Bug#939526: buster-pu: package inn2/2.6.3-1+deb10u1

2019-10-12 Thread Julien Cristau
Control: tag -1 - moreinfo
Control: tag -1 + confirmed

On Sun, Oct 06, 2019 at 01:34:19AM +0200, Marco d'Itri wrote:
> Control: retitle -1 buster-pu: package inn2/2.6.3-1+deb10u2
> 
> Bug #931256 explains in detail why TLS is broken in inn2 in buster, due 
> to the policies of newer openssl versions.
> 
> As noticed by Adam D. Barratt, the original patch had a bug: it was 
> then solved by the upstream maintainer and the fix has been one month in 
> testing now.
> 
> 
> diff -Nru inn2-2.6.3/debian/changelog inn2-2.6.3/debian/changelog
> --- inn2-2.6.3/debian/changelog   2019-02-17 17:52:36.0 +0100
> +++ inn2-2.6.3/debian/changelog   2019-10-06 00:51:59.0 +0200
> @@ -1,3 +1,11 @@
> +inn2 (2.6.3-1+deb10u2) buster; urgency=medium
> +
> +  * Backported upstream changeset 10344 to fix negotiation of DHE
> +ciphersuites. (See #931256.)
> +  * Backported upstream changeset 10348 to fix upstream changeset 10344.
> +
> + -- Marco d'Itri   Sun, 06 Oct 2019 00:51:59 +0200
> +
>  inn2 (2.6.3-1) unstable; urgency=medium
>  
>* New upstream release.

Go ahead and upload, thanks.

Cheers,
Julien



Processed: Re: Bug#939526: buster-pu: package inn2/2.6.3-1+deb10u1

2019-10-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 - moreinfo
Bug #939526 [release.debian.org] buster-pu: package inn2/2.6.3-1+deb10u2
Removed tag(s) moreinfo.
> tag -1 + confirmed
Bug #939526 [release.debian.org] buster-pu: package inn2/2.6.3-1+deb10u2
Added tag(s) confirmed.

-- 
939526: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939526
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#939526: buster-pu: package inn2/2.6.3-1+deb10u1

2019-10-05 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 buster-pu: package inn2/2.6.3-1+deb10u2
Bug #939526 [release.debian.org] buster-pu: package inn2/2.6.3-1+deb10u1
Changed Bug title to 'buster-pu: package inn2/2.6.3-1+deb10u2' from 'buster-pu: 
package inn2/2.6.3-1+deb10u1'.

-- 
939526: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939526
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#939526: buster-pu: package inn2/2.6.3-1+deb10u1

2019-10-05 Thread Marco d'Itri
Control: retitle -1 buster-pu: package inn2/2.6.3-1+deb10u2

Bug #931256 explains in detail why TLS is broken in inn2 in buster, due 
to the policies of newer openssl versions.

As noticed by Adam D. Barratt, the original patch had a bug: it was 
then solved by the upstream maintainer and the fix has been one month in 
testing now.


diff -Nru inn2-2.6.3/debian/changelog inn2-2.6.3/debian/changelog
--- inn2-2.6.3/debian/changelog 2019-02-17 17:52:36.0 +0100
+++ inn2-2.6.3/debian/changelog 2019-10-06 00:51:59.0 +0200
@@ -1,3 +1,11 @@
+inn2 (2.6.3-1+deb10u2) buster; urgency=medium
+
+  * Backported upstream changeset 10344 to fix negotiation of DHE
+ciphersuites. (See #931256.)
+  * Backported upstream changeset 10348 to fix upstream changeset 10344.
+
+ -- Marco d'Itri   Sun, 06 Oct 2019 00:51:59 +0200
+
 inn2 (2.6.3-1) unstable; urgency=medium
 
   * New upstream release.
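Review bot: the second changelog entry, `* Backported upstream changeset 10348 to fix upstream changeset 10344.`, says nothing about what was wrong, and a stable-update changelog should let the release team and users see the defect at a glance; suggest naming it, e.g. `* Backported upstream changeset 10348: the cached DH parameter buffer was only returned on the call that loaded it.`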
diff -Nru inn2-2.6.3/debian/patches/changeset_10344 
inn2-2.6.3/debian/patches/changeset_10344
--- inn2-2.6.3/debian/patches/changeset_10344   1970-01-01 01:00:00.0 
+0100
+++ inn2-2.6.3/debian/patches/changeset_10344   2019-09-05 22:34:04.0 
+0200
@@ -0,0 +1,202 @@
+Index: a/nnrpd/tls.c
+===
+--- a/nnrpd/tls.c  (revision 10342)
 a/nnrpd/tls.c  (revision 10344)
+@@ -96,45 +96,58 @@
+ 
+ /*
+-**  Hardcoded DH parameter files, from OpenSSL.
+-**  For information on how these files were generated, see
+-**  "Assigned Number for SKIP Protocols" 
+-**  .
+-*/
+-static const char file_dh512[] =
++**  Hardcoded DH parameter files.
++**  These are pre-defined DH groups recommended by RFC 7919 (Appendix A),
++**  that have been audited and therefore supposed to be more
++**  resistant to attacks than ones randomly generated.
++*/
++static const char file_ffdhe2048[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak\n\
+-XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC\n\
++MIIBCAKCAQEA//+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n\
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n\
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n\
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n\
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n\
++ssbzSibBsu/6iGtCOGEoXJf//wIBAg==\n\
+ -END DH PARAMETERS-\n";
+ 
+-static const char file_dh1024[] =
++static const char file_ffdhe4096[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY\n\
+-jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6\n\
+-ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC\n\
++MIICCAKCAgEA//+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n\
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n\
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n\
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n\
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n\
++ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n\
++7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n\
++nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e\n\
++8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx\n\
++iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K\n\
++zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//8CAQI=\n\
+ -END DH PARAMETERS-\n";
+ 
+-static const char file_dh2048[] =
++static const char file_ffdhe8192[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV\n\
+-89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50\n\
+-T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb\n\
+-zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX\n\
+-Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT\n\
+-CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==\n\
+--END DH PARAMETERS-\n";
+-
+-static const char file_dh4096[] =
+-"-BEGIN DH PARAMETERS-\n\
+-MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ\n\
+-l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt\n\
+-Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS\n\
+-Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98\n\
+-VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc\n\
+-alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM\n\
+-sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9\n\
+-ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte\n\
+-OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH\n\
+-AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL\n\
+-KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=\n\
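Review bot: the PEM constants cannot be checked from this rendering: the armor lines read `-BEGIN DH PARAMETERS-` and the ffdhe2048 body opens `MIIBCAKCAQEA//+t+FRY`, whereas the RFC 7919 group has five-dash armor and a run of ten `/` characters (the 0xFF bytes at the top of the prime), so runs of repeated characters have been collapsed in the archive view. Compare the three groups byte for byte against RFC 7919 Appendix A in the actual `changeset_10344` file before accepting, since a corrupted group would make the lazy load fail at exactly the point this change is meant to fix.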

Bug#939526: buster-pu: package inn2/2.6.3-1~deb10u1

2019-09-18 Thread Marco d'Itri
On Sep 17, "Adam D. Barratt"  wrote:

> Shouldn't the assignment to "r" be outside of the conditional? Otherwise, if
> ffdheX has previously been initialised, the function will return NULL rather
> than the previously loaded buffer.
Thank you, upstream confirmed.
I did a new upload to unstable and will re-upload to pu next week.

-- 
ciao,
Marco



Bug#939526: buster-pu: package inn2/2.6.3-1~deb10u1

2019-09-17 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2019-09-05 22:41, Marco d'Itri wrote:
[...]

++switch(level)
++{
++case 0: /* Everything is permitted. */
++case 1: /* DH keys shorter than 1024 bits are prohibited. */
++case 2: /* DH keys shorter than 2048 bits are prohibited. */
++if (ffdhe2048 == NULL) {
++ffdhe2048 = load_dh_buffer(file_ffdhe2048,
++   sizeof(file_ffdhe2048));
++r = ffdhe2048;
++}
++break;

[etc]

++return r;
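Review bot: the `case 0:` and `case 1:` comments describe the policy level ("DH keys shorter than 1024 bits are prohibited") rather than what the code does, which is to hand out the 2048-bit group for every level up to 2 because nothing smaller is shipped any more; one comment above the three labels stating that levels 0 to 2 all map to ffdhe2048 would make the intent clear to the next reader.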


Shouldn't the assignment to "r" be outside of the conditional? 
Otherwise, if ffdheX has previously been initialised, the function will 
return NULL rather than the previously loaded buffer.


Regards,

Adam
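The caching bug Adam describes, reduced to a stand-alone C model added here (not inn2's own tls.c; `load_dh_buffer_stub` and the two `get_dh_*` functions are constructed stand-ins for the patch's routine, covering only the levels 0 to 2 branch shown above):

```c
#include <stddef.h>

/* Constructed stand-in for inn2's load_dh_buffer(): returns a pointer to a
 * static object and counts calls so the cache behaviour is observable. */
static int fake_dh_params;
int load_calls = 0;
static void *load_dh_buffer_stub(void) { load_calls++; return &fake_dh_params; }

/* Shape of the first backport: r is assigned only inside the "not loaded
 * yet" branch, so every call after the first returns NULL for levels 0-2. */
static void *ffdhe2048_buggy = NULL;
void *get_dh_buggy(int level)
{
    void *r = NULL;
    switch (level) {
    case 0: /* Everything is permitted. */
    case 1: /* DH keys shorter than 1024 bits are prohibited. */
    case 2: /* DH keys shorter than 2048 bits are prohibited. */
        if (ffdhe2048_buggy == NULL) {
            ffdhe2048_buggy = load_dh_buffer_stub();
            r = ffdhe2048_buggy;   /* only reached on the first call */
        }
        break;
    }
    return r;
}

/* Corrected shape: load lazily, then always hand back the cached buffer. */
static void *ffdhe2048_fixed = NULL;
void *get_dh_fixed(int level)
{
    void *r = NULL;
    switch (level) {
    case 0: case 1: case 2:
        if (ffdhe2048_fixed == NULL)
            ffdhe2048_fixed = load_dh_buffer_stub();
        r = ffdhe2048_fixed;       /* reached on every call */
        break;
    }
    return r;
}

/* 1 if a second lookup at the same level fails after the first succeeded. */
int second_call_returns_null(void *(*get)(int), int level)
{
    void *first = get(level);
    void *second = get(level);
    return first != NULL && second == NULL;
}
```

In the buggy form the second lookup returns NULL, so the caller is left without DH parameters on every call after the first; the fixed form returns the cached buffer each time and invokes the loader exactly once.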



Processed: Re: Bug#939526: buster-pu: package inn2/2.6.3-1~deb10u1

2019-09-17 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #939526 [release.debian.org] buster-pu: package inn2/2.6.3-1+deb10u1
Added tag(s) moreinfo.

-- 
939526: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939526
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#939526: buster-pu: package inn2/2.6.3-1~deb10u1

2019-09-05 Thread Marco d'Itri
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Bug #931256 explains in detail why TLS is broken in inn2 in buster, due 
to the policies of newer openssl versions.

This same patch has been in 2.6.3-2 in unstable/testing for two weeks.

diff -Nru inn2-2.6.3/debian/changelog inn2-2.6.3/debian/changelog
--- inn2-2.6.3/debian/changelog 2019-02-17 17:52:36.0 +0100
+++ inn2-2.6.3/debian/changelog 2019-09-05 23:25:56.0 +0200
@@ -1,3 +1,10 @@
+inn2 (2.6.3-1~deb10u1) buster; urgency=medium
+
+  * Backported upstream changeset 10344 to fix negotiation of DHE
+ciphersuites. (See #931256.)
+
+ -- Marco d'Itri   Thu, 05 Sep 2019 23:25:56 +0200
+
 inn2 (2.6.3-1) unstable; urgency=medium
 
   * New upstream release.
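Review bot: the version `2.6.3-1~deb10u1` in the new changelog stanza sorts before the `2.6.3-1` already in buster (a tilde compares lower than the end of the string in Debian version ordering), so the package would not be treated as an upgrade of the version in the archive; a stable update built on top of 2.6.3-1 needs a suffix that sorts higher, i.e. `2.6.3-1+deb10u1`.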
diff -Nru inn2-2.6.3/debian/patches/changeset_10344 
inn2-2.6.3/debian/patches/changeset_10344
--- inn2-2.6.3/debian/patches/changeset_10344   1970-01-01 01:00:00.0 
+0100
+++ inn2-2.6.3/debian/patches/changeset_10344   2019-09-05 22:34:04.0 
+0200
@@ -0,0 +1,202 @@
+Index: a/nnrpd/tls.c
+===
+--- a/nnrpd/tls.c  (revision 10342)
 a/nnrpd/tls.c  (revision 10344)
+@@ -96,45 +96,58 @@
+ 
+ /*
+-**  Hardcoded DH parameter files, from OpenSSL.
+-**  For information on how these files were generated, see
+-**  "Assigned Number for SKIP Protocols" 
+-**  .
+-*/
+-static const char file_dh512[] =
++**  Hardcoded DH parameter files.
++**  These are pre-defined DH groups recommended by RFC 7919 (Appendix A),
++**  that have been audited and therefore supposed to be more
++**  resistant to attacks than ones randomly generated.
++*/
++static const char file_ffdhe2048[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak\n\
+-XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC\n\
++MIIBCAKCAQEA//+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n\
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n\
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n\
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n\
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n\
++ssbzSibBsu/6iGtCOGEoXJf//wIBAg==\n\
+ -END DH PARAMETERS-\n";
+ 
+-static const char file_dh1024[] =
++static const char file_ffdhe4096[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY\n\
+-jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6\n\
+-ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC\n\
++MIICCAKCAgEA//+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n\
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n\
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n\
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n\
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n\
++ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n\
++7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n\
++nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e\n\
++8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx\n\
++iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K\n\
++zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//8CAQI=\n\
+ -END DH PARAMETERS-\n";
+ 
+-static const char file_dh2048[] =
++static const char file_ffdhe8192[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV\n\
+-89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50\n\
+-T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb\n\
+-zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX\n\
+-Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT\n\
+-CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==\n\
+--END DH PARAMETERS-\n";
+-
+-static const char file_dh4096[] =
+-"-BEGIN DH PARAMETERS-\n\
+-MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ\n\
+-l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt\n\
+-Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS\n\
+-Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98\n\
+-VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc\n\
+-alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM\n\
+-sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9\n\
+-ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte\n\
+-OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH\n\
+-AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL\n\
+-KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=\n\
++MIIECAKCBAEA//+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n\
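Review bot: the new header comment ("that have been audited and therefore supposed to be more resistant to attacks than ones randomly generated") overstates and reads awkwardly; suggest "that are generated in a publicly verifiable way (RFC 7919, Appendix A) and are therefore preferred to randomly generated parameters". The hunk also deletes the 512- and 1024-bit groups outright, which is the part of this change that matters for the openssl policy problem in #931256 and deserves a sentence in the patch description rather than being visible only in the diff.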