478) * Korean translation of debconf templates by Changwoo Ryu (Closes: #241499) diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data --- exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data 2016-09-25 14:46:29.0 +0200 +++ exim4-4.88~RC6/debian/debconf/conf.d/acl/40_exim4-config_check_data 2016-12-18 13:59:15.0 +0100 @@ -11,9 +11,11 @@ # Deny if the message contains an overlong line. Per the standards # we should never receive one such via SMTP. # + .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT denymessage= maximum allowed line length is 998 octets, \ got $max_received_linelength condition = ${if > {$max_received_linelength}{998}} + .endif # Deny unless the address list headers are syntactically correct. # diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp --- exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp 2016-09-25 14:46:29.0 +0200 +++ exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp 2016-12-18 13:59:52.0 +0100 
@@ -9,7 +9,9 @@ remote_smtp: debug_print = "T: remote_smtp for $local_part@$domain" driver = smtp +.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} +.endif .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS .endif diff -Nru exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost --- exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2016-09-25 14:46:29.0 +0200 +++ exim4-4.88~RC6/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2016-12-18 14:00:13.0 +0100 @@ -12,7 +12,9 @@ remote_smtp_smarthost: debug_print = "T: remote_smtp_smarthost for $local_part@$domain" driver = smtp +.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} +.endif hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \ {\ ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\ diff -Nru exim4-4.88~RC6/debian/NEWS exim4-4.88~RC6/debian/NEWS --- exim4-4.88~RC6/debian/NEWS 2016-09-25 14:46:29.0 +0200 +++ exim4-4.88~RC6/debian/NEWS 2016-12-18 14:04:32.0 +0100 @@ -1,9 +1,11 @@ exim4 (4.87-3) unstable; urgency=medium - Starting with 4.87~RC1-1 exim will not accept messages with physical lines - long
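Review bot: the new changelog entry reads "for both for SMTP DATA ACL and remote_smtp* transports"; drop the duplicated word so it reads "for both the SMTP DATA ACL and the remote_smtp* transports". The same upload could also touch up the context line "Closes: 821830" in the second changelog hunk, which is missing the "#" that the other Closes lines carry.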
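Review bot: in the 40_exim4-config_check_data hunk the `.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT` / `.endif` pair encloses the whole deny verb, so defining the macro does not relax the 998-octet limit, it removes the acceptance-time check completely and lets a message with an overlong line into the queue; the NEWS entry the changelog refers to should say exactly that, and that the only remaining guard is then the message_size_limit trick in the remote_smtp* transports, which the same macro also disables. A macro that carries the limit value (defaulting to 998) would let a site relax the limit without switching the check off.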
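Review bot: 30_exim4-config_remote_smtp and 30_exim4-config_remote_smtp_smarthost now each carry an identical guarded `message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}` line. The 1-octet limit is a deliberate way of making the transport refuse a message that contains an overlong line, while the `{0}` branch leaves the transport without a size limit; neither reading is obvious from the config file, so a one-line comment above each would help the next maintainer. Keeping the expression in one macro shared by both transports would also stop the two copies drifting apart, as shown by the `.ifndef` guard having to be added twice here.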
Bug#849329: unblock: gnutls28/3.5.7-3
libgnutls-dane0: lines which differ (wdiff format) --- Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.14), libunbound2 (>= 1.4.1) Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls-dane0-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-4942f0c0688463070e6410365999f7a60d5bde23-] {+c1ead7f61001838e6d88ff1cd74ac74e22c469f4+} Depends: libgnutls-dane0 (= [-3.5.7-2)-] {+3.5.7-3)+} Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls-openssl27: lines which differ (wdiff format) --- Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.14) Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls-openssl27-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-9d6f39cb57ee78768fb728e590d19669272f0816-] {+c5ed28d817ac7aaf9d6a0aa028f34f13e57f7a45+} Depends: libgnutls-openssl27 (= [-3.5.7-2)-] {+3.5.7-3)+} Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls28-dev: lines which differ (wdiff format) --- Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutls-openssl27 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutlsxx28 (= [-3.5.7-2),-] {+3.5.7-3),+} libgnutls-dane0 (= [-3.5.7-2),-] {+3.5.7-3),+} nettle-dev, libc6-dev | libc-dev, zlib1g-dev, libtasn1-6-dev, libp11-kit-dev, libidn11-dev (>= 1.31) Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls30: lines which differ (wdiff format) --- Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutls30-dbgsym: lines which differ (wdiff format) -- Build-Ids: [-2549b7cc772d8fd074de0be00f0619db53bee1f1-] {+9addeb34b9f349ee50037cd28d46fc5c9112c6fe+} Depends: libgnutls30 (= [-3.5.7-2)-] {+3.5.7-3)+} Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutlsxx28: lines which differ (wdiff format) - Depends: libgnutls30 (= [-3.5.7-2),-] {+3.5.7-3),+} libc6 (>= 2.4), libgcc1 (>= 1:3.0), libstdc++6 (>= 5) Version: [-3.5.7-2-] {+3.5.7-3+} Control files of package libgnutlsxx28-dbgsym: lines which differ (wdiff 
format) Build-Ids: [-cdb980046cd934ff2b0fedb5235e56484dcfadcd-] {+0692627b5d607063eb71903a721233f5901066e9+} Depends: libgnutlsxx28 (= [-3.5.7-2)-] {+3.5.7-3)+} Version: [-3.5.7-2-] {+3.5.7-3+} diff -Nru gnutls28-3.5.7/debian/changelog gnutls28-3.5.7/debian/changelog --- gnutls28-3.5.7/debian/changelog 2016-12-09 18:10:53.0 +0100 +++ gnutls28-3.5.7/debian/changelog 2016-12-20 18:47:13.0 +0100 @@ -1,3 +1,14 @@ +gnutls28 (3.5.7-3) unstable; urgency=medium + + * 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch, +35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch from +upstream 3.5 branch: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned +by PKCS#8 decryption functions when an invalid key is provided. This +addresses regression on decrypting certain PKCS#8 keys. +Closes: #848905 + + -- Andreas Metzler <ametz...@debian.org> Tue, 20 Dec 2016 18:47:13 +0100 + gnutls28 (3.5.7-2) unstable; urgency=medium * Upload to unstable. diff -Nru gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch --- gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.5.7/debian/patches/35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch 2016-12-20 18:39:09.0 +0100 
@@ -0,0 +1,25 @@ +From e62aaf4bfaf1a4280db23d9729c2d7fa0fdf97e5 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Tue, 13 Dec 2016 11:27:38 +0100 +Subject: [PATCH 1/3] pkcs8: ensure that the correct error code is returned on + decryption failure + +--- + lib/x509/privkey_pkcs8.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c +index 74bb466c6..0094a83a5 100644 +--- a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c +@@ -711,6 +711,7 @@ static int pkcs8_key_decrypt(const gnutls_datum_t * raw_key, + _params, _params, ); + if (result < 0) { + gnutls_assert(); ++ result = GNUTLS_E_DECRYPTION_FAILED; + goto error; + } + +-- +2.11.0 + diff -Nru gnutls28-3.5.7/debian/patches/35_02_tests
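Review bot: the changelog hunk names the error code `GNUTLS_E_DECRYPTION_FAIL`, but the line the cherry-picked patch adds is `++ result = GNUTLS_E_DECRYPTION_FAILED;`; use the real identifier in the changelog so that a search for the constant finds this entry.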
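Review bot: in the 35_01 patch hunk, `++ result = GNUTLS_E_DECRYPTION_FAILED;` overwrites whatever negative code the decryption step returned, which gives callers of pkcs8_key_decrypt one predictable error for a wrong passphrase or a corrupt key (the point of the fix for #848905), but the original cause is lost; a debug log of the original `result` just before the assignment would keep it available for troubleshooting. The upstream subject line reads "[PATCH 1/3]" while the changelog pulls only 35_01 and 35_02; please confirm the third patch of the series is not needed for the regression fix.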
Bug#840191: jessie-pu: package gnutls28/3.3.8-6+deb8u4
On 2016-10-31 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> On Sun, 2016-10-30 at 07:46 +0100, Andreas Metzler wrote:
[...]
>> I think it makes sense to add the GnuTLS patch for compatibility with
>> CVE-2016-6489-patched nettle. (832983).

> jessie's nettle doesn't appear to have been updated for that issue, but
> I guess it still makes sense to include this for partial upgrades.

Thank you, uploaded.

The update for CVE-2016-6489 is currently being worked on and a fixed
gnutls version needs to be available before.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#840191: jessie-pu: package gnutls28/3.3.8-6+deb8u4
On 2016-10-09 Salvatore Bonaccorso <car...@debian.org> wrote:
[...]
> Hi Stable Release Managers,
> X-Debbugs-CC'ed Andreas Metzler.

> gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3,
> having a flaw in the OCSP certificate check. This was fixed upstream
> and included in unstable with 3.5.3-4 but would not warrant a DSA.

> Attached is proposed debdiff for jessie. Would it be acceptable for an
> upcoming point release?
[...]

I think it makes sense to add the GnuTLS patch for compatibility with
CVE-2016-6489-patched nettle. (832983).

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog --- gnutls28-3.3.8/debian/changelog 2015-08-14 18:29:51.0 +0200 +++ gnutls28-3.3.8/debian/changelog 2016-10-30 07:39:11.0 +0100
@@ -1,3 +1,16 @@ +gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium + + [ Salvatore Bonaccorso ] + * CVE-2016-7444: Incorrect certificate validation when using OCSP responses +(GNUTLS-SA-2016-3). See #840191. + + [ Andreas Metzler ] + * Cherry pick 53_nettle-use-rsa_-_key_prepare-on-key-import.patch +from upstream GIT, which should allow gnutls continue to work with +CVE-2016-6489-patched nettle. See #832983. + + -- Andreas Metzler <ametz...@debian.org> Sun, 30 Oct 2016 07:39:08 +0100 + gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch --- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 2016-10-30 07:01:40.0 +0100 
@@ -0,0 +1,24 @@ +From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@gnutls.org> +Date: Sat, 27 Aug 2016 17:00:22 +0200 +Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP + response + +Previously the OCSP certificate check wouldn't verify the serial length +and could succeed in cases it shouldn't. + +Reported by Stefan Buehler. +--- + lib/x509/ocsp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/x509/ocsp.c b/lib/x509/ocsp.c +@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r + gnutls_assert(); + goto cleanup; + } ++ cserial.size = t; + + if (rserial.size != cserial.size + || memcmp(cserial.data, rserial.data, rserial.size) != 0) { diff -Nru gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch --- gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.3.8/debian/patches/53_nettle-use-rsa_-_key_prepare-on-key-import.patch 2016-10-30 07:10:31.0 +0100 
@@ -0,0 +1,152 @@ +From 186dc9c2012003587a38d7f4d03edd8da5fe989f Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@gnutls.org> +Date: Sun, 7 Aug 2016 12:06:39 +0200 +Subject: [PATCH] nettle: use rsa_*_key_prepare on key import + +Previously we calculated the size of the key directly, but +by using the rsa_*_key_prepare we benefit from any checks that +may be introduced in the future. Specifically any checks for invalid +public keys (e.g., keys that may crash the underlying gmp functions). + +This patch avoids calling rsa_private_key_prepare every time we construct +a nettle private key struct, because this function requires a bigint +multiplication. We call that function once on private key import. +--- + lib/nettle/pk.c | 62 +++-- + 1 file changed, 52 insertions(+), 10 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 2fab308..b41ebfb 100644 +--- a/lib/nettle/pk.c b/lib/nettle/pk.c +@@ -98,18 +98,24 @@ _rsa_params_to_privkey(const gnutls_pk_params_st * pk_params, + memcpy(priv->c, pk_params->params[5], SIZEOF_MPZT); + memcpy(priv->a, pk_params->params[6], SIZEOF_MPZT); + memcpy(priv->b, pk_params->params[7], SIZEOF_MPZT); ++ /* we do not rsa_private_key_prepare() because it involves a multiplication. ++ * we call it once when we import the parameters */ + priv->size = + nettle_mpz_sizeinbase_256_u(TOMPZ + (pk_params->params[RSA_MODULUS])); + } + +-static void ++/* returns a negative value on invalid pubkey */ ++static int + _rsa_params_to_pubkey(const gnutls_pk_params_st * pk_params, + struct rsa_public_key *pub) + { + memcpy(p
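Review bot: grammar in the new changelog entry: "which should allow gnutls continue to work" should read "which should allow gnutls to continue to work". Since jessie's nettle has not been updated for CVE-2016-6489 (as noted in this bug) and the patch matters for partial upgrades, the entry would be clearer if it said that this is a forward-compatibility change rather than only "should".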
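Review bot: in 52_CVE-2016-7444 the single added line `++ cserial.size = t;` sits after the error check (`gnutls_assert(); goto cleanup;`) and before `if (rserial.size != cserial.size || memcmp(cserial.data, rserial.data, rserial.size) != 0)`, so the size comparison now uses the serial's actual length, and the memcmp over rserial.size is safe because both sizes are equal on that path. The patch touches lib/x509/ocsp.c only (`1 file changed, 1 insertion(+)`); a regression test with an OCSP response whose serial differs from the certificate's only in length would be worth carrying, since that is exactly the case the commit message says used to pass.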
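Review bot: in 53_nettle-use-rsa_-_key_prepare-on-key-import the signature of `_rsa_params_to_pubkey` changes from `static void` to `static int` with the comment "returns a negative value on invalid pubkey"; that only hardens anything if every caller checks the result, and the portion of the hunk visible here stops before the call sites, so check that each caller in lib/nettle/pk.c handles a negative return (the diffstat of 52 insertions and 10 deletions suggests they are updated further down). The new comment in `_rsa_params_to_privkey` says rsa_private_key_prepare is now called once at import time; that import-time call is likewise outside the visible part and should be confirmed.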
Bug#827111: jessie-pu: package exim4/4.84.2-2
On 2016-07-26 Salvatore Bonaccorso wrote:
> On Mon, Jul 25, 2016 at 08:50:47PM +0200, Salvatore Bonaccorso wrote:
>> On Mon, Jul 25, 2016 at 07:28:33PM +0100, Adam D. Barratt wrote:
>>> On Mon, 2016-07-25 at 20:14 +0200, Salvatore Bonaccorso wrote:
[...]
>>>> Since we claimed 4.84.2-2+deb8u1 in the DSA, would it help if we just
>>>> redo the update, push the packages? (without further announce, since
>>>> that was the claimed version)? Attached how that would look like with
>>>> debdiff against 4.84.2-2.
>>>
>>> If you're happy to do so, that looks good to me; thanks.
>>
>> I just have uploaded 4.84.2-2+deb8u1 and will dak install the builds.
>> Hope no user will complain.

> FTR, this has been done.

Thank you!
Bug#827111: jessie-pu: package exim4/4.84.2-2
On 2016-06-17 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + pending

> On Thu, 2016-06-16 at 18:38 +0200, Andreas Metzler wrote:
> > On 2016-06-12 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On Sun, 2016-06-12 at 14:06 +0200, Andreas Metzler wrote:
> > >> I would like to update exim4 in jessie with the following changes:
[...]
> Flagged for acceptance.

Hello,

now we have 4.84.2-1+deb8u1 in stable security, and 4.84.2-2 in spu
would overwrite it at the next stable release. How do I fix this
properly?

a) Redo 4.84.2-2 with 4.84.2-1+deb8u1 merged in
b) Release 4.84.2-3 with 4.84.2-1+deb8u1 merged in

TIA, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'