Bug#768537: unblock: myproxy/6.0-2

2014-11-09 Thread Mattias Ellert
Control: -1 tags - moreinfo
Control: -1 retitle unblock: myproxy/6.0-3

New version with Pre-Depends: 6.0/3

Mattias





Bug#768537: unblock: myproxy/6.0-2

2014-11-09 Thread Mattias Ellert
On Sat 2014-11-08 at 10:06 +0100, Mattias Ellert wrote:
> Closes: #768266 (Severity: serious; RC)
>
> In addition to fixing the above bug, the update also applies a patch to
> enable TLS. The previous package used SSLv3 only, which is no longer
> appropriate. Some of the tests in the test suite failed without the
> patch because Debian's openssl 1.0.1j-1 has disabled SSLv3. With the
> patch the test suite passes.

This test failure has since been reported as bug #768722

Unblocking this update will therefore also resolve that bug for the
release.

Mattias





Bug#768537: unblock: myproxy/6.0-2

2014-11-08 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Closes: #768266 (Severity: serious; RC)

In addition to fixing the above bug, the update also applies a patch to
enable TLS. The previous package used SSLv3 only, which is no longer
appropriate. Some of the tests in the test suite failed without the
patch because Debian's openssl 1.0.1j-1 has disabled SSLv3. With the
patch the test suite passes.

Mattias

diff -Nru myproxy-6.0/debian/changelog myproxy-6.0/debian/changelog
--- myproxy-6.0/debian/changelog	2014-09-27 17:27:12.0 +0200
+++ myproxy-6.0/debian/changelog	2014-11-08 06:41:39.0 +0100
@@ -1,3 +1,10 @@
+myproxy (6.0-2) unstable; urgency=medium
+
+  * Properly handle symlink-to-dir conversion in doc package (Closes: #768266)
+  * Enable TLS - debian's openssl has disabled SSLv3 by default
+
+ -- Mattias Ellert mattias.ell...@fysast.uu.se  Fri, 07 Nov 2014 23:51:15 +0100
+
 myproxy (6.0-1) unstable; urgency=medium
 
   * Update to 6.0, adapt to Globus Toolkit 6
diff -Nru myproxy-6.0/debian/libmyproxy-doc.postinst myproxy-6.0/debian/libmyproxy-doc.postinst
--- myproxy-6.0/debian/libmyproxy-doc.postinst	1970-01-01 01:00:00.0 +0100
+++ myproxy-6.0/debian/libmyproxy-doc.postinst	2014-11-07 23:49:50.0 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+/usr/share/doc/libmyproxy-doc \
+libmyproxy-dev 6.0-2~ \
+libmyproxy-doc -- $@
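Review bot: `$@` on the last line of the helper call is unquoted, so a maintainer-script argument containing whitespace or glob characters is re-split by the shell before dpkg-maintscript-helper sees it. Write `libmyproxy-doc -- "$@"` instead; the identical call in the postrm and preinst scripts needs the same change.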
diff -Nru myproxy-6.0/debian/libmyproxy-doc.postrm myproxy-6.0/debian/libmyproxy-doc.postrm
--- myproxy-6.0/debian/libmyproxy-doc.postrm	1970-01-01 01:00:00.0 +0100
+++ myproxy-6.0/debian/libmyproxy-doc.postrm	2014-11-07 23:49:50.0 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+/usr/share/doc/libmyproxy-doc \
+libmyproxy-dev 6.0-2~ \
+libmyproxy-doc -- $@
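Review bot: the symlink_to_dir call here is the same ten-line script as libmyproxy-doc.postinst and libmyproxy-doc.preinst, which leaves three hand-maintained copies of the path, the old target (libmyproxy-dev) and the version (6.0-2~) to keep in sync. A single symlink_to_dir line in debian/libmyproxy-doc.maintscript would let dh_installdeb generate the call for every maintainer script from one place.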
diff -Nru myproxy-6.0/debian/libmyproxy-doc.preinst myproxy-6.0/debian/libmyproxy-doc.preinst
--- myproxy-6.0/debian/libmyproxy-doc.preinst	1970-01-01 01:00:00.0 +0100
+++ myproxy-6.0/debian/libmyproxy-doc.preinst	2014-11-07 23:49:50.0 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+/usr/share/doc/libmyproxy-doc \
+libmyproxy-dev 6.0-2~ \
+libmyproxy-doc -- $@
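Review bot: the preinst calls dpkg-maintscript-helper symlink_to_dir before the package is unpacked, so the dpkg already on the system must support that command, yet nothing in this diff touches debian/control to add a Pre-Depends on dpkg. Add a Pre-Depends on a dpkg version that provides symlink_to_dir in the same upload as these scripts.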
diff -Nru myproxy-6.0/debian/patches/myproxy-tls.patch myproxy-6.0/debian/patches/myproxy-tls.patch
--- myproxy-6.0/debian/patches/myproxy-tls.patch	1970-01-01 01:00:00.0 +0100
+++ myproxy-6.0/debian/patches/myproxy-tls.patch	2014-11-08 06:12:14.0 +0100
@@ -0,0 +1,53 @@
+diff --git a/myproxy.c b/myproxy.c
+index 24e744f..9f2fb65 100644
+--- a/myproxy.c
 b/myproxy.c
+@@ -544,8 +544,9 @@ myproxy_bootstrap_trust(myproxy_socket_attrs_t *attrs)
+ }
+ 
+ /* get trust root(s) from the myproxy-server */
+-ctx = SSL_CTX_new(SSLv3_client_method());
+-SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
++ctx = SSL_CTX_new(SSLv23_client_method());
++SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 |
++			SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ 
+ if (!(sbio = BIO_new_ssl_connect(ctx))) goto error;
+ if ( (sockfd = get_connected_myproxy_host_socket(
+diff --git a/myproxy_ocsp.c b/myproxy_ocsp.c
+index 440f6ef..d39e1dc 100644
+--- a/myproxy_ocsp.c
 b/myproxy_ocsp.c
+@@ -311,11 +311,12 @@ int myproxy_ocsp_verify(X509 *cert, X509 *issuer) {
+ goto end;
+   }
+   X509_LOOKUP_add_dir(lookup, certdir, X509_FILETYPE_PEM);
+-  ctx = SSL_CTX_new(SSLv3_client_method());
++  ctx = SSL_CTX_new(SSLv23_client_method());
+   if (ctx == NULL) {
+ result = MYPROXY_OCSPRESULT_ERROR_OUTOFMEMORY;
+ goto end;
+   }
++  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+   SSL_CTX_set_cert_store(ctx, store);
+   SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
+ 
+diff --git a/ssl_utils.c b/ssl_utils.c
+index 0749e5b..4ff5aa5 100644
+--- a/ssl_utils.c
 b/ssl_utils.c
+@@ -2146,12 +2146,13 @@ ssl_verify_gsi_chain(SSL_CREDENTIALS *chain)
+X509_LOOKUP_add_dir(lookup, certdir, X509_FILETYPE_PEM);
+X509_STORE_CTX_init(csc, cert_store, chain-certificate, NULL);
+
+-   sslContext = SSL_CTX_new(SSLv3_server_method());
++   sslContext = SSL_CTX_new(SSLv23_server_method());
+if (sslContext == NULL) {
+   verror_put_string(Initializing SSL_CTX);
+   ssl_error_to_verror();
+   goto end;
+}
++   SSL_CTX_set_options(sslContext, SSL_OP_NO_SSLv2);
+ 
+SSL_CTX_set_purpose(sslContext, X509_PURPOSE_ANY);
+ 
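Review bot: all three SSL_CTX_set_options calls (myproxy.c, myproxy_ocsp.c, ssl_utils.c) mask only SSL_OP_NO_SSLv2, so with SSLv23_client_method() and SSLv23_server_method() the code itself still permits an SSLv3 handshake and depends on the linked OpenSSL build having SSLv3 switched off. Since the request describes SSLv3 as no longer appropriate, consider adding SSL_OP_NO_SSLv3 to each option mask so the restriction holds however libssl was built. In the myproxy.c hunk, ctx is also handed to SSL_CTX_set_options with no NULL check in the visible lines, unlike the other two files, which test the SSL_CTX_new result first.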
diff -Nru myproxy-6.0/debian/patches/series myproxy-6.0/debian/patches/series
--- myproxy-6.0/debian/patches/series	2014-09-27 18:31:26.0 +0200
+++ myproxy-6.0/debian/patches/series	2014-11-08 06:05:21.0 +0100
@@ -2,3 +2,5 @@
 myproxy-pathmax.patch
 # Missing depandencies
 myproxy-deps.patch
+# Enable TLS
+myproxy-tls.patch



Processed: Re: Bug#768537: unblock: myproxy/6.0-2

2014-11-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #768537 [release.debian.org] unblock: myproxy/6.0-2
Added tag(s) moreinfo.

-- 
768537: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768537
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/handler.s.b768537.141543859032492.transcr...@bugs.debian.org



Bug#768537: unblock: myproxy/6.0-2

2014-11-08 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2014-11-08 9:06, Mattias Ellert wrote:

> Closes: #768266 (Severity: serious; RC)
>
> In addition to fixing the above bug, the update also applies a patch to
> enable TLS. The previous package used SSLv3 only, which is no longer
> appropriate. Some of the tests in the test suite failed without the
> patch because Debian's openssl 1.0.1j-1 has disabled SSLv3. With the
> patch the test suite passes.


As with voms, this is missing a Pre-Depends: dpkg (= 1.17.5).

Regards,

Adam

