Bug#1065413: bookworm-pu: package openssl/3.0.13-1~deb12u1

2024-04-09 Thread Sebastian Andrzej Siewior
On 2024-04-07 23:46:28 [+0200], To Adam D. Barratt wrote:
> On 2024-03-24 20:06:12 [+], Adam D. Barratt wrote:
> > 
> > Sorry for not getting to this sooner. Is this still the case?
> 
> So, this happened: #1068045 (yapet broke with the 1.0 format) due to the
> update. On the bright side, it has been broken in unstable but unnoticed.
> Looking into it, but also sleeping (but making progress).

yapet is fixed in unstable. My understanding is that the maintainer will
take care of it.

I've been looking at the release.d.o page and there are deb-ci failures
for nodejs. Those should be gone with nodejs/18.19.0+dfsg-6~deb12u1
which is in d-security.
So based on this I would say all good ;)

> > Regards,
> > 
> > Adam
 
Sebastian



Bug#1065413: bookworm-pu: package openssl/3.0.13-1~deb12u1

2024-04-07 Thread Sebastian Andrzej Siewior
On 2024-03-24 20:06:12 [+], Adam D. Barratt wrote:
> 
> Sorry for not getting to this sooner. Is this still the case?

So, this happened: #1068045 (yapet broke with the 1.0 format) due to the
update. On the bright side, it has been broken in unstable but unnoticed.
Looking into it, but also sleeping (but making progress).

> Regards,
> 
> Adam

Sebastian



Bug#1065413: bookworm-pu: package openssl/3.0.13-1~deb12u1

2024-03-24 Thread Sebastian Andrzej Siewior
On 2024-03-24 20:06:12 [+], Adam D. Barratt wrote:
> On Mon, 2024-03-04 at 07:38 +0100, Sebastian Andrzej Siewior wrote:
> > This is an update to the current stable OpenSSL release in the 3.0.x
> > series. It addresses the following CVE reports which were postponed
> > due to low severity:
> [...]
> > I'm not aware of any problems/regressions at this point.
> 
> Sorry for not getting to this sooner. Is this still the case?

Yes.

> Regards,
> 
> Adam

Sebastian



Bug#1063621: bookworm-pu: package clamav/clamav_1.0.5+dfsg-1~deb12u1

2024-03-08 Thread Sebastian Andrzej Siewior
On 2024-03-08 07:38:10 [+], Adam D. Barratt wrote:
> On Fri, 2024-02-09 at 23:12 +0100, Sebastian Andrzej Siewior wrote:
> > This is an update to the latest clamav release in the 1.0.x series. 
> 
> One small thing you may want to fix for any follow-up updates:
> 
> +clamav (1.0.5+dfsg-1~deb12u1) bookworm; urgency=medium
> +
> +  * Import 1.0.4 (Closes: #1063479).

Indeed, thank you.

> Regards,
> 
> Adam

Sebastian



Bug#1063621: bookworm-pu: package clamav/clamav_1.0.5+dfsg-1~deb12u1

2024-03-03 Thread Sebastian Andrzej Siewior
On 2024-02-09 23:12:18 [+0100], To sub...@bugs.debian.org wrote:
> Package: release.debian.org
> Control: affects -1 + src:clamav
> X-Debbugs-Cc: cla...@packages.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: bookworm
> Severity: normal
> 
> This is an update to the latest clamav release in the 1.0.x series. This
> update closes two CVEs:
> 
> - CVE-2024-20290: Fixed a possible heap overflow read bug in the OLE2 file
>   parser that could cause a denial-of-service (DoS) condition.
> 
> - CVE-2024-20328: Fixed a possible command injection vulnerability in the
>   "VirusEvent" feature of ClamAV's ClamD service.
> 
>   To fix this issue, we disabled the '%f' format string parameter.  ClamD
>   administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment
>   variable, instead of '%f'. But you should do so only from within an
>   executable, such as a Python script, and not directly in the clamd.conf
>   "VirusEvent" command.

A friendly ping.

Sebastian
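The VirusEvent change quoted above (CVE-2024-20328) is easier to reason about with the two quoting paths side by side. What follows is an added example, not ClamAV code: `unsafe_virusevent` emulates the pre-1.0.5 behaviour of textually substituting the detected file's name for `%f` before the command string reaches the shell, and `safe_virusevent` passes the same name through the `CLAM_VIRUSEVENT_FILENAME` environment variable, the way the fixed version expects a handler to read it. The VirusEvent command line and the file name are constructed for the demonstration; the name contains a double quote and a `;` so that the difference between the two paths is visible in the output.

```shell
#!/bin/sh
# Added example, not part of ClamAV. Emulates the two ways a VirusEvent
# command can learn the name of the detected file.

# Pre-1.0.5 behaviour (emulated): clamd copied the command string from
# clamd.conf, replaced "%f" with the raw file name, and handed the result
# to the shell. The file name is therefore parsed as shell syntax.
unsafe_virusevent() {
    filename=$1
    cmd='echo "virus found in %f"'      # constructed VirusEvent line
    case $cmd in
        *"%f"*) expanded="${cmd%%"%f"*}${filename}${cmd#*"%f"}" ;;
        *)      expanded=$cmd ;;
    esac
    sh -c "$expanded"
}

# 1.0.5+ style: "%f" is no longer expanded. The file name travels in the
# CLAM_VIRUSEVENT_FILENAME environment variable and is read by the program
# that VirusEvent starts, so it is a value and never shell syntax.
safe_virusevent() {
    CLAM_VIRUSEVENT_FILENAME=$1 sh -c 'printf "virus found in %s\n" "$CLAM_VIRUSEVENT_FILENAME"'
}

# Constructed file name: it closes the double quote in the command,
# starts a second command, and re-opens a quote so the rest still parses.
EVIL_NAME='/tmp/eicar.com"; echo INJECTED; echo "'

echo '--- unsafe (%f substitution) ---'
unsafe_virusevent "$EVIL_NAME"
echo '--- safe (environment variable) ---'
safe_virusevent "$EVIL_NAME"
```

The unsafe path prints a second line, `INJECTED`, because the shell saw three commands; the safe path prints the whole constructed name as one literal string. The same reasoning is why the bug report says to consume `CLAM_VIRUSEVENT_FILENAME` inside a script rather than expanding it on the clamd.conf command line: an unquoted `$CLAM_VIRUSEVENT_FILENAME` there is still subject to word splitting and globbing by the shell that clamd starts.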



Bug#1065413: bookworm-pu: package openssl/3.0.13-1~deb12u1

2024-03-03 Thread Sebastian Andrzej Siewior
Package: release.debian.org
Control: affects -1 + src:openssl
X-Debbugs-Cc: open...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: sebast...@breakpoint.cc
Severity: normal

This is an update to the current stable OpenSSL release in the 3.0.x
series. It addresses the following CVE reports which were postponed due
to low severity:

- CVE-2023-5678 (Fix excessive time spent in DH check / generation with
  large Q parameter value)
- CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
  PowerPC)
- CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
- CVE-2024-0727 (PKCS12 Decoding crashes)

I'm not aware of any problems/regressions at this point. During the upload
of the 3.1.x release to unstable at the time, m2crypto and nodejs failed to
build. I verified that m2crypto in stable and nodejs in stable-security
build against this version of openssl.

Sebastian



Bug#1063621: bookworm-pu: package clamav/clamav_1.0.5+dfsg-1~deb12u1

2024-02-09 Thread Sebastian Andrzej Siewior
e with the following fixes:
+
+- Eliminate security warning about unused "atty" dependency.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1035
+
+- Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1054
+
+- Windows: libjson-c 0.17 compatibility fix. with ssize_t type definition.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1064
+
+- Freshclam: Removed a verbose warning printed for each Freshclam HTTP request.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1042
+
+- Build system: Fix link error with Clang/LLVM/LLD version 17.
+  Patch courtesy of Yasuhiro Kimura.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1058
+
+- Fix alert-exceeds-max feature for files > 2GB and < max-filesize.
+  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1041
+
+Special thanks to the following people for code contributions and bug reports:
+- Yasuhiro Kimura
+
 ## 1.0.3
 
 ClamAV 1.0.3 is a critical patch release with the following fixes:
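Review bot: the libjson-c entry in the new NEWS section reads "compatibility fix. with ssize_t type definition", a stray full stop that splits one sentence; "compatibility fix with ssize_t type definition" is what the config-header hunk below actually implements.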
diff --git a/clamav-config.h.cmake.in b/clamav-config.h.cmake.in
index b21af87..4f3b837 100644
--- a/clamav-config.h.cmake.in
+++ b/clamav-config.h.cmake.in
@@ -587,11 +587,22 @@
 #define inline @INLINE_KEYWORD@
 #endif
 
-/* Define to `long int' if  does not define. */
-#cmakedefine off_t @off_t@
-
 /* Define to `int' if  does not define. */
-#cmakedefine ssize_t @ssize_t@
+#ifndef SSIZE_T_DEFINED
+   #if defined(_MSC_VER)
+  #include 
+  typedef SSIZE_T ssize_t;
+   #else
+  @SSIZE_T_DEF@
+   #endif
+   # define SSIZE_T_DEFINED
+#endif
+
+/* Define to `long int' if  does not define. */
+#ifndef OFF_T_DEFINED
+   @OFF_T_DEF@
+   #define OFF_T_DEFINED
+#endif
 
 /* Define to the equivalent of the C99 'restrict' keyword, or to
nothing if this is not supported.  Do not define if restrict is
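Review bot: the `#include` on the `_MSC_VER` branch has no header name in this copy of the hunk, and both comments now read "if  does not define" with the header they refer to missing, so the lines as committed need to be checked against the upstream patch (on MSVC the `SSIZE_T` typedef comes from BaseTsd.h). Separately, `SSIZE_T_DEFINED` and `OFF_T_DEFINED` are generic guard names that another header may define without providing the typedef, in which case this block silently skips it; a project-prefixed guard such as `CLAMAV_SSIZE_T_DEFINED` avoids that collision.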
diff --git a/clamd/clamd_others.c b/clamd/clamd_others.c
index 23f3b02..32d0701 100644
--- a/clamd/clamd_others.c
+++ b/clamd/clamd_others.c
@@ -101,6 +101,8 @@ void virusaction(const char *filename, const char *virname,
 #define VE_FILENAME "CLAM_VIRUSEVENT_FILENAME"
 #define VE_VIRUSNAME "CLAM_VIRUSEVENT_VIRUSNAME"
 
+#define FILENAME_DISABLED_MESSAGE "The filename format character has been disabled due to security concerns, use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead."
+
 void virusaction(const char *filename, const char *virname,
  const struct optstruct *opts)
 {
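Review bot: the text in `FILENAME_DISABLED_MESSAGE` is delivered only as an argument to whatever command the administrator configured, so it may never be seen: an unquoted `%f` turns the sentence into a dozen separate words, and a handler that used `%f` as a path simply fails on a file that does not exist. Logging the warning through clamd's own log at the point where `%f` is found (and substituting an empty string) would make the change visible to the person who has to fix the configuration.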
@@ -145,7 +147,7 @@ void virusaction(const char *filename, const char *virname,
 }
 len = strlen(opt->strarg);
 buffer_cmd =
-(char *)calloc(len + v * strlen(virname) + f * strlen(filename) + 1, sizeof(char));
+(char *)calloc(len + v * strlen(virname) + f * strlen(FILENAME_DISABLED_MESSAGE) + 1, sizeof(char));
 if (!buffer_cmd) {
 if (path)
 xfree(env[0]);
@@ -160,8 +162,8 @@ void virusaction(const char *filename, const char *virname,
 j += strlen(virname);
 i++;
 } else if (i + 1 < len && opt->strarg[i] == '%' && opt->strarg[i + 1] == 'f') {
-strcat(buffer_cmd, filename);
-j += strlen(filename);
+strcat(buffer_cmd, FILENAME_DISABLED_MESSAGE);
+j += strlen(FILENAME_DISABLED_MESSAGE);
 i++;
 } else {
 buffer_cmd[j++] = opt->strarg[i];
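Review bot: the `%f` token is rewritten only when a detection fires, so a configuration that still uses it stays silently broken until the first hit; warn (or refuse the configuration) when the `VirusEvent` option is parsed at startup so the deprecation is noticed before an incident. The sizing in the previous hunk stays consistent with this substitution because `f` still counts the `%f` occurrences.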
diff --git a/common/optparser.c b/common/optparser.c
index a7bdbee..1be7afe 100644
--- a/common/optparser.c
+++ b/common/optparser.c
@@ -333,7 +333,7 @@ const struct clam_option __clam_options[] = {
 
 {"DisableCache", "disable-cache", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option allows you to disable clamd's caching feature.", "no"},
 
-{"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when a virus is found. In the command string %v will be\nreplaced with the virus name and %f will be replaced with the file name.\nAdditionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME\nand $CLAM_VIRUSEVENT_VIRUSNAME.", "/usr/bin/mailx -s \"ClamAV VIRUS ALERT: %v\" alert < /dev/null"},
+{"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when virus is found.\nUse the following environment variables to identify the file and virus names:\n- $CLAM_VIRUSEVENT_FILENAME\n- $CLAM_VIRUSEVENT_VIRUSNAME\nIn the command string, '%v' will also be replaced with the virus name.\nNote: The '%f' filename format character has been disabled and will no longer\nbe replaced with the file name, due to command injection security concerns.\nUse the 'CLAM_VIRUSEVENT_FILENAME' environment variable i
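Review bot: the new help string is cut off in this copy of the hunk ("environment variable i"); the committed text should also carry the point made in the bug report, that `CLAM_VIRUSEVENT_FILENAME` is meant to be read inside the executable that VirusEvent starts and not expanded on the clamd.conf command line, where an unquoted `$CLAM_VIRUSEVENT_FILENAME` is still word-split and globbed by the shell. The default value for the option, previously `/usr/bin/mailx -s "ClamAV VIRUS ALERT: %v" alert < /dev/null`, is not visible in the truncated line and should be checked to confirm it no longer uses `%f`.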

Bug#1058700: nmu: dar_2.7.13-2

2023-12-14 Thread Sebastian Andrzej Siewior
Package: release.debian.org
Control: affects -1 + src:dar
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal

Hi,

if I see this correctly then dar 2.7.13-2 won't migrate to testing
because it was built using openssl 3.0.12-1. This version isn't in
testing and if everything goes according to plan then openssl
3.1.4-2 will migrate to testing in ~3 days. Therefore I suggest binNMUing
dar to pick up the current openssl so it can migrate:

nmu dar_2.7.13-2 . ANY . unstable . -m "Update Built-Using for openssl"

Sebastian



Re: OpenSSL transition to testing

2023-11-23 Thread Sebastian Andrzej Siewior
On 2023-11-22 22:15:43 [+0100], Jérémy Lal wrote:
> Please wait a moment before doing more uploads.
> I am gonna deal with it before the end of the week. Sorry for that.

Sorry for any trouble I may have caused. I haven't had any response and
I wasn't granted any free rider card so I started backporting on SAT
evening. And to not make it look selfish I looked at the CVEs, too. This
and testing took a while.
I just (wrongly) assumed the other testsuite failures were just my local
setup problem…

> Jérémy

Sebastian



OpenSSL transition to testing

2023-11-17 Thread Sebastian Andrzej Siewior
Hi,

OpenSSL didn't migrate to testing for two reasons:
#1 Didn't build on mips64el because slow buildd is slow. 

#2 Autopkgtest fails in the latest version due to changes in OpenSSL.


For #1 Kurt increased the priority so it might build eventually.

#2. This is known by nodejs upstream and has been fixed by adjusting the
nodejs test suite. I filed a bug in the BTS collecting all needed pieces:
https://bugs.debian.org/1055416

Besides OpenSSL 3.0.12 there is also 3.1.4 currently in experimental
which is also blocked by nodejs' autopkgtest, but this time by a different
issue:
https://bugs.debian.org/1052470

Based on my faded memory, it was a bit more complicated.

I'm now curious to learn what could be the best way to move forward. I
have a few ideas:
- NMU #1055416, allow the transition to happen.

- NMU also #1052470 in order to allow an OpenSSL 3.1.4 upload. This
  could be tricky because the proposed change is based on nodejs' master-18.x
  branch, meaning a new nodejs version which could lead to other issues.
  I could try to isolate the needed bits but…

- Ignore debci for Nodejs which would allow 3.0.12-2 to migrate and
  3.1.4 could follow to unstable shortly after.

Anyone?

Sebastian



Bug#1051884: bullseye-pu: package openssl/1.1.1w-0~deb11u1

2023-10-02 Thread Sebastian Andrzej Siewior
On 2023-10-02 13:41:17 [+0200], Cyril Brulebois wrote:
> Adam D. Barratt  (2023-10-02):
> > Unfortunately, the version format change from -0+deb11uX to -0~deb11uX
> > has broken the installer.
> > 
> > The udebs end up with dependencies of the form ">= 1.1.1w", which
> > 1.1.1w-0~deb11u1 doesn't fulfil. Assuming I'm not missing anything,
> > could we have an upload that uses the -0+ style of versioning ASAP,
> > please?
> 
> Trying to understand the reasons behind the versioning scheme switch, it
> seems the debian/bullseye branch is still at 1.1.1v-0~deb11u1 (without a
> tag).

Sorry for that. Just uploaded 1.1.1w-0+deb11u1 which solves that.

> Cheers,

Sebastian



Bug#1053001: bookworm-pu: package openssl/3.0.11-1~deb12u1

2023-09-26 Thread Sebastian Andrzej Siewior
Package: release.debian.org
Control: affects -1 + src:openssl
X-Debbugs-Cc: open...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: sebast...@breakpoint.cc
Severity: normal

This is an update of the openssl package to the 3.0.11 version, a patch
release (bug and security fixes). This version contains no security
updates.
The 3.0.11 version has been in unstable since 2023-09-19. The migration to
testing was delayed due to a "bug" in the testsuite of another package
which led to CI failures. Once this was fixed, both packages
migrated. The package causing the delay is not part of bookworm. I am
not aware of any other fallout.

Sebastian
diff -Nru openssl-3.0.10/apps/cmp.c openssl-3.0.11/apps/cmp.c
--- openssl-3.0.10/apps/cmp.c	2023-08-01 15:47:24.0 +0200
+++ openssl-3.0.11/apps/cmp.c	2023-09-19 15:02:31.0 +0200
@@ -2512,7 +2512,7 @@
 }
 break;
 case OPT_CSR:
-opt_csr = opt_arg();
+opt_csr = opt_str();
 break;
 case OPT_OUT_TRUSTED:
 opt_out_trusted = opt_str();
diff -Nru openssl-3.0.10/apps/lib/apps.c openssl-3.0.11/apps/lib/apps.c
--- openssl-3.0.10/apps/lib/apps.c	2023-08-01 15:47:24.0 +0200
+++ openssl-3.0.11/apps/lib/apps.c	2023-09-19 15:02:31.0 +0200
@@ -944,7 +944,7 @@
 BIO *bio;
 
 if (!maybe_stdin) {
-BIO_printf(bio_err, "No filename or uri specified for loading");
+BIO_printf(bio_err, "No filename or uri specified for loading\n");
 goto end;
 }
 uri = "";
@@ -960,10 +960,8 @@
 ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), ,
  params, NULL, NULL);
 }
-if (ctx == NULL) {
-BIO_printf(bio_err, "Could not open file or uri for loading");
+if (ctx == NULL)
 goto end;
-}
 if (expect > 0 && !OSSL_STORE_expect(ctx, expect))
 goto end;
 
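Review bot: with the "Could not open file or uri for loading" message gone, the only diagnostic left for a failed `OSSL_STORE_open_ex` is whatever the store loader put on the error queue; confirm that the `end:` label this jumps to prints that queue, otherwise a mistyped `-in` path now fails without any message. Unrelated to the change, the `OSSL_STORE_open_ex` call on the first line of the hunk is missing an argument in this copy (`get_ui_method(), ,`), which is an extraction artefact and not something to "fix" in the patch.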
@@ -1948,16 +1946,17 @@
 nid = OBJ_txt2nid(typestr);
 if (nid == NID_undef) {
 BIO_printf(bio_err,
-   "%s: Skipping unknown %s name attribute \"%s\"\n",
+   "%s warning: Skipping unknown %s name attribute \"%s\"\n",
opt_getprog(), desc, typestr);
 if (ismulti)
 BIO_printf(bio_err,
-   "Hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n");
+   "%s hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n",
+   opt_getprog());
 continue;
 }
 if (*valstr == '\0') {
 BIO_printf(bio_err,
-   "%s: No value provided for %s name attribute \"%s\", skipped\n",
+   "%s warning: No value provided for %s name attribute \"%s\", skipped\n",
opt_getprog(), desc, typestr);
 continue;
 }
diff -Nru openssl-3.0.10/apps/req.c openssl-3.0.11/apps/req.c
--- openssl-3.0.10/apps/req.c	2023-08-01 15:47:24.0 +0200
+++ openssl-3.0.11/apps/req.c	2023-09-19 15:02:31.0 +0200
@@ -990,10 +990,10 @@
 else
 tpubkey = X509_REQ_get0_pubkey(req);
 if (tpubkey == NULL) {
-fprintf(stdout, "Modulus is unavailable\n");
+BIO_puts(bio_err, "Modulus is unavailable\n");
 goto end;
 }
-fprintf(stdout, "Modulus=");
+BIO_puts(out, "Modulus=");
 if (EVP_PKEY_is_a(tpubkey, "RSA") || EVP_PKEY_is_a(tpubkey, "RSA-PSS")) {
 BIGNUM *n = NULL;
 
@@ -1002,9 +1002,9 @@
 BN_print(out, n);
 BN_free(n);
 } else {
-fprintf(stdout, "Wrong Algorithm type");
+BIO_puts(out, "Wrong Algorithm type");
 }
-fprintf(stdout, "\n");
+BIO_puts(out, "\n");
 }
 
 if (!noout && !gen_x509) {
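Review bot: the two failure messages now go to different streams: "Modulus is unavailable" is written to `bio_err` and aborts via `goto end`, while "Wrong Algorithm type" is written to `out` and falls through, so a script capturing `-modulus` output receives the line `Modulus=Wrong Algorithm type` on stdout. Sending the second message to `bio_err` as well, and probably jumping to `end` too, keeps stdout clean for machine consumption.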
diff -Nru openssl-3.0.10/apps/s_server.c openssl-3.0.11/apps/s_server.c
--- openssl-3.0.10/apps/s_server.c	2023-08-01 15:47:24.0 +0200
+++ openssl-3.0.11/apps/s_server.c	2023-09-19 15:02:31.0 +0200
@@ -789,7 +789,7 @@
  "second server certificate chain file in PEM format"},
 {"dkey", OPT_DKEY, '<',
  "Second private key file to use (usually for DSA)"},
-{"dkeyform", OPT_DKEYFORM, 'F',
+{"dkeyform", OPT_DKEYFORM, 'f',
  "Second key file format (ENGINE, other values ignored)"},
 {"dpass", OPT_DPASS, 's',
  "Second private key and cert file pass phrase source"},
diff -Nru openssl-3.0.10/appveyor.yml openssl-3.0.11/appveyor.yml
--- openssl-3.0.10/appveyor.yml	2023-08-01 15:47:24.0 +0200
+++ openssl-3.0.11/appveyor.yml	1970-01-01 01:00:00.0 +0100
@@ -1,82 +0,0 @@
-image:
-- Visual Studio 2017
-
-platform:
-- x64
-- x86
-

Bug#1052070: bookworm-pu: package mutt/2.2.12-0.1~deb12u1

2023-09-24 Thread Sebastian Andrzej Siewior
On 2023-09-23 20:39:32 [+0100], Adam D. Barratt wrote:
> Please go ahead.
Thanks, done.

> Regards,
> 
> Adam

Sebastian



Bug#1052070: bookworm-pu: package mutt/2.2.12-0.1~deb12u1

2023-09-16 Thread Sebastian Andrzej Siewior
Package: release.debian.org
Control: affects -1 + src:mutt
X-Debbugs-Cc: m...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: sebast...@breakpoint.cc
Severity: normal

This is an update of the mutt package as provided by upstream to version 2.2.12,
which is also available in unstable since 10th September.
The 2.2.x series are bug fix only releases.

The 2.2.10 release changed the message-id generation by using the base64
url-safe dictionary instead of base64 for encoding "random" characters.
The usage of the '/' character in the message-id leads to a problem with
online-archives if the message-id is part of the URL and then '/' gets
interpreted as a "folder delimiter" instead a "file". This is a real
problem for the lore archiver.

The 2.2.11 release listed only a build issue on MacOS.

The 2.2.12 release listed only two "crash bugs" which were fixed
recently via d-security.

The whole history from git:
| a60b22fe2a250 Filter U+200C in pager.
| 2f35d2fdb99de Reset header color after mutt_set_flag().
| ba5e0dc2bcadd Add doc note to MuttLisp about boolean config vars.
| d0faf2d44455b Remove reference to $mark_old inside $mail_check_recent.
| ef2abed29fe02 Fix counters for external maildir 'T' flag changes.
| 16d8ad647bd17 Move MuttLisp boolean config note.
| 7c4fa47888d0d mutt_oauth2: Print access token request message
| cecddeac3be3d base64val: Add support to decode base64 safe URL.
| 5df86199463b5 Use base64 URL safe alphabet for message id generation.
| 216dd145d41dd Improve smtp oauth authentication.
| 9f01d4ab0b8af Abort imap_fast_trash() if previously checkpointed.
| 33f8b7cee857d Update copyright notices.
| 9138232d8daa4 Update UPDATING files for 2.2.10 release.
| e0e92c31228e3 (tag: mutt-2-2-10-rel) automatic post-release commit for mutt-2.2.10
| 50954c4ab7408 Fix  behavior for sort=reverse-threads.
| a5423c403381e Updated Japanese translation.
| d52c6115b074d Fix GPGME build failure on MacOS.
| d619496e99899 Update UPDATING file for 2.2.11 release.
| 6b538297bc0ba (tag: mutt-2-2-11-rel) automatic post-release commit for mutt-2.2.11
| 7eb9c18f27d14 Add a documentation note that aliases are case insensitive.
| 452ee330e094b Fix rfc2047 base64 decoding to abort on illegal characters.
| 4cc3128abdf52 Check for NULL userhdrs.
| a4752eb0ae0a5 Fix write_one_header() illegal header check.
| 6a155b4933b4b Update UPDATING file for 2.2.12 release.
| 0a81a2a7ca2b4 (mutt-2-2-12-rel) automatic post-release commit for mutt-2.2.12

Sebastian



Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1

2023-09-15 Thread Sebastian Andrzej Siewior
On 2023-09-14 21:52:25 [+0100], Adam D. Barratt wrote:
> 
> That's now out, as SUA-240-1.

Thank you Adam.

> Regards,
> 
> Adam

Sebastian



Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1

2023-09-14 Thread Sebastian Andrzej Siewior
On 2023-09-14 06:31:26 [+0100], Adam D. Barratt wrote:
> On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior wrote:
> > On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > > How does this sound for an SUA?
> [...]
> > This sounds entirely fine to me. I don't think that it is needed to
> > point out that bullseye is not affected by the second issue.
> > 
> 
> Great, thanks.
> 
> > There is also this thing regarding libclamunrar and the update to
> > v6.2.10 of the bundled library. I *think* it is related to
> > CVE-2023-40477. Since unrar itself is only in -pu I think it is okay
> > for libclamunrar to follow the same fate.
> > 
> 
> Just to be completely sure, "follow the same fate" here means leaving
> libclamunrar in (o-)p-u until the point releases?

I mean there is no reason to push libclamunrar via d/updates if the
unrar package isn't. Therefore I don't mind keeping libclamunrar in
(o-)p-u until the point release. It is non-free after all.

> I assume the bundled library isn't used as-is in the Debian packaging,
> that being why libclamunrar exists.

The last time I looked, the src:unrar package either didn't provide the
library or something else was different. So I tried to replace it with
libarchive but upstream wasn't pleased because it did not support some
"newer" rar formats. But now (as of the recent CVE) I was looking again,
noticed the library and noticed that clamav upstream already fiddled
with their in-tree copy. However I will spend some cycles to see if the
in-tree library can be used. If it works then it will lower the amount
of swearing needed during packaging of a new version.

> Regards,
> 
> Adam

Sebastian



Bug#1051884: bullseye-pu: package openssl/1.1.1w-0~deb11u1

2023-09-13 Thread Sebastian Andrzej Siewior
l-1.1.1w/crypto/poly1305/asm/poly1305-x86_64.pl	2023-09-11 16:08:11.0 +0200
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -193,7 +193,7 @@
 	bt	\$`5+32`,%r9		# AVX2?
 	cmovc	%rax,%r10
 ___
-$code.=<<___	if ($avx>3);
+$code.=<<___	if ($avx>3 && !$win64);
 	mov	\$`(1<<31|1<<21|1<<16)`,%rax
 	shr	\$32,%r9
 	and	%rax,%r9
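Review bot: gating the AVX512 dispatch on `!$win64` sidesteps the problem on Windows rather than fixing the AVX512 routine's prologue/epilogue, so the reason should be recorded in a comment next to the condition (the NEWS entry in this diff ties it to CVE-2023-4807, corrupted XMM registers on Windows); without that, a later cleanup that re-enables the path on win64 would reintroduce the bug with nothing in the source to warn against it.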
@@ -2722,7 +2722,7 @@
 .cfi_endproc
 .size	poly1305_blocks_avx512,.-poly1305_blocks_avx512
 ___
-if ($avx>3) {
+if ($avx>3 && !$win64) {
 
 # VPMADD52 version using 2^44 radix.
 #
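Review bot: this is the second place that has to carry exactly the same condition as the dispatch code above; computing it once, e.g. `my $avx512 = ($avx>3 && !$win64);`, and using that variable in both places removes the risk of the two drifting apart (one path emitted, the other not selected, or vice versa) on a future edit.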
diff -Nru openssl-1.1.1v/crypto/rsa/rsa_ameth.c openssl-1.1.1w/crypto/rsa/rsa_ameth.c
--- openssl-1.1.1v/crypto/rsa/rsa_ameth.c	2023-08-01 15:51:35.0 +0200
+++ openssl-1.1.1w/crypto/rsa/rsa_ameth.c	2023-09-11 16:08:11.0 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -82,13 +82,16 @@
 if (!rsa_param_encode(pkey, , ))
 return 0;
 penclen = i2d_RSAPublicKey(pkey->pkey.rsa, );
-if (penclen <= 0)
+    if (penclen <= 0) {
+ASN1_STRING_free(str);
 return 0;
+}
 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
strtype, str, penc, penclen))
 return 1;
 
 OPENSSL_free(penc);
+ASN1_STRING_free(str);
 return 0;
 }
 
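Review bot: the two added `ASN1_STRING_free(str)` calls close the leak on the `i2d_RSAPublicKey` failure path and on the `X509_PUBKEY_set0_param` failure path; what makes freeing only on those paths correct is that on success `X509_PUBKEY_set0_param` takes ownership of both `str` and `penc`. That ownership transfer is not stated anywhere in the visible code, and a one-line comment at the `return 1` would save the next reader from "fixing" it with a free on the success path. `ASN1_STRING_free` accepts NULL, so the new calls are also safe when no parameters were encoded.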
diff -Nru openssl-1.1.1v/debian/changelog openssl-1.1.1w/debian/changelog
--- openssl-1.1.1v/debian/changelog	2023-08-26 13:17:12.0 +0200
+++ openssl-1.1.1w/debian/changelog	2023-09-13 21:21:33.0 +0200
@@ -1,3 +1,9 @@
+openssl (1.1.1w-0~deb11u1) bullseye; urgency=medium
+
+  * Import 1.1.1w
+
+ -- Sebastian Andrzej Siewior   Wed, 13 Sep 2023 21:21:33 +0200
+
 openssl (1.1.1v-0~deb11u1) bullseye; urgency=medium
 
   * Import 1.1.1v
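Review bot: the `1.1.1w-0~deb11u1` version string sorts below `1.1.1w`, so any package with a dependency of the form `>= 1.1.1w` (the udebs used by the installer, as reported later in this bug) will not be satisfied by this upload; the `-0+deb11u1` form, which sorts above `1.1.1w`, is the one to use for a new-upstream stable update.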
diff -Nru openssl-1.1.1v/doc/man3/CMS_sign.pod openssl-1.1.1w/doc/man3/CMS_sign.pod
--- openssl-1.1.1v/doc/man3/CMS_sign.pod	2023-08-01 15:51:35.0 +0200
+++ openssl-1.1.1w/doc/man3/CMS_sign.pod	2023-09-11 16:08:11.0 +0200
@@ -95,7 +95,7 @@
 suitable for many purposes. For finer control of the output format the
 B, B and B parameters can all be B and the
 B flag set. Then one or more signers can be added using the
-function CMS_sign_add1_signer(), non default digests can be used and custom
+function CMS_add1_signer(), non default digests can be used and custom
 attributes added. CMS_final() must then be called to finalize the
 structure if streaming is not enabled.
 
@@ -119,7 +119,7 @@
 
 =head1 COPYRIGHT
 
-Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -Nru openssl-1.1.1v/include/openssl/opensslv.h openssl-1.1.1w/include/openssl/opensslv.h
--- openssl-1.1.1v/include/openssl/opensslv.h	2023-08-01 15:51:35.0 +0200
+++ openssl-1.1.1w/include/openssl/opensslv.h	2023-09-11 16:08:11.0 +0200
@@ -39,8 +39,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x1010116fL
-# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1v  1 Aug 2023"
+# define OPENSSL_VERSION_NUMBER  0x1010117fL
+# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1w  11 Sep 2023"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
diff -Nru openssl-1.1.1v/NEWS openssl-1.1.1w/NEWS
--- openssl-1.1.1v/NEWS	2023-08-01 15:51:35.0 +0200
+++ openssl-1.1.1w/NEWS	2023-09-11 16:08:11.0 +0200
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023]
+
+  o Fix POLY1305 MAC implementation corrupting XMM registers on Windows
+(CVE-2023-4807)
+
   Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023]
 
   o Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
diff -Nru openssl-1.1.1v/README openssl-1.1.1w/README
--- openssl-1.1.1v/README	2023-08-01 15:51:35.0 +0200
+++ openssl-1.1.1w/README	2023-09-11 16:08:11

Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1

2023-09-13 Thread Sebastian Andrzej Siewior
On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> How does this sound for an SUA?
> 
> ===
> Package  : clamav
> Version  : 1.0.3+dfsg-1~deb12u1 [bookworm]
>0.103.10+dfsg-0+deb11u1 [bullseye]
> Importance   : medium
> 
> ClamAV is an AntiVirus toolkit for Unix.
> 
> Upstream published versions 1.0.3 and 0.103.10.
> 
> This is a bug-fix release and an upstream LTS release. The changes are not
> currently required for operation, but upstream strongly recommends that users
> update.
> 
> Changes since 1.0.1 and 0.103.8 currently in bookworm and bullseye include
> fixes for a security issue:
> 
> CVE-2023-20197: Possible denial of service vulnerability in the HFS+
> file parser.
> 
> The update for bookworm also includes a fix for a second security issue:
> 
> CVE-2023-20212: Possible denial of service vulnerability in the AutoIt
> module.
> 
> If you use clamav, we recommend that you install this update.
> ===
> 
> I'm not entirely happy with the CVE section, but not sure how else to
> present it, given that both updates fix one issue but aiui the second
> only applies to bookworm.

This sounds entirely fine to me. I don't think that it is needed to
point out that bullseye is not affected by the second issue.

There is also this thing regarding libclamunrar and the update to
v6.2.10 of the bundled library. I *think* it is related to
CVE-2023-40477. Since unrar itself is only in -pu I think it is okay for
libclamunrar to follow the same fate.

> Regards,
> 
> Adam

Sebastian



Bug#1050639: bookworm-pu: package clamav/1.0.2+dfsg-1~deb12u1

2023-09-09 Thread Sebastian Andrzej Siewior
On 2023-08-27 13:20:01 [+0200], To sub...@bugs.debian.org wrote:
> Package: release.debian.org
> Control: affects -1 + src:clamav
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: bookworm
> Severity: normal

This is a quick update: I updated to 1.0.3+dfsg-1~deb12u1 as of
today. The diff is mostly a version update. I additionally removed a log
line from freshclam which logged harmless 304 "not modified" requests.
This line was added in 1.0.0 and people complained; it got in as of
1.0.0 and is already removed in 1.1.x and later.

The main reason for 1.0.3 was the unrar update and I updated so clamav
does not complain about the lower version.

It would be nice if this could be made available via d/updates.

Sebastian
diff -Nru clamav-1.0.2+dfsg/CMakeLists.txt clamav-1.0.3+dfsg/CMakeLists.txt
--- clamav-1.0.2+dfsg/CMakeLists.txt	2023-08-16 00:24:07.0 +0200
+++ clamav-1.0.3+dfsg/CMakeLists.txt	2023-08-25 23:18:34.0 +0200
@@ -22,7 +22,7 @@
 set(VERSION_SUFFIX "")
 
 project( ClamAV
- VERSION "1.0.2"
+ VERSION "1.0.3"
  DESCRIPTION "ClamAV open source email, web, and end-point anti-virus toolkit." )
 
 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})
diff -Nru clamav-1.0.2+dfsg/debian/changelog clamav-1.0.3+dfsg/debian/changelog
--- clamav-1.0.2+dfsg/debian/changelog	2023-08-27 11:35:11.0 +0200
+++ clamav-1.0.3+dfsg/debian/changelog	2023-09-09 16:36:13.0 +0200
@@ -1,3 +1,10 @@
+clamav (1.0.3+dfsg-1~deb12u1) bookworm; urgency=medium
+
+  * Import 1.0.3
+  * Remove unnecessary warning messages in freshclam during update.
+
+ -- Sebastian Andrzej Siewior   Sat, 09 Sep 2023 16:36:13 +0200
+
 clamav (1.0.2+dfsg-1~deb12u1) bookworm; urgency=medium
 
   * Import 1.0.2 (Closes: #1050057)
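Review bot: the second changelog entry, "Remove unnecessary warning messages in freshclam during update", gives neither a bug number nor the upstream commit it backports, although the cover mail says the removal already exists in 1.1.x; a `Closes:` or the upstream commit id in the changelog (or a `debian/patches` header) makes the backport traceable when the next point release is prepared.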
diff -Nru clamav-1.0.2+dfsg/debian/.git-dpm clamav-1.0.3+dfsg/debian/.git-dpm
--- clamav-1.0.2+dfsg/debian/.git-dpm	2023-08-27 11:35:11.0 +0200
+++ clamav-1.0.3+dfsg/debian/.git-dpm	2023-09-09 16:35:33.0 +0200
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-de9cef7ab6e5a57247f9598340a0e64869429870
-de9cef7ab6e5a57247f9598340a0e64869429870
-7b4b490a9f8c93c9ef66c8d34be648796dd9f7bd
-7b4b490a9f8c93c9ef66c8d34be648796dd9f7bd
-clamav_1.0.2+dfsg.orig.tar.xz
-c845d2c777adda943e7421c601924e1bee1864a8
-14134372
+b6798c1c1c1bd4e43f1ffbc36748adb5cf07787a
+b6798c1c1c1bd4e43f1ffbc36748adb5cf07787a
+6aeff1ef1ff425a1a201d8e3f2c5b8b1f8a60fdb
+6aeff1ef1ff425a1a201d8e3f2c5b8b1f8a60fdb
+clamav_1.0.3+dfsg.orig.tar.xz
+329456b2e5930a422859b00ed0e08cc8ab53e2b3
+14191252
diff -Nru clamav-1.0.2+dfsg/debian/libclamav11.symbols clamav-1.0.3+dfsg/debian/libclamav11.symbols
--- clamav-1.0.2+dfsg/debian/libclamav11.symbols	2023-08-27 11:35:11.0 +0200
+++ clamav-1.0.3+dfsg/debian/libclamav11.symbols	2023-09-09 16:36:13.0 +0200
@@ -1,25 +1,25 @@
 libclamav.so.11 libclamav11 #MINVER#
 * Build-Depends-Package: libclamav-dev
- CLAMAV_PRIVATE@CLAMAV_PRIVATE 1.0.2
+ CLAMAV_PRIVATE@CLAMAV_PRIVATE 1.0.3
  CLAMAV_PUBLIC@CLAMAV_PUBLIC 1.0.0
- __cli_strcasestr@CLAMAV_PRIVATE 1.0.2
- __cli_strndup@CLAMAV_PRIVATE 1.0.2
- __cli_strnlen@CLAMAV_PRIVATE 1.0.2
- __cli_strnstr@CLAMAV_PRIVATE 1.0.2
- base64Flush@CLAMAV_PRIVATE 1.0.2
- blobAddData@CLAMAV_PRIVATE 1.0.2
- blobCreate@CLAMAV_PRIVATE 1.0.2
- blobDestroy@CLAMAV_PRIVATE 1.0.2
- cl_ASN1_GetTimeT@CLAMAV_PRIVATE 1.0.2
+ __cli_strcasestr@CLAMAV_PRIVATE 1.0.3
+ __cli_strndup@CLAMAV_PRIVATE 1.0.3
+ __cli_strnlen@CLAMAV_PRIVATE 1.0.3
+ __cli_strnstr@CLAMAV_PRIVATE 1.0.3
+ base64Flush@CLAMAV_PRIVATE 1.0.3
+ blobAddData@CLAMAV_PRIVATE 1.0.3
+ blobCreate@CLAMAV_PRIVATE 1.0.3
+ blobDestroy@CLAMAV_PRIVATE 1.0.3
+ cl_ASN1_GetTimeT@CLAMAV_PRIVATE 1.0.3
  cl_always_gen_section_hash@CLAMAV_PUBLIC 1.0.0
- cl_base64_decode@CLAMAV_PRIVATE 1.0.2
- cl_base64_encode@CLAMAV_PRIVATE 1.0.2
- cl_cleanup_crypto@CLAMAV_PRIVATE 1.0.2
+ cl_base64_decode@CLAMAV_PRIVATE 1.0.3
+ cl_base64_encode@CLAMAV_PRIVATE 1.0.3
+ cl_cleanup_crypto@CLAMAV_PRIVATE 1.0.3
  cl_countsigs@CLAMAV_PUBLIC 1.0.0
  cl_cvdfree@CLAMAV_PUBLIC 1.0.0
  cl_cvdhead@CLAMAV_PUBLIC 1.0.0
  cl_cvdparse@CLAMAV_PUBLIC 1.0.0
- cl_cvdunpack@CLAMAV_PRIVATE 1.0.2
+ cl_cvdunpack@CLAMAV_PRIVATE 1.0.3
  cl_cvdverify@CLAMAV_PUBLIC 1.0.0
  cl_debug@CLAMAV_PUBLIC 1.0.0
  cl_engine_addref@CLAMAV_PUBLIC 1.0.0
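Review bot: every CLAMAV_PRIVATE symbol is re-versioned to 1.0.3 while the CLAMAV_PUBLIC entries stay at 1.0.0, which is the expected shape for a point release with no public ABI change; a reverse dependency that links one of the private symbols would however get a tightened `libclamav11 (>= 1.0.3)` dependency from this, so a short note in d/changelog would help the stable release managers.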
@@ -28,7 +28,7 @@
  cl_engine_get_num@CLAMAV_PUBLIC 1.0.0
  cl_engine_get_str@CLAMAV_PUBLIC 1.0.0
  cl_engine_new@CLAMAV_PUBLIC 1.0.0
- cl_engine_set_clcb_engine_compile_progress@CLAMAV_PRIVATE 1.0.2
+ cl_engine_set_clcb_engine_compile_progress@CLAMAV_PRIVATE 1.0.3
  cl_engine_set_clcb_file_inspection@CLAMAV_PUBLIC 1.0.0
  cl_engine_set_clcb_file_props@CLAMAV_PUBLIC 1.0.0
  cl_engine_set_clcb_hash@CLAMAV_PUBLIC 1.0.0
@@ -37,7 +37,7 @@
  cl_engine_set_clcb_pre_cache@CLAMAV_PUBLIC 1.0.0
  cl_engine_set_clcb_pre_scan@CLAMAV_PUBLIC 1.0.0
  cl_engine_set_clcb_sigload@

Bug#1050638: bullseye-pu: package clamav/0.103.9+dfsg-0+deb11u1

2023-09-09 Thread Sebastian Andrzej Siewior
uot;\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.9
+ClamAV config.status 0.103.10
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru clamav-0.103.9+dfsg/configure.ac clamav-0.103.10+dfsg/configure.ac
--- clamav-0.103.9+dfsg/configure.ac	2023-08-27 11:44:51.0 +0200
+++ clamav-0.103.10+dfsg/configure.ac	2023-09-09 16:39:23.0 +0200
@@ -22,7 +22,7 @@
 
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.103.9], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
+AC_INIT([ClamAV], [0.103.10], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
 
 dnl put configure auxiliary into config
 AC_CONFIG_AUX_DIR([config])
diff -Nru clamav-0.103.9+dfsg/debian/changelog clamav-0.103.10+dfsg/debian/changelog
--- clamav-0.103.9+dfsg/debian/changelog	2023-08-27 11:57:11.0 +0200
+++ clamav-0.103.10+dfsg/debian/changelog	2023-09-09 17:25:07.0 +0200
@@ -1,3 +1,9 @@
+clamav (0.103.10+dfsg-0+deb11u1) bullseye; urgency=medium
+
+  * Import 0.103.10
+
+ -- Sebastian Andrzej Siewior   Sat, 09 Sep 2023 17:25:07 +0200
+
 clamav (0.103.9+dfsg-0+deb11u1) bullseye; urgency=medium
 
   * Import 0.103.9
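Review bot: `* Import 0.103.10` documents nothing about the content of the update; the 2023-09-08 mail in this thread says the 0.103.9..0.103.10 difference is only the bundled unrar update with no clamav code change, and that is exactly what the point-release notes need, so add it as a sub-item (plus a `Closes:` or CVE reference if one applies, as the 0.103.8 entry in the earlier debdiff does).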
diff -Nru clamav-0.103.9+dfsg/debian/.git-dpm clamav-0.103.10+dfsg/debian/.git-dpm
--- clamav-0.103.9+dfsg/debian/.git-dpm	2023-08-27 11:51:51.0 +0200
+++ clamav-0.103.10+dfsg/debian/.git-dpm	2023-09-09 17:20:39.0 +0200
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-399cd45b987e0c25de2d54d23bbe9c043d7a6aad
-399cd45b987e0c25de2d54d23bbe9c043d7a6aad
-a13348d8210b0066d32493c325eb3f7d7df44fef
-a13348d8210b0066d32493c325eb3f7d7df44fef
-clamav_0.103.9+dfsg.orig.tar.xz
-cad4f441d66f57747575542534b27ac133a1e4b6
-7141568
+db5f3da8cd11befe230cc11e2fbebf61f26416ac
+db5f3da8cd11befe230cc11e2fbebf61f26416ac
+74e7333802c041f37048b27ce29a2da8c669301c
+74e7333802c041f37048b27ce29a2da8c669301c
+clamav_0.103.10+dfsg.orig.tar.xz
+2a46a0a56992290dfe49774af46db4937c7dccac
+7142116
diff -Nru clamav-0.103.9+dfsg/debian/libclamav9.symbols clamav-0.103.10+dfsg/debian/libclamav9.symbols
--- clamav-0.103.9+dfsg/debian/libclamav9.symbols	2023-08-27 11:57:11.0 +0200
+++ clamav-0.103.10+dfsg/debian/libclamav9.symbols	2023-09-09 17:25:07.0 +0200
@@ -1,20 +1,20 @@
 libclamav.so.9 libclamav9 #MINVER#
 * Build-Depends-Package: libclamav-dev
- CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.9
+ CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.10
  CLAMAV_PUBLIC@CLAMAV_PUBLIC 0.101.0
- __cli_strcasestr@CLAMAV_PRIVATE 0.103.9
- __cli_strndup@CLAMAV_PRIVATE 0.103.9
- __cli_strnlen@CLAMAV_PRIVATE 0.103.9
- __cli_strnstr@CLAMAV_PRIVATE 0.103.9
- base64Flush@CLAMAV_PRIVATE 0.103.9
- blobAddData@CLAMAV_PRIVATE 0.103.9
- blobCreate@CLAMAV_PRIVATE 0.103.9
- blobDestroy@CLAMAV_PRIVATE 0.103.9
- cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.9
+ __cli_strcasestr@CLAMAV_PRIVATE 0.103.10
+ __cli_strndup@CLAMAV_PRIVATE 0.103.10
+ __cli_strnlen@CLAMAV_PRIVATE 0.103.10
+ __cli_strnstr@CLAMAV_PRIVATE 0.103.10
+ base64Flush@CLAMAV_PRIVATE 0.103.10
+ blobAddData@CLAMAV_PRIVATE 0.103.10
+ blobCreate@CLAMAV_PRIVATE 0.103.10
+ blobDestroy@CLAMAV_PRIVATE 0.103.10
+ cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.10
  cl_always_gen_section_hash@CLAMAV_PUBLIC 0.101.0
- cl_base64_decode@CLAMAV_PRIVATE 0.103.9
- cl_base64_encode@CLAMAV_PRIVATE 0.103.9
- cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.9
+ cl_base64_decode@CLAMAV_PRIVATE 0.103.10
+ cl_base64_encode@CLAMAV_PRIVATE 0.103.10
+ cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.10
  cl_countsigs@CLAMAV_PUBLIC 0.101.0
  cl_cvdfree@CLAMAV_PUBLIC 0.101.0
  cl_cvdhead@CLAMAV_PUBLIC 0.101.0
@@ -54,19 +54,19 @@
  cl_fmap_close@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_handle@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_memory@CLAMAV_PUBLIC 0.101.0
- cl_get_pkey_file@CLAMAV_PRIVATE 0.103.9
- cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.9
- cl_hash_data@CLAMAV_PRIVATE 0.103.9
+ cl_get_pkey_file@CLAMAV_PRIVATE 0.103.10
+ cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.10
+ cl_hash_data@CLAMAV_PRIVATE 0.103.10
  cl_hash_destroy@CLAMAV_PUBLIC 0.101.0
- cl_hash_file_fd@CLAMAV_PRIVATE 0.103.9
- cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.9
- cl_hash_file_fp@CLAMAV_PRIVATE 0.103.9
+ cl_hash_file_fd@CLAMAV_PRIVATE 0.103.10
+ cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.10
+ cl_hash_file_fp@CLAMAV_PRIVATE 0.103.10
  cl_hash_init@CLAMAV_PUBLIC 0.101.0
  cl_init@CLAMAV_PUBLIC 0.101.0
- cl_initialize_crypto@CLAMAV_PRIVATE 0.103.9
+ cl_initialize_crypto@CLAMAV_PRIVATE 0.103.10
  cl_load@CLAMAV_PUBLIC 0.101.0
- cl_load_cert@CLAMAV_PRIVATE 0.103.9
- cl_load_crl@CLAMAV_PRIVATE 0.103.9
+ cl_load_cert@CLAMAV_PRIVATE 0.103.10
+ cl_load_crl@CLAMAV_PRIVATE 0.103.10
  cl_retdbdir@CLAMAV_PUBLIC 0.101.0
  cl_retflevel@CLAMAV_PUBLIC 0.103.8
  cl_retver@CLAMAV_PUBLIC 0.101.0
@@ -76,196 +76,196 @@
  cl_scanfile_callback@CLAMAV_PUBLIC 0.101.0
  cl_scanmap_callback@CLAMAV_PUBLIC

Bug#1050638: bullseye-pu: package clamav/0.103.9+dfsg-0+deb11u1

2023-09-08 Thread Sebastian Andrzej Siewior
On 2023-09-04 21:18:35 [+0200], To Adam D. Barratt wrote:
> > The next point release for both bullseye and bookworm is in a month.
> > Were you looking to have the clamav updates published via -updates
> > before that point?
> 
> I almost started preparing 0.103.10; I think it will be easier to go with
> that one instead…

So I managed to prepare the libclamunrar bits. The clamav diff 9 .. 10
is only the update of the unrar bits (same for the Bookworm version).
Regardless of this zero diff of the clamav bits I'm going to prepare a
new version anyway because I *think* people will complain because they will
point out the outdated version…
However not today, but tomorrow is also a day…
 
> > Regards,
> > 
> > Adam

Sebastian



Bug#1050573: bullseye-pu: package openssl/1.1.1v-0~deb11u1

2023-09-07 Thread Sebastian Andrzej Siewior
On 2023-08-26 14:50:09 [+0200], To sub...@bugs.debian.org wrote:
> This is an update of the openssl package to the 1.1.1v version, a patch 
> release

Upstream announced that they will release 1.1.1w on 11th September. They said it is
a "security-fix" with the highest severity defined as "low". This is
also the case for the current two CVEs. Therefore I assume that they
don't have to be fixed asap (i.e. via -security).
Also it will be the last 1.1.1 release since it will reach EOL on the
11th. I will prepare an update…

The upstream announcement:

https://mta.openssl.org/pipermail/openssl-announce/2023-September/000271.html

Sebastian



Bug#1051084: bookworm-pu: package kernelshark/2.2.1-1~deb12u1

2023-09-05 Thread Sebastian Andrzej Siewior
On 2023-09-05 17:36:41 [+0100], Jonathan Wiltshire wrote:
> 
> Please go ahead.

Thanks, done.

> Thanks,

Sebastian



Bug#1050638: bullseye-pu: package clamav/0.103.9+dfsg-0+deb11u1

2023-09-04 Thread Sebastian Andrzej Siewior
On 2023-09-04 19:52:23 [+0100], Adam D. Barratt wrote:
> On Sun, 2023-08-27 at 13:20 +0200, Sebastian Andrzej Siewior wrote:
> > This is a stable update from clamav upstream in the 0.103.x series.
> > It fixes the following CVE
> > - CVE-2023-20197 (Possible DoS in HFS+ file parser).
> > 
> 
> The next point release for both bullseye and bookworm is in a month.
> Were you looking to have the clamav updates published via -updates
> before that point?

I almost started preparing 0.103.10; I think it will be easier to go with
that one instead…

> Regards,
> 
> Adam

Sebastian



Bug#1051084: bookworm-pu: package kernelshark/2.2.1-1~deb12u1

2023-09-02 Thread Sebastian Andrzej Siewior
Package: release.debian.org
Control: affects -1 + src:kernelshark
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

Upstream released a new version which contains two fixes:
- kernel-shark: Fix segfault in libkshark-tepdata
  
https://git.kernel.org/pub/scm/utils/trace-cmd/kernel-shark.git/commit/?id=9f2097c9669fb7d5f72351343f34fb86649d1365
- kernel-shark: Fix Capture if directory contains space
  
https://git.kernel.org/pub/scm/utils/trace-cmd/kernel-shark.git/commit/?id=e2dc994a60e539e2db3ea9dd58fb11bf18255051

The former is critical since a lot of traces are affected by this bug
which results in a segfault of kernelshark. The latter is nice to have and
easy to review.
I didn't figure out why some traces are affected and some are not.
Kurt tested the 2.2.1 version before reporting #1049866 and confirmed
that the problems are gone.
The 2.2.1 version has been uploaded to unstable and testing by Sudipm.
He also uploaded the 2.2.1 version to Bookworm-Backports. However, given
the impact of the bug and code change I think it is best to address it in
Bookworm. Otherwise every regular user has to figure out that it is
fixed in -bpo and enable it.

Besides the new upstream version, the update also contains an updated
package description. This package (kernelshark) is basically a front end
for the output of the trace data recorded by trace-cmd and does not
contain the utility (as claimed by the package description).

I didn't do any additional changes compared to what is in unstable. If this
update is approved then I would file a rm for the bpo version which is
superseded.

Sebastian
diff -Nru kernelshark-2.2.0/bin/kshark-su-record kernelshark-2.2.1/bin/kshark-su-record
--- kernelshark-2.2.0/bin/kshark-su-record	2023-01-21 11:42:13.0 +0100
+++ kernelshark-2.2.1/bin/kshark-su-record	2023-06-07 19:46:20.0 +0200
@@ -2,4 +2,4 @@
 
 xhost +si:localuser:root &>/dev/null
 
-pkexec kshark-record -o ${PWD}/trace.dat
+pkexec kshark-record -o "${PWD}/trace.dat"
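Review bot: quoting `"${PWD}/trace.dat"` is the right fix for a working directory containing a space, but the unchanged `xhost +si:localuser:root &>/dev/null` line two above uses the bash-only `&>` redirection; the shebang is outside this hunk, so confirm it is bash, since a POSIX sh would parse that line as `xhost ... &` followed by a bare `>/dev/null`, backgrounding xhost and leaving its output unsuppressed.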
diff -Nru kernelshark-2.2.0/CMakeLists.txt kernelshark-2.2.1/CMakeLists.txt
--- kernelshark-2.2.0/CMakeLists.txt	2023-01-21 11:42:13.0 +0100
+++ kernelshark-2.2.1/CMakeLists.txt	2023-06-07 19:46:20.0 +0200
@@ -7,7 +7,7 @@
 set(KS_APP_NAME "kernelshark")
 set(KS_VERSION_MAJOR 2)
 set(KS_VERSION_MINOR 2)
-set(KS_VERSION_PATCH 0)
+set(KS_VERSION_PATCH 1)
 set(KS_VERSION_STRING ${KS_VERSION_MAJOR}.${KS_VERSION_MINOR}.${KS_VERSION_PATCH})
 message("\n project: Kernel Shark: (version: ${KS_VERSION_STRING})\n")
 
diff -Nru kernelshark-2.2.0/debian/changelog kernelshark-2.2.1/debian/changelog
--- kernelshark-2.2.0/debian/changelog	2023-05-05 21:37:24.0 +0200
+++ kernelshark-2.2.1/debian/changelog	2023-09-02 15:29:41.0 +0200
@@ -1,3 +1,12 @@
+kernelshark (2.2.1-1~deb12u1) bookworm; urgency=medium
+
+  [ Sudip Mukherjee ]
+  * New upstream version 2.2.1 (Closes: #1049866)
+- Update links for version update.
+  * Fix package description. (Closes: #1028585)
+
+ -- Sebastian Andrzej Siewior   Sat, 02 Sep 2023 15:29:41 +0200
+
 kernelshark (2.2.0-2) unstable; urgency=medium
 
   * Fix symlink names. (Closes: #1035449)
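Review bot: the 2.2.1-1~deb12u1 stanza carries only the `[ Sudip Mukherjee ]` items from the unstable upload and no line from the signer saying that this is the 2.2.1-1 packaging uploaded to bookworm; add something like `  * Rebuild for bookworm.` under the uploader's own name so the entry explains the ~deb12u1 suffix, and so that the description fix (Closes: #1028585) is visibly part of this stable update rather than an unrelated unstable change.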
diff -Nru kernelshark-2.2.0/debian/control kernelshark-2.2.1/debian/control
--- kernelshark-2.2.0/debian/control	2023-02-05 01:46:52.0 +0100
+++ kernelshark-2.2.1/debian/control	2023-08-16 22:00:24.0 +0200
@@ -29,9 +29,9 @@
 Depends: ${shlibs:Depends}, ${misc:Depends},
  trace-cmd (>= 2.9.3), fonts-freefont-ttf,
  pkexec
-Description: Utility for retrieving and analyzing function tracing in the kernel
- This package contains the trace-cmd utility. Trace-cmd makes it easy to
- retrieve and analyze function traces from the Linux kernel while it is running.
+Description: Utilities for graphically analyzing function tracing in the kernel
+ KernelShark is a front end reader of trace-cmd output. It reads a trace-cmd.dat
+ formatted file and produces a graph and list view of the data.
 
 Package: libkshark2
 Section: libs
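Review bot: the new long description calls the input a "trace-cmd.dat formatted file", while the kshark-su-record script in this same debdiff writes `trace.dat`; wording it as "a trace.dat file produced by trace-cmd" keeps the description consistent with the real file name, and it is worth checking whether the plural "Utilities" in the new synopsis is intended.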
diff -Nru kernelshark-2.2.0/debian/libkshark2.links kernelshark-2.2.1/debian/libkshark2.links
--- kernelshark-2.2.0/debian/libkshark2.links	2023-05-05 21:05:16.0 +0200
+++ kernelshark-2.2.1/debian/libkshark2.links	2023-08-16 21:55:47.0 +0200
@@ -1,2 +1,2 @@
-usr/lib/${DEB_HOST_MULTIARCH}/libkshark-gui.so.2.2.0 usr/lib/${DEB_HOST_MULTIARCH}/libkshark-gui.so.2
-usr/lib/${DEB_HOST_MULTIARCH}/libkshark-plot.so.2.2.0 usr/lib/${DEB_HOST_MULTIARCH}/libkshark-plot.so.2
+usr/lib/${DEB_HOST_MULTIARCH}/libkshark-gui.so.2.2.1 usr/lib/${DEB_HOST_MULTIARCH}/libkshark-gui.so.2
+usr/lib/${DEB_HOST_MULTIARCH}/libkshark-plot.so.2.2.1 usr/lib/${DEB_HOST_MULTIARCH}/libkshark-plot.so.2
diff -Nru kernelshark-2.2.0/src/libkshark-tepdata.c kernelshark-2.2.1/src/libkshark-tepdata.c
--- kernelshark-2.2.0/src/libkshark-tepdata.c	2023-01-21 11:42:13.0 +0100
+++ kernelshark-2.2.1/src/libkshark-tepda

Bug#1050638: bullseye-pu: package clamav/0.103.9+dfsg-0+deb11u1

2023-08-27 Thread Sebastian Andrzej Siewior
.0 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for ClamAV 0.103.8.
+# Generated by GNU Autoconf 2.69 for ClamAV 0.103.9.
 #
 # Report bugs to <https://github.com/Cisco-Talos/clamav/issues>.
 #
@@ -592,8 +592,8 @@
 # Identity of this package.
 PACKAGE_NAME='ClamAV'
 PACKAGE_TARNAME='clamav'
-PACKAGE_VERSION='0.103.8'
-PACKAGE_STRING='ClamAV 0.103.8'
+PACKAGE_VERSION='0.103.9'
+PACKAGE_STRING='ClamAV 0.103.9'
 PACKAGE_BUGREPORT='https://github.com/Cisco-Talos/clamav/issues'
 PACKAGE_URL='https://www.clamav.net/'
 
@@ -1606,7 +1606,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures ClamAV 0.103.8 to adapt to many kinds of systems.
+\`configure' configures ClamAV 0.103.9 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1687,7 +1687,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of ClamAV 0.103.8:";;
+ short | recursive ) echo "Configuration of ClamAV 0.103.9:";;
esac
   cat <<\_ACEOF
   --enable-dependency-tracking
@@ -1922,7 +1922,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-ClamAV configure 0.103.8
+ClamAV configure 0.103.9
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2550,7 +2550,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by ClamAV $as_me 0.103.8, which was
+It was created by ClamAV $as_me 0.103.9, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4308,7 +4308,7 @@
 
 # Define the identity of the package.
  PACKAGE='clamav'
- VERSION='0.103.8'
+ VERSION='0.103.9'
 
 
 # Some tools Automake needs.
@@ -6036,7 +6036,7 @@
 $as_echo "#define PACKAGE PACKAGE_NAME" >>confdefs.h
 
 
-VERSION="0.103.8"
+VERSION="0.103.9"
 
 major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/^0-9//g"`
 minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/^0-9//g"`
@@ -20018,7 +20018,7 @@
   ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
&& (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 
-int crashtest()
+int crashtest(void)
 {
 	unsigned int backsize, dcur;
 	int dval=0x12000, unp_offset;
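Review bot: `int crashtest(void)` is the correct form (an empty parameter list leaves the function unprototyped in C), but this hunk is in the generated `configure`; the configure.ac hunk further down in this debdiff only touches AC_INIT, so confirm the prototype fix also lives in the autoconf source (configure.ac or an m4 fragment), otherwise it is lost at the next autoreconf.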
@@ -31896,7 +31896,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.103.8, which was
+This file was extended by ClamAV $as_me 0.103.9, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -31963,7 +31963,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.8
+ClamAV config.status 0.103.9
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -34813,7 +34813,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.103.8, which was
+This file was extended by ClamAV $as_me 0.103.9, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -34880,7 +34880,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.8
+ClamAV config.status 0.103.9
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru clamav-0.103.8+dfsg/configure.ac clamav-0.103.9+dfsg/configure.ac
--- clamav-0.103.8+dfsg/configure.ac	2023-02-17 21:22:49.0 +0100
+++ clamav-0.103.9+dfsg/configure.ac	2023-08-27 11:44:51.0 +0200
@@ -22,7 +22,7 @@
 
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.103.8], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
+AC_INIT([ClamAV], [0.103.9], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
 
 dnl put configure auxiliary into config
 AC_CONFIG_AUX_DIR([config])
diff -Nru clamav-0.103.8+dfsg/debian/changelog clamav-0.103.9+dfsg/debian/changelog
---

Bug#1050573: bullseye-pu: package openssl/1.1.1v-0~deb11u1

2023-08-26 Thread Sebastian Andrzej Siewior
On 2023-08-26 14:50:09 [+0200], To sub...@bugs.debian.org wrote:
> Package: release.debian.org
> Control: affects -1 + src:openssl
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: bullseye
> Severity: normal
> 
> This is an update of the openssl package to the 1.1.1v version, a patch 
> release
> (bug and security fixes). This has been long overdue and was delayed on
> my side mostly due to bad timing.
> This update contains fixes for the following CVEs:
> 
>  - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
>  - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
> 
> The NEWS/ CHANGES file lists more CVEs but those have been already
> fixed via d-security. These two have been rated as minor and are part of
> this pu.
> 
> Besides security fixes, this update contains non-CVE/security related
> fixes.
> I deployed this release on a handful of buster/bullseye servers of mine
> with no known problems. Also I've seen no "regression" fixes on top in
> upstream's 1.1.1 branch. I am not (knowingly) able to run debci tests to
> comment on this. That said, I am not aware of a regression but willing
> to look into it should something pop up.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable

Just a friendly note that this has been filed but did not make it to
the list.
 
Sebastian



Bug#1035310: bullseye-pu: package xz-utils/5.2.11-0~deb11u1

2023-06-27 Thread Sebastian Andrzej Siewior
On 2023-06-26 18:10:57 [+0100], Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
> 
> You're both going to have to help me a) understand what is the user-facing
> problem you're solving which is necessary to fix in stable and b) whether
> you're both agreed on how to fix it.

a) The bpo of manpages-de and manpages-fr contains a manpage for xz. The
   regular (non-bpo) package does not contain such a man-page nor does
   the package in the following stable contain this man-page.
   The user facing problem is the installation of both
   manpages-de|manpages-fr and xz-utils/5.2.11-0~deb11u1 because both
   provide the same man-page/file and dpkg doesn't like that.

b) I *think* we agreed on removing the man-pages from bpo of
   manpages-[de|fr] in the next upload if the upload of
   xz-utils/5.2.11-0~deb11u1 is confirmed. Otherwise it makes no sense
   to do anything, the upgrade path bpo -> next-stable is working due to
   proper package relations.

> Thanks,

Sebastian



Bug#1036957: unblock: openssl/3.0.8-1

2023-05-30 Thread Sebastian Andrzej Siewior
control: retitle -1 unblock: openssl/3.0.9-1

On 2023-05-30 22:16:53 [+0200], To sub...@bugs.debian.org wrote:
> 
> Please unblock package openssl.
> 
> The 3.0.9 release contains security and non-security related fixes for
> the package. There are five new CVEs in total that have been addressed.
> One with "moderate" severity. From the package's changelog:
> 
> - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
>   Constraints) (Closes: #1034720).
> - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
>   silently ignored).
> - CVE-2023-0466 (Certificate policy check not enabled).
> - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
> - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
> - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 
> bit ARM).
> 
> The package built on all release architectures (it is still building on
> mipsel at the time of writing but I expect it to pass).
> The openssl testsuite ran on all architectures during the build process.
> Please find attached the debdiff vs the version in testing.
> 
> unblock openssl/3.0.9-1

Sebastian



Re: Upcoming OpenSSL release

2023-05-29 Thread Sebastian Andrzej Siewior
On 2023-05-28 07:44:13 [+0200], Paul Gevers wrote:
> Hi,
Hi,

> Given the impact of openssl, lets have that exception. Quiet period starts
> on 2023-06-04, we need to ensure it migrated *before* then.

Okay. I'm going to upload to unstable and open an unblock bug. Thank you
for the confirmation.

> Paul

Sebastian



Upcoming OpenSSL release

2023-05-27 Thread Sebastian Andrzej Siewior
Hi,

there is an upcoming OpenSSL release scheduled for next TUE (2023-05-30)
including one security fix of moderate severity [0].
For Bullseye I am going to backport ~6 fixes (4 security fixes of minor
severity which were not yet addressed, the upcoming fix and an
alternative fix for CVE-2022-4304).
_Later_ (once time permits) I would open a pu for Bullseye to include
the final release (1.1.1u) since it only contains fixes.

For Bookworm I would much rather prefer to upload 3.0.9 to unstable and
open an unblock bug for Bookworm. Looking at the history it contains 169
commits and only fixes which don't qualify as security issues. (Same for
the 1.1.1 series but I would prefer to do some testing first and push it
slowly via pu since it is much further behind (not that I expect
anything to happen)).
The Bookworm release is scheduled for the 10th and the announce mail
claims that the unblock should happen on the 28th (tomorrow) at the
latest. This will be hard to achieve given that my time machine is
currently out of operation. This probably means that I need to upload
to Bookworm-security unless there are exceptions.

Are there other preferences/ suggestions from the release or security
team? 

[0] https://mta.openssl.org/pipermail/openssl-announce/2023-May/000258.html

Sebastian



Bug#1035310: bullseye-pu: package xz-utils/5.2.11-0~deb11u1

2023-04-30 Thread Sebastian Andrzej Siewior
On 2023-04-30 18:43:18 [+0200], Helge Kreutzmann wrote:
> Hello Sebastian,
Hi Helge,

> > - the backport package of manpages-de and manpages-fr provides a
> >   man page for xz. These files conflict with the one provided by
> >   xz-utils package. The bpo package and xz-utils in Bookworm have proper
> >   Breaks: and Replaces: relation to allow smooth upgrades.
> >   This update of xz does not provide such a relation since the current
> >   version of manpages-{de|fr} in Bullseye does not provide this
> >   man page. As per testing, the Breaks: in manpages-{de|fr} forbids
> >   installing this xz-utils. My understanding is that once these
> >   man pages are visible in Bullseye via xz-utils, the bpo packages of
> >   manpages-l10n stops creating them as part of the build process. They
> >   are not present in testing/ Bookworm version of the package.
> 
> No, we need to coordinate about this. You previously considered doing
> a backport and I asked you several times if this is still the case; since
> you did not respond, I did not remove the conflicting pages in my
> bullseye backport.

I added you to Cc: for reason of coordination. I always intended to do
-pu instead of a bpo. I intended to respond earlier but didn't manage to
do it until now. Sorry for that.

> As bookworm is about to release, I just wonder if that is really
> necessary to introduce the translation files in your backport. I'm all
> about translations, but this is a bit fragile with two backports with
> all the upgrade paths. So hopefully we get this right.

Stable Bullseye, no bpo.

> If you still feel this is necessary for your users, then please
> contact me and I can perform another upload with the file removed and
> appropriate package relationships. (This implies you tell me the
> version which introduces the files.)

I'm waiting for the stable team to confirm or deny my request. Once that
is clear we can see how to move forward.

> Please tell me as well which translated man pages you ship, as there
> are also Danish and Ukrainian ones in my backports.
> 
> Please note that I will not perform uploads to bullseye once bookworm
> has been released.

Only DE and FR made it into the 5.2 series.

> Greetings
> 
> Helge

Sebastian



Bug#1031536: bullseye-pu: package clamav/0.103.8+dfsg-0+deb11u1

2023-02-17 Thread Sebastian Andrzej Siewior
put values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.103.7, which was
+This file was extended by ClamAV $as_me 0.103.8, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -34880,7 +34880,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.7
+ClamAV config.status 0.103.8
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru clamav-0.103.7+dfsg/configure.ac clamav-0.103.8+dfsg/configure.ac
--- clamav-0.103.7+dfsg/configure.ac	2022-08-14 21:27:54.0 +0200
+++ clamav-0.103.8+dfsg/configure.ac	2023-02-17 21:22:49.0 +0100
@@ -22,7 +22,7 @@
 
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.103.7], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
+AC_INIT([ClamAV], [0.103.8], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
 
 dnl put configure auxiliary into config
 AC_CONFIG_AUX_DIR([config])
diff -Nru clamav-0.103.7+dfsg/debian/changelog clamav-0.103.8+dfsg/debian/changelog
--- clamav-0.103.7+dfsg/debian/changelog	2022-08-21 21:28:52.0 +0200
+++ clamav-0.103.8+dfsg/debian/changelog	2023-02-17 21:43:57.0 +0100
@@ -1,3 +1,11 @@
+clamav (0.103.8+dfsg-0+deb11u1) bullseye; urgency=medium
+
+  * Import 0.103.8 (Closes: #1031509)
+- CVE-2023-20032 (Possible RCE in the HFS+ file parser).
+- CVE-2023-20052 (Possible information leak in the DMG file parser).
+
+ -- Sebastian Andrzej Siewior   Fri, 17 Feb 2023 21:43:57 +0100
+
 clamav (0.103.7+dfsg-0+deb11u1) bullseye; urgency=medium
 
   * Import 0.103.7
diff -Nru clamav-0.103.7+dfsg/debian/.git-dpm clamav-0.103.8+dfsg/debian/.git-dpm
--- clamav-0.103.7+dfsg/debian/.git-dpm	2022-08-21 21:28:52.0 +0200
+++ clamav-0.103.8+dfsg/debian/.git-dpm	2023-02-17 21:38:36.0 +0100
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-f2466c7aaf6e140ea150e0f219c86594f3bc04cb
-f2466c7aaf6e140ea150e0f219c86594f3bc04cb
-d1ea680af611ee417616ec3d8615a0e67a495795
-d1ea680af611ee417616ec3d8615a0e67a495795
-clamav_0.103.7+dfsg.orig.tar.xz
-f0708e3df3a432def23c384d28fb3a4628efcfd5
-7136624
+737c42d017cec50f0b64e8a5fb52ed2fe07d0d3b
+737c42d017cec50f0b64e8a5fb52ed2fe07d0d3b
+cf70fa22ae142444ba8e34594b2c29f69a65c1e4
+cf70fa22ae142444ba8e34594b2c29f69a65c1e4
+clamav_0.103.8+dfsg.orig.tar.xz
+23abb9015972460c9ead147ed691e46e857ca1a3
+7130804
diff -Nru clamav-0.103.7+dfsg/debian/libclamav9.symbols clamav-0.103.8+dfsg/debian/libclamav9.symbols
--- clamav-0.103.7+dfsg/debian/libclamav9.symbols	2022-08-21 21:28:52.0 +0200
+++ clamav-0.103.8+dfsg/debian/libclamav9.symbols	2023-02-17 21:38:36.0 +0100
@@ -1,20 +1,20 @@
 libclamav.so.9 libclamav9 #MINVER#
 * Build-Depends-Package: libclamav-dev
- CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.7
+ CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.8
  CLAMAV_PUBLIC@CLAMAV_PUBLIC 0.101.0
- __cli_strcasestr@CLAMAV_PRIVATE 0.103.7
- __cli_strndup@CLAMAV_PRIVATE 0.103.7
- __cli_strnlen@CLAMAV_PRIVATE 0.103.7
- __cli_strnstr@CLAMAV_PRIVATE 0.103.7
- base64Flush@CLAMAV_PRIVATE 0.103.7
- blobAddData@CLAMAV_PRIVATE 0.103.7
- blobCreate@CLAMAV_PRIVATE 0.103.7
- blobDestroy@CLAMAV_PRIVATE 0.103.7
- cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.7
+ __cli_strcasestr@CLAMAV_PRIVATE 0.103.8
+ __cli_strndup@CLAMAV_PRIVATE 0.103.8
+ __cli_strnlen@CLAMAV_PRIVATE 0.103.8
+ __cli_strnstr@CLAMAV_PRIVATE 0.103.8
+ base64Flush@CLAMAV_PRIVATE 0.103.8
+ blobAddData@CLAMAV_PRIVATE 0.103.8
+ blobCreate@CLAMAV_PRIVATE 0.103.8
+ blobDestroy@CLAMAV_PRIVATE 0.103.8
+ cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.8
  cl_always_gen_section_hash@CLAMAV_PUBLIC 0.101.0
- cl_base64_decode@CLAMAV_PRIVATE 0.103.7
- cl_base64_encode@CLAMAV_PRIVATE 0.103.7
- cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.7
+ cl_base64_decode@CLAMAV_PRIVATE 0.103.8
+ cl_base64_encode@CLAMAV_PRIVATE 0.103.8
+ cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.8
  cl_countsigs@CLAMAV_PUBLIC 0.101.0
  cl_cvdfree@CLAMAV_PUBLIC 0.101.0
  cl_cvdhead@CLAMAV_PUBLIC 0.101.0
@@ -54,21 +54,21 @@
  cl_fmap_close@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_handle@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_memory@CLAMAV_PUBLIC 0.101.0
- cl_get_pkey_file@CLAMAV_PRIVATE 0.103.7
- cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.7
- cl_hash_data@CLAMAV_PRIVATE 0.103.7
+ cl_get_pkey_file@CLAMAV_PRIVATE 0.103.8
+ cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.8
+ cl_hash_data@CLAMAV_PRIVATE 0.103.8
  cl_hash_destroy@CLAMAV_PUBLIC 0.101.0
- cl_hash_file_fd@CLAMAV_PRIVATE 0.103.7
- cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.7
- cl_hash_file_fp@CLAMAV_PRIVATE 0.103.7
+ cl_hash_file_fd@CLAMAV_PRIVATE 0.103.8
+ cl_hash_file_fd_ctx@CLAMAV_PRIVAT

Bug#1018904: bullseye-pu: package clamav/0.103.7+dfsg-0+deb11u1

2022-09-02 Thread Sebastian Andrzej Siewior
On 2022-09-02 17:02:38 [+0100], Adam D. Barratt wrote:
> Please go ahead, bearing in mind that the window for getting updates
> into 11.5 (and thus bullseye-updates prior to 11.5 being released)
> closes over this weekend.

Just uploaded.

> Given that 11.5 is scheduled for a week tomorrow, would you still like
> us to make a stable-updates release sooner?

Nah, that is okay then. Thank you.

> Regards,
> 
> Adam

Sebastian



Bug#1018905: buster-pu: package clamav/0.103.7+dfsg-0+deb10u1

2022-09-01 Thread Sebastian Andrzej Siewior
6
+ClamAV config.status 0.103.7
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -34813,7 +34813,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.103.6, which was
+This file was extended by ClamAV $as_me 0.103.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -34880,7 +34880,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.6
+ClamAV config.status 0.103.7
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 9829ea3..561c4f9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@ AC_PREREQ([2.59])
 
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.103.6], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
+AC_INIT([ClamAV], [0.103.7], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
 
 dnl put configure auxiliary into config
 AC_CONFIG_AUX_DIR([config])
diff --git a/debian/.git-dpm b/debian/.git-dpm
index f0e9893..b7eeca9 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-1db21df237c75b67094efd64dea59f4f528c36ba
-1db21df237c75b67094efd64dea59f4f528c36ba
-75754d0f4c00d0ac0864e2a506bfc1d977d55d00
-75754d0f4c00d0ac0864e2a506bfc1d977d55d00
-clamav_0.103.6+dfsg.orig.tar.xz
-6212705bf2cb168a55f76ae4cab31fa40909aed8
-7135300
+276875cec2e8a64a834e0c5e9f988aebe0d3ab25
+276875cec2e8a64a834e0c5e9f988aebe0d3ab25
+d1ea680af611ee417616ec3d8615a0e67a495795
+d1ea680af611ee417616ec3d8615a0e67a495795
+clamav_0.103.7+dfsg.orig.tar.xz
+f0708e3df3a432def23c384d28fb3a4628efcfd5
+7136624
diff --git a/debian/changelog b/debian/changelog
index ea81750..eb61075 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.103.7+dfsg-0+deb10u1) buster; urgency=medium
+
+  * Import 0.103.7
+- Update symbol file.
+
+ -- Sebastian Andrzej Siewior   Sun, 21 Aug 2022 21:42:22 +0200
+
 clamav (0.103.6+dfsg-0+deb10u1) buster; urgency=medium
 
   * Import 0.103.6
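Review bot: the new changelog stanza gives no reason for the import beyond "Import 0.103.7" and "Update symbol file"; the 0.103.6 stanza in this same file (visible in the 0.103.6 diffs further down the thread) lists the CVEs that upstream release addressed, so a stable-update reviewer will want the same here, i.e. what 0.103.7 fixes and which bug numbers it closes, since that is what justifies the update in a point release.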
diff --git a/debian/libclamav9.symbols b/debian/libclamav9.symbols
index 7faf5b4..50c8cd8 100644
--- a/debian/libclamav9.symbols
+++ b/debian/libclamav9.symbols
@@ -1,20 +1,20 @@
 libclamav.so.9 libclamav9 #MINVER#
 * Build-Depends-Package: libclamav-dev
- CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.6
+ CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.7
  CLAMAV_PUBLIC@CLAMAV_PUBLIC 0.101.0
- __cli_strcasestr@CLAMAV_PRIVATE 0.103.6
- __cli_strndup@CLAMAV_PRIVATE 0.103.6
- __cli_strnlen@CLAMAV_PRIVATE 0.103.6
- __cli_strnstr@CLAMAV_PRIVATE 0.103.6
- base64Flush@CLAMAV_PRIVATE 0.103.6
- blobAddData@CLAMAV_PRIVATE 0.103.6
- blobCreate@CLAMAV_PRIVATE 0.103.6
- blobDestroy@CLAMAV_PRIVATE 0.103.6
- cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.6
+ __cli_strcasestr@CLAMAV_PRIVATE 0.103.7
+ __cli_strndup@CLAMAV_PRIVATE 0.103.7
+ __cli_strnlen@CLAMAV_PRIVATE 0.103.7
+ __cli_strnstr@CLAMAV_PRIVATE 0.103.7
+ base64Flush@CLAMAV_PRIVATE 0.103.7
+ blobAddData@CLAMAV_PRIVATE 0.103.7
+ blobCreate@CLAMAV_PRIVATE 0.103.7
+ blobDestroy@CLAMAV_PRIVATE 0.103.7
+ cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.7
  cl_always_gen_section_hash@CLAMAV_PUBLIC 0.101.0
- cl_base64_decode@CLAMAV_PRIVATE 0.103.6
- cl_base64_encode@CLAMAV_PRIVATE 0.103.6
- cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.6
+ cl_base64_decode@CLAMAV_PRIVATE 0.103.7
+ cl_base64_encode@CLAMAV_PRIVATE 0.103.7
+ cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.7
  cl_countsigs@CLAMAV_PUBLIC 0.101.0
  cl_cvdfree@CLAMAV_PUBLIC 0.101.0
  cl_cvdhead@CLAMAV_PUBLIC 0.101.0
@@ -54,21 +54,21 @@ libclamav.so.9 libclamav9 #MINVER#
  cl_fmap_close@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_handle@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_memory@CLAMAV_PUBLIC 0.101.0
- cl_get_pkey_file@CLAMAV_PRIVATE 0.103.6
- cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.6
- cl_hash_data@CLAMAV_PRIVATE 0.103.6
+ cl_get_pkey_file@CLAMAV_PRIVATE 0.103.7
+ cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.7
+ cl_hash_data@CLAMAV_PRIVATE 0.103.7
  cl_hash_destroy@CLAMAV_PUBLIC 0.101.0
- cl_hash_file_fd@CLAMAV_PRIVATE 0.103.6
- cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.6
- cl_hash_file_fp@CLAMAV_PRIVATE 0.103.6
+ cl_hash_file_fd@CLAMAV_PRIVATE 0.103.7
+ cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.7
+ cl_hash_file_fp@CLAMAV_PRIVATE 0.103.7
  cl_hash_init@CLAMAV_PUBLIC 0.101.0
  cl_init@CLAMAV_PUBLIC 0.101.0
- cl_initialize_crypto@CLAMAV_PRIVATE 0.103.6
+ cl_initialize_crypto@CLAMAV_PRIVATE 0.103.7
  cl_load@CLAMAV_PUBLIC 0.101.0
- cl_load_cert@CLAMAV_PRIVATE 0.103.6

Bug#1018904: bullseye-pu: package clamav/0.103.7+dfsg-0+deb11u1

2022-09-01 Thread Sebastian Andrzej Siewior
onf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -34813,7 +34813,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.103.6, which was
+This file was extended by ClamAV $as_me 0.103.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -34880,7 +34880,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.6
+ClamAV config.status 0.103.7
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 9829ea3..561c4f9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@ AC_PREREQ([2.59])
 
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.103.6], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
+AC_INIT([ClamAV], [0.103.7], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
 
 dnl put configure auxiliary into config
 AC_CONFIG_AUX_DIR([config])
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 468dc5b..47bf279 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-dbab766c81312b2a8cbd37258a5a3510c4e98085
-dbab766c81312b2a8cbd37258a5a3510c4e98085
-75754d0f4c00d0ac0864e2a506bfc1d977d55d00
-75754d0f4c00d0ac0864e2a506bfc1d977d55d00
-clamav_0.103.6+dfsg.orig.tar.xz
-6212705bf2cb168a55f76ae4cab31fa40909aed8
-7135300
+f2466c7aaf6e140ea150e0f219c86594f3bc04cb
+f2466c7aaf6e140ea150e0f219c86594f3bc04cb
+d1ea680af611ee417616ec3d8615a0e67a495795
+d1ea680af611ee417616ec3d8615a0e67a495795
+clamav_0.103.7+dfsg.orig.tar.xz
+f0708e3df3a432def23c384d28fb3a4628efcfd5
+7136624
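Review bot: the orig tarball lines should match the buster upload, since both suites import the same 0.103.7+dfsg repack, and they do: clamav_0.103.7+dfsg.orig.tar.xz with checksum f0708e3df3a432def23c384d28fb3a4628efcfd5 and size 7136624 are identical to the buster .git-dpm hunk above, and the upstream commit d1ea680af611ee417616ec3d8615a0e67a495795 is the same as well; only the first two (packaging-branch) ids differ, as expected for separate suite branches.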
diff --git a/debian/changelog b/debian/changelog
index c540f6f..5210a94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.103.7+dfsg-0+deb11u1) bullseye; urgency=medium
+
+  * Import 0.103.7
+- Update symbol file.
+
+ -- Sebastian Andrzej Siewior   Sun, 21 Aug 2022 21:28:52 +0200
+
 clamav (0.103.6+dfsg-0+deb11u1) bullseye; urgency=medium
 
   * Import 0.103.6
diff --git a/debian/libclamav9.symbols b/debian/libclamav9.symbols
index 7faf5b4..50c8cd8 100644
--- a/debian/libclamav9.symbols
+++ b/debian/libclamav9.symbols
@@ -1,20 +1,20 @@
 libclamav.so.9 libclamav9 #MINVER#
 * Build-Depends-Package: libclamav-dev
- CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.6
+ CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.7
  CLAMAV_PUBLIC@CLAMAV_PUBLIC 0.101.0
- __cli_strcasestr@CLAMAV_PRIVATE 0.103.6
- __cli_strndup@CLAMAV_PRIVATE 0.103.6
- __cli_strnlen@CLAMAV_PRIVATE 0.103.6
- __cli_strnstr@CLAMAV_PRIVATE 0.103.6
- base64Flush@CLAMAV_PRIVATE 0.103.6
- blobAddData@CLAMAV_PRIVATE 0.103.6
- blobCreate@CLAMAV_PRIVATE 0.103.6
- blobDestroy@CLAMAV_PRIVATE 0.103.6
- cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.6
+ __cli_strcasestr@CLAMAV_PRIVATE 0.103.7
+ __cli_strndup@CLAMAV_PRIVATE 0.103.7
+ __cli_strnlen@CLAMAV_PRIVATE 0.103.7
+ __cli_strnstr@CLAMAV_PRIVATE 0.103.7
+ base64Flush@CLAMAV_PRIVATE 0.103.7
+ blobAddData@CLAMAV_PRIVATE 0.103.7
+ blobCreate@CLAMAV_PRIVATE 0.103.7
+ blobDestroy@CLAMAV_PRIVATE 0.103.7
+ cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.7
  cl_always_gen_section_hash@CLAMAV_PUBLIC 0.101.0
- cl_base64_decode@CLAMAV_PRIVATE 0.103.6
- cl_base64_encode@CLAMAV_PRIVATE 0.103.6
- cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.6
+ cl_base64_decode@CLAMAV_PRIVATE 0.103.7
+ cl_base64_encode@CLAMAV_PRIVATE 0.103.7
+ cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.7
  cl_countsigs@CLAMAV_PUBLIC 0.101.0
  cl_cvdfree@CLAMAV_PUBLIC 0.101.0
  cl_cvdhead@CLAMAV_PUBLIC 0.101.0
@@ -54,21 +54,21 @@ libclamav.so.9 libclamav9 #MINVER#
  cl_fmap_close@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_handle@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_memory@CLAMAV_PUBLIC 0.101.0
- cl_get_pkey_file@CLAMAV_PRIVATE 0.103.6
- cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.6
- cl_hash_data@CLAMAV_PRIVATE 0.103.6
+ cl_get_pkey_file@CLAMAV_PRIVATE 0.103.7
+ cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.7
+ cl_hash_data@CLAMAV_PRIVATE 0.103.7
  cl_hash_destroy@CLAMAV_PUBLIC 0.101.0
- cl_hash_file_fd@CLAMAV_PRIVATE 0.103.6
- cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.6
- cl_hash_file_fp@CLAMAV_PRIVATE 0.103.6
+ cl_hash_file_fd@CLAMAV_PRIVATE 0.103.7
+ cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.7
+ cl_hash_file_fp@CLAMAV_PRIVATE 0.103.7
  cl_hash_init@CLAMAV_PUBLIC 0.101.0
  cl_init@CLAMAV_PUBLIC 0.101.0
- cl_initialize_crypto@CLAMAV_PRIVATE 0.103.6
+ cl_initialize_crypto@CLAMAV_PRIVATE 0.103.7
  cl_load@CLAMAV_PUBLIC 0.101.0
- cl_load_cert@CLAMAV_PRIVATE 0.103.6
- cl_load_crl@CLAMAV_PRIVATE 0.103.6
+ cl_loa

Bug#995636: transition: openssl

2022-06-09 Thread Sebastian Andrzej Siewior
On 2022-06-08 22:13:09 [+0200], Sebastian Ramacher wrote:
> That would be much appreciated, thanks!

Did so, sorry for the delay. I aimed for Monday but…

> Cheers

Sebastian



Bug#995636: transition: openssl

2022-06-05 Thread Sebastian Andrzej Siewior
On 5 June 2022 19:03:17 UTC, Kurt Roeckx  wrote:
>The suggestion was to make an openssl.cnf that's compatible with 1.1.1,
>and so remove or comment out everything related to providers.
>

Ah okay. In that case let me do that tomorrow and close that rc bug with this 
change.

>
>Kurt
>


-- 
Sebastian



Bug#995636: transition: openssl

2022-06-05 Thread Sebastian Andrzej Siewior
On 2022-06-05 19:42:43 [+0200], Sebastian Ramacher wrote:
> Hi Sebastian
Hi Sebastian,

> > Otherwise I'd fear that the only other options are openssl breaking
> > libssl1.1 or renaming /etc/ssl/openssl.cnf to have a version specific
> > name. Given the high number reverse dependencies involved in this
> > transition (and also those depending on bin:openssl), I'd prefer to
> > avoid a Breaks that could have the potential to force the libssl1.1 ->
> > libssl3 upgrade to be more of a lockstep transition than needed.
> 
> I see that there was another openssl upload. Any reason a fix for this
> issue wasn't included in the upload of 3.0.3-6?

I wasn't aware that this is something that we want to do. Kurt pointed me
to the testsuite problem which was the primary motivation for the
upload.
Regarding dovecot, Kurt wanted to make some time for it. The patch in
ubuntu is working but is a giant duct tape which is not something I
would want to upload…
Anyway, regarding the openssl.cnf. Do we want to use openssl-3.cnf for
libssl3? We can't make openssl-1.1.cnf happen. The modification of
openssl.cnf already happened so people need to make changes manually…
Is this the request here?

> Cheers

Sebastian



Bug#995636: transition: openssl

2022-05-26 Thread Sebastian Andrzej Siewior
On 2022-05-26 18:26:57 [+0200], Sebastian Ramacher wrote:
> Hi Sebastian
Hi,

> We're now at the following blockers for openssl's migration:
…
> Bugs for the autopkgtest regressions have been filed and some are
> already fixed in unstable. So I'll add hints to ignore those
> regressions.

good.

> That leaves #1011051. What's your view on that bug?

I intend to fix dovecot which should address it at some point. I don't
know what we should expect if the syntax/anything changes between
releases and it remains incompatible. We had a case with steam (I think?)
and they worked around it by overriding the file.
Kurt?

> Cheers

Sebastian



Bug#1011746: bullseye-pu: package clamav/0.103.6+dfsg-0+deb11u1

2022-05-26 Thread Sebastian Andrzej Siewior
 config
 AC_CONFIG_AUX_DIR([config])
diff -Nru --exclude '*.html' --exclude searchindex.json --exclude 
searchindex.js clamav-0.103.5+dfsg/debian/changelog 
clamav-0.103.6+dfsg/debian/changelog
--- clamav-0.103.5+dfsg/debian/changelog    2022-01-13 21:49:00.0 
+0100
+++ clamav-0.103.6+dfsg/debian/changelog2022-05-26 10:17:16.0 
+0200
@@ -1,3 +1,20 @@
+clamav (0.103.6+dfsg-0+deb11u1) bullseye; urgency=medium
+
+  * Import 0.103.6
+- CVE-2022-20770 (Possible infinite loop vulnerability in the CHM file
+  parser).
+- CVE-2022-20796 (Possible NULL-pointer dereference crash in the scan
+  verdict cache check).
+- CVE-2022-20771 (Possible infinite loop vulnerability in the TIFF file
+  parser).
+- CVE-2022-20785 (Possible memory leak in the HTML file parser/
+  Javascript normalizer).
+- CVE-2022-20792 (Possible multi-byte heap buffer overflow write
+  vulnerability in the signature database load module.
+- Update symbol file.
+
+ -- Sebastian Andrzej Siewior   Thu, 26 May 2022 
10:17:16 +0200
+
 clamav (0.103.5+dfsg-0+deb11u1) bullseye; urgency=medium
 
   * Import 0.103.5
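Review bot: the CVE-2022-20792 line is missing its closing parenthesis (it ends with "load module." while the four entries above it end with ")."). Also, in this copy of the diff the maintainer trailer is wrapped onto two lines (" -- Sebastian Andrzej Siewior   Thu, 26 May 2022" / "10:17:16 +0200"); make sure the uploaded changelog keeps the " -- Name <email>  date" trailer on one line, which is what dpkg-parsechangelog expects.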
diff -Nru --exclude '*.html' --exclude searchindex.json --exclude 
searchindex.js clamav-0.103.5+dfsg/debian/.git-dpm 
clamav-0.103.6+dfsg/debian/.git-dpm
--- clamav-0.103.5+dfsg/debian/.git-dpm 2022-01-13 21:49:00.0 +0100
+++ clamav-0.103.6+dfsg/debian/.git-dpm 2022-05-26 10:14:47.0 +0200
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-d98f95bd2562d8205e1e0a209c06c7706b9107fc
-d98f95bd2562d8205e1e0a209c06c7706b9107fc
-857db6f7fe6291d39090c77afdefa94d97161cb2
-857db6f7fe6291d39090c77afdefa94d97161cb2
-clamav_0.103.5+dfsg.orig.tar.xz
-6b767150c6b8cb9c8c6b11a2ae3df961fd65533f
-7121136
+dbab766c81312b2a8cbd37258a5a3510c4e98085
+dbab766c81312b2a8cbd37258a5a3510c4e98085
+75754d0f4c00d0ac0864e2a506bfc1d977d55d00
+75754d0f4c00d0ac0864e2a506bfc1d977d55d00
+clamav_0.103.6+dfsg.orig.tar.xz
+6212705bf2cb168a55f76ae4cab31fa40909aed8
+7135300
diff -Nru --exclude '*.html' --exclude searchindex.json --exclude 
searchindex.js clamav-0.103.5+dfsg/debian/libclamav9.symbols 
clamav-0.103.6+dfsg/debian/libclamav9.symbols
--- clamav-0.103.5+dfsg/debian/libclamav9.symbols   2022-01-13 
21:49:00.0 +0100
+++ clamav-0.103.6+dfsg/debian/libclamav9.symbols   2022-05-26 
10:16:58.0 +0200
@@ -1,20 +1,20 @@
 libclamav.so.9 libclamav9 #MINVER#
 * Build-Depends-Package: libclamav-dev
- CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.5
+ CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.6
  CLAMAV_PUBLIC@CLAMAV_PUBLIC 0.101.0
- __cli_strcasestr@CLAMAV_PRIVATE 0.103.5
- __cli_strndup@CLAMAV_PRIVATE 0.103.5
- __cli_strnlen@CLAMAV_PRIVATE 0.103.5
- __cli_strnstr@CLAMAV_PRIVATE 0.103.5
- base64Flush@CLAMAV_PRIVATE 0.103.5
- blobAddData@CLAMAV_PRIVATE 0.103.5
- blobCreate@CLAMAV_PRIVATE 0.103.5
- blobDestroy@CLAMAV_PRIVATE 0.103.5
- cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.5
+ __cli_strcasestr@CLAMAV_PRIVATE 0.103.6
+ __cli_strndup@CLAMAV_PRIVATE 0.103.6
+ __cli_strnlen@CLAMAV_PRIVATE 0.103.6
+ __cli_strnstr@CLAMAV_PRIVATE 0.103.6
+ base64Flush@CLAMAV_PRIVATE 0.103.6
+ blobAddData@CLAMAV_PRIVATE 0.103.6
+ blobCreate@CLAMAV_PRIVATE 0.103.6
+ blobDestroy@CLAMAV_PRIVATE 0.103.6
+ cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.6
  cl_always_gen_section_hash@CLAMAV_PUBLIC 0.101.0
- cl_base64_decode@CLAMAV_PRIVATE 0.103.5
- cl_base64_encode@CLAMAV_PRIVATE 0.103.5
- cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.5
+ cl_base64_decode@CLAMAV_PRIVATE 0.103.6
+ cl_base64_encode@CLAMAV_PRIVATE 0.103.6
+ cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.6
  cl_countsigs@CLAMAV_PUBLIC 0.101.0
  cl_cvdfree@CLAMAV_PUBLIC 0.101.0
  cl_cvdhead@CLAMAV_PUBLIC 0.101.0
@@ -54,21 +54,21 @@
  cl_fmap_close@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_handle@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_memory@CLAMAV_PUBLIC 0.101.0
- cl_get_pkey_file@CLAMAV_PRIVATE 0.103.5
- cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.5
- cl_hash_data@CLAMAV_PRIVATE 0.103.5
+ cl_get_pkey_file@CLAMAV_PRIVATE 0.103.6
+ cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.6
+ cl_hash_data@CLAMAV_PRIVATE 0.103.6
  cl_hash_destroy@CLAMAV_PUBLIC 0.101.0
- cl_hash_file_fd@CLAMAV_PRIVATE 0.103.5
- cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.5
- cl_hash_file_fp@CLAMAV_PRIVATE 0.103.5
+ cl_hash_file_fd@CLAMAV_PRIVATE 0.103.6
+ cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.6
+ cl_hash_file_fp@CLAMAV_PRIVATE 0.103.6
  cl_hash_init@CLAMAV_PUBLIC 0.101.0
  cl_init@CLAMAV_PUBLIC 0.101.0
- cl_initialize_crypto@CLAMAV_PRIVATE 0.103.5
+ cl_initialize_crypto@CLAMAV_PRIVATE 0.103.6
  cl_load@CLAMAV_PUBLIC 0.101.0
- cl_load_cert@CLAMAV_PRIVATE 0.103.5
- cl_load_crl@CLAMAV_PRIVATE 0.103.5
+ cl_load_cert@CLAMAV_PRIVATE 0.103.6
+ cl_load_crl@CLAMAV_PRIVATE 0.103.6
  cl_retdbdir@CLAMAV_PUBLIC 0.101.0
- cl_retflevel@CLAMAV_PUBLIC 0.103.5
+ cl_retflevel@CLAMAV_PUBLIC 0.103.6
  cl_retver@CLAMAV_PUBLIC 0.101.0
  cl_scandesc@CLAMAV_PUBLIC 0.101.0
  cl_scandesc_callback@CLAMAV_PUBLIC 0.101.0
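Review bot: cl_retflevel@CLAMAV_PUBLIC is the only public symbol whose minimum version is bumped (0.103.5 -> 0.103.6) while every other CLAMAV_PUBLIC entry stays at 0.101.0; that makes dpkg-shlibdeps generate a libclamav9 (>= 0.103.6) dependency for any reverse dependency calling it. If that is deliberate because the functionality level it reports changes with each release, a comment in the symbols file (or a word in the "Update symbol file" changelog line) saying so would save the next reviewer the question.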
@@ -76,196 +76,19

Bug#1011745: buster-pu: package clamav/0.103.6+dfsg-0+deb10u1

2022-05-26 Thread Sebastian Andrzej Siewior
nfig
 AC_CONFIG_AUX_DIR([config])
diff -Nru --exclude '*.html' --exclude searchindex.json --exclude 
searchindex.js clamav-0.103.5+dfsg/debian/changelog 
clamav-0.103.6+dfsg/debian/changelog
--- clamav-0.103.5+dfsg/debian/changelog    2022-01-13 21:51:03.0 
+0100
+++ clamav-0.103.6+dfsg/debian/changelog2022-05-26 10:19:13.0 
+0200
@@ -1,3 +1,20 @@
+clamav (0.103.6+dfsg-0+deb10u1) buster; urgency=medium
+
+  * Import 0.103.6
+- CVE-2022-20770 (Possible infinite loop vulnerability in the CHM file
+  parser).
+- CVE-2022-20796 (Possible NULL-pointer dereference crash in the scan
+  verdict cache check).
+- CVE-2022-20771 (Possible infinite loop vulnerability in the TIFF file
+  parser).
+- CVE-2022-20785 (Possible memory leak in the HTML file parser/
+  Javascript normalizer).
+- CVE-2022-20792 (Possible multi-byte heap buffer overflow write
+  vulnerability in the signature database load module.
+- Update symbol file.
+
+ -- Sebastian Andrzej Siewior   Thu, 26 May 2022 
10:19:13 +0200
+
 clamav (0.103.5+dfsg-0+deb10u1) buster; urgency=medium
 
   * Import 0.103.5
diff -Nru --exclude '*.html' --exclude searchindex.json --exclude 
searchindex.js clamav-0.103.5+dfsg/debian/.git-dpm 
clamav-0.103.6+dfsg/debian/.git-dpm
--- clamav-0.103.5+dfsg/debian/.git-dpm 2022-01-13 21:51:03.0 +0100
+++ clamav-0.103.6+dfsg/debian/.git-dpm 2022-05-26 10:18:08.0 +0200
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-d06a6fa976e864503061203b84b498ce46b9513d
-d06a6fa976e864503061203b84b498ce46b9513d
-857db6f7fe6291d39090c77afdefa94d97161cb2
-857db6f7fe6291d39090c77afdefa94d97161cb2
-clamav_0.103.5+dfsg.orig.tar.xz
-6b767150c6b8cb9c8c6b11a2ae3df961fd65533f
-7121136
+1db21df237c75b67094efd64dea59f4f528c36ba
+1db21df237c75b67094efd64dea59f4f528c36ba
+75754d0f4c00d0ac0864e2a506bfc1d977d55d00
+75754d0f4c00d0ac0864e2a506bfc1d977d55d00
+clamav_0.103.6+dfsg.orig.tar.xz
+6212705bf2cb168a55f76ae4cab31fa40909aed8
+7135300
diff -Nru --exclude '*.html' --exclude searchindex.json --exclude 
searchindex.js clamav-0.103.5+dfsg/debian/libclamav9.symbols 
clamav-0.103.6+dfsg/debian/libclamav9.symbols
--- clamav-0.103.5+dfsg/debian/libclamav9.symbols   2022-01-13 
21:50:52.0 +0100
+++ clamav-0.103.6+dfsg/debian/libclamav9.symbols   2022-05-26 
10:18:59.0 +0200
@@ -1,20 +1,20 @@
 libclamav.so.9 libclamav9 #MINVER#
 * Build-Depends-Package: libclamav-dev
- CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.5
+ CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.103.6
  CLAMAV_PUBLIC@CLAMAV_PUBLIC 0.101.0
- __cli_strcasestr@CLAMAV_PRIVATE 0.103.5
- __cli_strndup@CLAMAV_PRIVATE 0.103.5
- __cli_strnlen@CLAMAV_PRIVATE 0.103.5
- __cli_strnstr@CLAMAV_PRIVATE 0.103.5
- base64Flush@CLAMAV_PRIVATE 0.103.5
- blobAddData@CLAMAV_PRIVATE 0.103.5
- blobCreate@CLAMAV_PRIVATE 0.103.5
- blobDestroy@CLAMAV_PRIVATE 0.103.5
- cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.5
+ __cli_strcasestr@CLAMAV_PRIVATE 0.103.6
+ __cli_strndup@CLAMAV_PRIVATE 0.103.6
+ __cli_strnlen@CLAMAV_PRIVATE 0.103.6
+ __cli_strnstr@CLAMAV_PRIVATE 0.103.6
+ base64Flush@CLAMAV_PRIVATE 0.103.6
+ blobAddData@CLAMAV_PRIVATE 0.103.6
+ blobCreate@CLAMAV_PRIVATE 0.103.6
+ blobDestroy@CLAMAV_PRIVATE 0.103.6
+ cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.103.6
  cl_always_gen_section_hash@CLAMAV_PUBLIC 0.101.0
- cl_base64_decode@CLAMAV_PRIVATE 0.103.5
- cl_base64_encode@CLAMAV_PRIVATE 0.103.5
- cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.5
+ cl_base64_decode@CLAMAV_PRIVATE 0.103.6
+ cl_base64_encode@CLAMAV_PRIVATE 0.103.6
+ cl_cleanup_crypto@CLAMAV_PRIVATE 0.103.6
  cl_countsigs@CLAMAV_PUBLIC 0.101.0
  cl_cvdfree@CLAMAV_PUBLIC 0.101.0
  cl_cvdhead@CLAMAV_PUBLIC 0.101.0
@@ -54,21 +54,21 @@
  cl_fmap_close@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_handle@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_memory@CLAMAV_PUBLIC 0.101.0
- cl_get_pkey_file@CLAMAV_PRIVATE 0.103.5
- cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.5
- cl_hash_data@CLAMAV_PRIVATE 0.103.5
+ cl_get_pkey_file@CLAMAV_PRIVATE 0.103.6
+ cl_get_x509_from_mem@CLAMAV_PRIVATE 0.103.6
+ cl_hash_data@CLAMAV_PRIVATE 0.103.6
  cl_hash_destroy@CLAMAV_PUBLIC 0.101.0
- cl_hash_file_fd@CLAMAV_PRIVATE 0.103.5
- cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.5
- cl_hash_file_fp@CLAMAV_PRIVATE 0.103.5
+ cl_hash_file_fd@CLAMAV_PRIVATE 0.103.6
+ cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.103.6
+ cl_hash_file_fp@CLAMAV_PRIVATE 0.103.6
  cl_hash_init@CLAMAV_PUBLIC 0.101.0
  cl_init@CLAMAV_PUBLIC 0.101.0
- cl_initialize_crypto@CLAMAV_PRIVATE 0.103.5
+ cl_initialize_crypto@CLAMAV_PRIVATE 0.103.6
  cl_load@CLAMAV_PUBLIC 0.101.0
- cl_load_cert@CLAMAV_PRIVATE 0.103.5
- cl_load_crl@CLAMAV_PRIVATE 0.103.5
+ cl_load_cert@CLAMAV_PRIVATE 0.103.6
+ cl_load_crl@CLAMAV_PRIVATE 0.103.6
  cl_retdbdir@CLAMAV_PUBLIC 0.101.0
- cl_retflevel@CLAMAV_PUBLIC 0.103.5
+ cl_retflevel@CLAMAV_PUBLIC 0.103.6
  cl_retver@CLAMAV_PUBLIC 0.101.0
  cl_scandesc@CLAMAV_PUBLIC 0.101.0
  cl_scandesc_callback@CLAMAV_PUBLIC 0.101.0
@@ -76,196 +76,19

Bug#995636: transition: openssl

2022-05-13 Thread Sebastian Andrzej Siewior
On 2022-05-09 00:11:22 [+0200], Sebastian Ramacher wrote:
> Control: tags -1 = confirmed
> 
> Please go ahead

Thank you, done.

> Cheers

Sebastian



Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-24 Thread Sebastian Andrzej Siewior
On 2022-03-24 12:39:55 [+], Adam D. Barratt wrote:
> I've added that text to the announcement for the buster point release.
Thanks.

> If anyone has any changes, please yell ASAP.

The gnutls and perl changes are not yet built. I guess this is intended
;)

> Regards,
> 
> Adam

Sebastian



Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-23 Thread Sebastian Andrzej Siewior
On 2022-03-23 17:40:59 [+], Adam D. Barratt wrote:
> Right, let's have another go at this then:
> 
> "
> OpenSSL signature algorithm check tightening
> =
> 
> The OpenSSL update provided in this point release includes a
> change to ensure that the requested signature algorithm is
> supported by the active security level.
> 
> Although this will not affect most use-cases, it could lead to
> error messages being generated if a non-supported algorithm is
> requested - for example, use of RSA+SHA1 signatures with the default
> security level of 2.
> 
> In such cases, the security level will need to be explicitly
> lowered, either for individual requests or more globally. This
> may require changes to the configuration of applications. For
> OpenSSL itself, per-request lowering can be achieved using a
> command-line option such as
> 
> -cipher "ALL:@SECLEVEL=1"
> 
> with the relevant system-level configuration being found in
> /etc/ssl/openssl.cnf
> "
> 
> Is that any better? Further suggestions welcome, but I'm trying not to
> make it longer than the rest of the text combined. :-)

This is good, Adam, thank you. I have nothing to add.

> Regards,
> 
> Adam

Sebastian



Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-22 Thread Sebastian Andrzej Siewior
On 2022-03-22 21:47:52 [+0100], Kurt Roeckx wrote:
> On Tue, Mar 22, 2022 at 08:19:01PM +, Adam D. Barratt wrote:
> > OpenSSL signature algorithm check tightening
> > =
> > 
> > The OpenSSL update included in this point release includes a change to
> > ensure that the requested signature algorithm is supported by the
> > active security level.
> > 
> > Although this will not affect most use-cases, it could lead to error
> > messages being generated if a non-supported algorithm is requested -
> > for example, use of SHA1 with the default security level of 2. In such
> > cases, the security level will need to be explicitly lowered when
> > invoking OpenSSL, using an option such as
> > 
> > -cipher "ALL:@SECLEVEL=1"
> > "
> 
> So reading it again, I think the "when invoking OpenSSL" is confusing.
> Not only the openssl binary is affected, but also all clients and
> server applications making use of the library are. Some applications
> might have a way to set the cipher in their own configuration file,
> others might need to change the defaults in /etc/ssl/openssl.cfg

s/openssl.cfg/openssl.cnf

Kurt, correct me if I'm wrong:
This only affects clients which were using TLS1.2 while connecting to
the server and did not send a sig-alg string, which let the server
fall back to the default (sha1) which was not checked vs security level.
Had the client sent sha1 as the sig-cipher, it would have failed in
version d, too.
Had the client needed a lower protocol (TLSv1.0), it would have failed, too.
In these two cases the server administrator must have lowered the
security level to 1 (for the announced low sig-alg) and/or allowed TLSv1
in order for the client to connect. (The same for the other way around.)

I don't know which clients/servers don't send the sig-alg version. The test
in gnutls explicitly used TLSv1.0. The server check from ssllabs does
not expose the server's sig-alg that was used during the handshake. Someone
complained about it:
https://github.com/ssllabs/ssllabs-scan/issues/465

> 
> Kurt

Sebastian



Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-21 Thread Sebastian Andrzej Siewior
On 2022-03-21 22:11:17 [+0100], Julien Cristau wrote:
> Hi,
Hi,

> Specifically, we were hoping to better understand the risk of openssl
> changes breaking existing setups.  It's possible the issues with gnutls
> and libnet-ssleay-perl tests were narrowly scoped enough that that risk
> is low, but we're just not sure right now.  Other input would be
> welcome.

No matter how it turns out, I'm fine with it.
It would be nice, in case of postponing it, to keep it in pu for the
following point release so that it receives more test coverage. [Unless
of course this means that the pu is canceled.]

> Thanks,
> Julien

Sebastian



Bug#1008062: buster-pu: package gnutls28/3.6.7-4+deb10u7.1

2022-03-21 Thread Sebastian Andrzej Siewior
On 2022-03-21 22:04:08 [+0100], Salvatore Bonaccorso wrote:
> Hi Sebastian,
Hi Salvatore,

> > +gnutls28 (3.6.7-4+deb10u7.1) buster; urgency=medium
> 
> As not yet uploaded, can you change this to 3.6.7-4+deb10u8 instead.

Just did so.

> Regards,
> Salvatore

Sebastian



Bug#1008062: buster-pu: package gnutls28/3.6.7-4+deb10u7.1

2022-03-21 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

I prepared an update to fix the debci regression caused by the openssl
update. The complete analysis is in #959469.

The patch affects only the testsuite which is run as part of debci. The
testsuite which is run as part of the build process is not affected. The
runtime code of the package is also not affected by the patch.
Therefore I believe the impact is minimal.
I did verify this change in a local chroot.

Sebastian
diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2021-05-14 13:33:38.0 +0200
+++ gnutls28-3.6.7/debian/changelog	2022-03-21 14:52:01.0 +0100
@@ -1,3 +1,11 @@
+gnutls28 (3.6.7-4+deb10u7.1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport testcompat-openssl-improve-testing-against-secured-O.patch to
+pass testsuite with openssl 1.1.1e.
+
+ -- Sebastian Andrzej Siewior   Mon, 21 Mar 2022 14:52:01 +0100
+
 gnutls28 (3.6.7-4+deb10u7) buster; urgency=medium
 
   * 46_handshake-reject-no_renegotiation-alert-if-handshake.patch pulled from
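Review bot: the version 3.6.7-4+deb10u7.1 in the new changelog stanza uses an NMU-style ".1" suffix; as Salvatore points out in the same bug, since this has not been uploaded yet the plain stable-update form 3.6.7-4+deb10u8 is the one to use, and the bug title should follow it. The rest of the stanza (non-maintainer upload line, patch name and purpose) reads fine.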
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series	2021-05-11 18:13:03.0 +0200
+++ gnutls28-3.6.7/debian/patches/series	2022-03-21 08:35:24.0 +0100
@@ -23,3 +23,4 @@
 47_rel3.6.16_04-pre_shared_key-avoid-use-after-free-around-realloc.patch
 47_rel3.6.16_05-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch
 47_rel3.6.16_06-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch
+testcompat-openssl-improve-testing-against-secured-O.patch
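Review bot: the new series entry testcompat-openssl-improve-testing-against-secured-O.patch carries no numeric prefix, while the surrounding entries use 46_/47_rel3.6.16_NN prefixes to fix their order; consider naming it in the same scheme (e.g. a 48_ prefix) so it stays sorted with the rest and its position in the series is obvious at a glance.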
diff -Nru gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch
--- gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch	1970-01-01 01:00:00.0 +0100
+++ gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch	2022-03-21 08:37:07.0 +0100
@@ -0,0 +1,274 @@
+From: Dimitri John Ledkov 
+Date: Mon, 21 Mar 2022 07:44:25 +0100
+Subject: [PATCH] testcompat-openssl: improve testing against secured OpenSSL
+
+[bigeasy: This is backport of commit fbd3e261513d641dce6bd1b2c368ce25e79dc094 ]
+
+In Debian, and soon Ubuntu, OpenSSL is compiled with SECLEVEL=2 and
+requiring minimum TLSv1.2. However, smaller hashes/keys/versions are
+allowed if one enables SECLEVEL=1. Do so when testing pre v1.2 algos,
+and thus enabling testing more compatability combinations.
+
+Signed-off-by: Dimitri John Ledkov 
+Signed-off-by: Sebastian Andrzej Siewior 
+---
+ tests/suite/testcompat-main-openssl | 67 +
+ 1 file changed, 30 insertions(+), 37 deletions(-)
+
+diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl
+index d2708bfa8c710..2ea762faebaca 100755
+--- a/tests/suite/testcompat-main-openssl
 b/tests/suite/testcompat-main-openssl
+@@ -74,7 +74,6 @@ NO_TLS1_2=$?
+ 
+ test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+ 
+-
+ ${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
+ if test $? = 0;then
+ 	NO_DH_PARAMS=0
+@@ -82,18 +81,8 @@ else
+ 	NO_DH_PARAMS=1
+ fi
+ 
+-# Do not use DSS or curves <=256 bits in 1.1.1+ because these
+-# are not accepted by openssl on debian.
+-${SERV} version|grep -e '[1-9]\.[1-9]\.[1-9]' >/dev/null 2>&1
+-if test $? = 0;then
+-	NO_DSS=1
+-	FIPS_CURVES=1
+-else
+-	${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+-	NO_DSS=$?
+-fi
+-
+-test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled"
++${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
++NO_DSS=$?
+ 
+ if test $NO_DSS != 0;then
+ 	echo "Disabling interop tests for DSS ciphersuites"
+@@ -121,6 +110,10 @@ NO_NULL=$?
+ 
+ test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
+ 
++${SERV} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
++NO_PRIME192v1=$?
++
++test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
+ 
+ if test "${NO_DH_PARAMS}" = 0;then
+ 	OPENSSL_DH_PARAMS_OPT=""
+@@ -218,7 +211,7 @@ run_client_suite() {
+ 
+ 	#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++	launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quie

Bug#1008056: [Pkg-openssl-devel] Bug#1008056: buster-pu: package libnet-ssleay-perl/1.85-2.1

2022-03-21 Thread Sebastian Andrzej Siewior
On 2022-03-21 17:55:00 [+0200], Adrian Bunk wrote:

> >   * Backport upstream fix for test failures with OpenSSL 1.1.1n.
> > (Closes: #1008055)

Thank you Adrian.

Sebastian



Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-21 Thread Sebastian Andrzej Siewior
On 2022-03-21 00:12:11 [+0100], To Kurt Roeckx wrote:
> doesn't help here but
>-cipher "ALL:@SECLEVEL=1"
> 
> does. 

Only debci is affected. The package builds because this testsuite is not
part of the build process.
I prepared an NMU against Buster for gnutls. I can open a buster-pu later
today and do the upload unless someone objects or the gnutls folks have
something in their queue.
Please let me know.

> > Kurt

Sebastian
diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2021-05-14 13:33:38.0 +0200
+++ gnutls28-3.6.7/debian/changelog	2022-03-21 14:52:01.0 +0100
@@ -1,3 +1,11 @@
+gnutls28 (3.6.7-4+deb10u7.1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport testcompat-openssl-improve-testing-against-secured-O.patch to
+pass testsuite with openssl 1.1.1e.
+
+ -- Sebastian Andrzej Siewior   Mon, 21 Mar 2022 14:52:01 +0100
+
 gnutls28 (3.6.7-4+deb10u7) buster; urgency=medium
 
   * 46_handshake-reject-no_renegotiation-alert-if-handshake.patch pulled from
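Review bot: the changelog says the backport is needed to pass the testsuite with "openssl 1.1.1e", but the breakage this NMU chases is the one that appeared with 1.1.1n (the version in the subject of Bug#959469 and the commit cc7c6eb8135b named in the analysis); please fix the version before upload so the stable changelog does not point at a release from 2020. It would also help to add a Closes: for the bug number the buster-pu request gets, so the BTS tracks the fix.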
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series	2021-05-11 18:13:03.0 +0200
+++ gnutls28-3.6.7/debian/patches/series	2022-03-21 08:35:24.0 +0100
@@ -23,3 +23,4 @@
 47_rel3.6.16_04-pre_shared_key-avoid-use-after-free-around-realloc.patch
 47_rel3.6.16_05-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch
 47_rel3.6.16_06-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch
+testcompat-openssl-improve-testing-against-secured-O.patch
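Review bot: the new file is appended without the numeric prefix every other patch in this series carries (46_..., 47_rel3.6.16_...). quilt applies the series in listed order so it still works, but a 48_ prefix keeps the stable series sortable and makes it obvious this is the newest backport.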
diff -Nru gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch
--- gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch	1970-01-01 01:00:00.0 +0100
+++ gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch	2022-03-21 08:37:07.0 +0100
@@ -0,0 +1,274 @@
+From: Dimitri John Ledkov 
+Date: Mon, 21 Mar 2022 07:44:25 +0100
+Subject: [PATCH] testcompat-openssl: improve testing against secured OpenSSL
+
+[bigeasy: This is backport of commit fbd3e261513d641dce6bd1b2c368ce25e79dc094 ]
+
+In Debian, and soon Ubuntu, OpenSSL is compiled with SECLEVEL=2 and
+requiring minimum TLSv1.2. However, smaller hashes/keys/versions are
+allowed if one enables SECLEVEL=1. Do so when testing pre v1.2 algos,
+and thus enabling testing more compatability combinations.
+
+Signed-off-by: Dimitri John Ledkov 
+Signed-off-by: Sebastian Andrzej Siewior 
+---
+ tests/suite/testcompat-main-openssl | 67 +
+ 1 file changed, 30 insertions(+), 37 deletions(-)
+
+diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl
+index d2708bfa8c710..2ea762faebaca 100755
+--- a/tests/suite/testcompat-main-openssl
 b/tests/suite/testcompat-main-openssl
+@@ -74,7 +74,6 @@ NO_TLS1_2=$?
+ 
+ test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+ 
+-
+ ${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
+ if test $? = 0;then
+ 	NO_DH_PARAMS=0
+@@ -82,18 +81,8 @@ else
+ 	NO_DH_PARAMS=1
+ fi
+ 
+-# Do not use DSS or curves <=256 bits in 1.1.1+ because these
+-# are not accepted by openssl on debian.
+-${SERV} version|grep -e '[1-9]\.[1-9]\.[1-9]' >/dev/null 2>&1
+-if test $? = 0;then
+-	NO_DSS=1
+-	FIPS_CURVES=1
+-else
+-	${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+-	NO_DSS=$?
+-fi
+-
+-test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled"
++${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
++NO_DSS=$?
+ 
+ if test $NO_DSS != 0;then
+ 	echo "Disabling interop tests for DSS ciphersuites"
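Review bot: FIPS_CURVES is no longer assigned anywhere in this hunk and only its echo is removed; if any later line of the script still does `test $FIPS_CURVES = 1`, that now expands to `test = 1` and fails with "unary operator expected", so the rest of the file needs a grep for that name before this lands. Separately, `${SERV} ciphers -v ALL` lists every suite that matches the string irrespective of the security level, so NO_DSS only says that DSS suites are compiled in. That is the right question as long as the servers are started with `ALL:@SECLEVEL=1` as the last hunk does; if the probe is meant to mirror what the server will actually offer, `ciphers -s` (1.1.0 and later) with the same `ALL:@SECLEVEL=1` string gives that answer directly, at the cost of the 1.0.x fallback the NO_DH_PARAMS check above still caters for.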
+@@ -121,6 +110,10 @@ NO_NULL=$?
+ 
+ test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
+ 
++${SERV} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
++NO_PRIME192v1=$?
++
++test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
+ 
+ if test "${NO_DH_PARAMS}" = 0;then
+ 	OPENSSL_DH_PARAMS_OPT=""
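Review bot: `ecparam -list_curves` reports that prime192v1 is compiled in, not that it is usable: a 192-bit curve offers roughly 96 bits of security, which the SECLEVEL=2 default the commit message describes rejects (112-bit floor) and SECLEVEL=1 accepts (80-bit floor). NO_PRIME192v1=0 is therefore only meaningful for invocations that also pass `@SECLEVEL=1`. Nothing in this hunk consumes the new variable either; please include the hunk that gates the prime192v1 tests on it, otherwise the probe is dead code.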
+@@ -218,7 +211,7 @@ run_client_suite() {
+ 
+ 	#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++	launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_P
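Review bot: lowering the -tls1 server to `ALL:@SECLEVEL=1` is the right scope, since the pre-1.2 runs are the ones the Debian default blocks, but the debdiff is cut off here so it is not visible whether the TLS 1.2 servers keep the default level. Please confirm that only the -tls1/-tls1_1 invocations get the override; otherwise the interop run stops exercising the SECLEVEL=2 build Debian actually ships, and the failure discussed in Bug#959469 would be masked rather than understood.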

Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

2022-03-20 Thread Sebastian Andrzej Siewior
On 2022-03-20 23:15:57 [+0100], Kurt Roeckx wrote:
> > https://ci.debian.net/data/autopkgtest/oldstable/amd64/g/gnutls28/20199677/log.gz
> > 
> > Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > %COMPAT: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > *** Fatal error: A TLS fatal alert has been received.
> > Failure: Failed
> > *** Fatal error: A TLS fatal alert has been received.
> > %NO_ETM: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > Failure: Failed
> > *** Fatal error: A TLS fatal alert has been received.
> > Failure: Failed
> > FAIL [11]../../tests/suite/testcompat-main-openssl
> > 
> > Which, according to me, is this check:
> > https://sources.debian.org/src/gnutls28/3.6.7-4%2Bdeb10u7/tests/suite/testcompat-main-openssl/#L307
> 
> That test still seems to exist, but is just moved to a different file:
> https://github.com/gnutls/gnutls/blob/master/tests/suite/testcompat-openssl-cli-common.sh#L255
> 
> My understanding is that gnutls now passes the correct list of signature
> algorithms to use to OpenSSL's s_client to be able to do that test, and
> that this is probably fixed by:
> https://github.com/gnutls/gnutls/commit/23958322865a8a77c2f924f569484e5fd150a24b
> (and 
> https://github.com/gnutls/gnutls/commit/8259a1dc8503ad760c0887eb95278f9957a00667)
> 
> I'm trying to remember what was changed and why, but I can't
> find/remember it.

The change in openssl is commit
   cc7c6eb8135b ("Check that the default signature type is allowed")

The server is
openssl s_server -quiet -www -accept 57687 -keyform pem -certform pem -tls1 \
 -key tests/certs/ecc384.pem -cert tests/certs/cert-ecc384.pem -Verify 1 \
 -named_curve secp384r1 -CAfile tests/certs/ca-cert-ecc.pem

The client is
/usr/bin/gnutls-cli -p 57687 127.0.0.1 \
  --priority NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL \
  --insecure --x509certfile tests/certs/cert-ecc384.pem --x509keyfile tests/certs/ecc384.pem

Before the commit in question it connects as:
  - Description: (TLS1.0)-(ECDHE-SECP384R1)-(AES-256-CBC)-(SHA1)

after that, the server throws:
  140490373015360:error:14201044:SSL routines:tls_choose_sigalg:internal error:../ssl/t1_lib.c:2880:

and it appears that the security level in openssl forbids SHA1 here.
The argument on the s_server side
 -sigalgs RSA+SHA1:RSA+SHA256:DSA+SHA1:DSA+SHA256

doesn't help here but
 -cipher "ALL:@SECLEVEL=1"

does. 

> Kurt

Sebastian
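
The distinction the failing interop test trips over is "compiled in" versus "accepted at this security level", and `openssl ciphers` without `-s` only answers the first. The probe below is an added example written for this page, not code from gnutls, OpenSSL or the Debian package. It assumes an OpenSSL 1.1.0 or newer `openssl` binary on PATH (the `-s` option of `openssl ciphers` and the `@SECLEVEL=` keyword do not exist in 1.0.x, which is why the testcompat script cannot use them unconditionally); the function names `accepted_at_level`, `max_seclevel` and `probe_all` are the example's own.

```sh
#!/bin/sh
# Added example for this thread; not code from gnutls, OpenSSL or Debian.
# Assumes an OpenSSL >= 1.1.0 `openssl` on PATH: `ciphers -s` and the
# @SECLEVEL= keyword are absent in 1.0.x. Function names are this example's.

OPENSSL=${OPENSSL:-openssl}

# accepted_at_level SUITE LEVEL
#   0: SUITE survives OpenSSL's security-level filter at LEVEL (0-5)
#   1: SUITE is compiled in but filtered out at LEVEL
#   2: `openssl ciphers` itself failed (unknown suite, no @SECLEVEL support)
accepted_at_level() {
    suite=$1
    level=$2
    # Without -s, `openssl ciphers` prints every suite matching the string
    # no matter what @SECLEVEL says. With -s it applies the same filter a
    # handshake applies (SSL_get1_supported_ciphers), so the result is what
    # a server started with this cipher string would actually offer.
    list=$("$OPENSSL" ciphers -s "${suite}:@SECLEVEL=${level}" 2>/dev/null) || return 2
    # Output is one colon-separated line; TLS 1.3 suites are always listed,
    # so match the requested name exactly rather than counting lines.
    printf '%s\n' "$list" | tr ':' '\n' | grep -qx "$suite"
}

# max_seclevel SUITE
#   Prints the highest level 0-5 at which SUITE is still usable, -1 if none.
max_seclevel() {
    suite=$1
    best=-1
    for level in 0 1 2 3 4 5; do
        if accepted_at_level "$suite" "$level"; then
            best=$level
        fi
    done
    printf '%s\n' "$best"
}

# probe_all SUITE...
#   Reports the ceiling for each suite; level 4 raises the floor to 192-bit
#   security and level 5 to 256-bit, which is where AES-128 suites drop out.
probe_all() {
    for suite in "$@"; do
        printf '%-32s max usable security level: %s\n' \
            "$suite" "$(max_seclevel "$suite")"
    done
}

if [ $# -gt 0 ]; then
    probe_all "$@"
else
    probe_all ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
fi
```

With the two default suites the ceiling comes out as 3 for ECDHE-RSA-AES128-GCM-SHA256 and 5 for ECDHE-RSA-AES256-GCM-SHA384. The probe answers the cipher-suite half of the question only: the signature hash (SHA1 in the failure above) and the peer's key size are judged at handshake time, which is why `-sigalgs` could not rescue the -tls1 server while `@SECLEVEL=1` could.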



Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-03-18 Thread Sebastian Andrzej Siewior
On 2022-03-18 14:51:32 [+], Adam D. Barratt wrote:
> Boo. Hope you're doing better.

Thanks, yes.

> > I would also do the upload for Buster, would that work? I remember that
> > the packages that broke were already uploaded a few cycles ago.
> 
> Also as 1.1.1n?

Yes.

> I assume there haven't been any regressions reported with l/m/n in the
> meantime.

Not that I am aware of. I'm adding Kurt explicitly in To: in case he has
some secret knowledge.
Just uploaded the Bullseye version.

> Regards,
> 
> Adam

Sebastian



Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-03-18 Thread Sebastian Andrzej Siewior
On 2022-03-18 09:21:50 [+], Adam D. Barratt wrote:
> Apologies if the status here got confused - based on the above, I was
> assuming that in the absence of a negative response you would proceed
> with the 1.1.1n-0+deb11u1 plan. For complete clarity, please feel free
> to do so, bearing in mind that the window for the 11.3 point release
> closes over this weekend.

No need to apologise. I did plan to do it on WED but got busy with other
things, got sick on THU and couldn't do anything, so the plan is indeed
today.

I would also do the upload for Buster, would that work? I remember that
the packages that broke were already uploaded a few cycles ago.

Thank you!

> Regards,
> 
> Adam

Sebastian



Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-03-08 Thread Sebastian Andrzej Siewior
On 2022-02-19 17:57:25 [+], Adam D. Barratt wrote:
> Feel free to upload; we'll wait for the d-i ack before accepting the
> package into p-u.

There will be the release of 1.1.1n on Tuesday 15th March 2022 including
a security fix. Therefore I will:
- prepare a security release against 1.1.1k-1+deb11u1 which will be
  released via d-security.
- respond to this bug with a debdiff against 1.1.1m-0+deb11u1
- upload 1.1.1n-0+deb11u1.

Please say if I should delay my upload until a request from the release
team happens, prepare a debdiff against another release or if there is
something else.

> Regards,
> 
> Adam

Sebastian



Bug#995636: transition: openssl

2022-03-01 Thread Sebastian Andrzej Siewior
Control: tags -1 - moreinfo

Removing the moreinfo tag since I provided more information in my previous
reply.

On 2022-02-28 00:23:22 [+0100], To 995...@bugs.debian.org wrote:
> On 2022-02-14 15:01:34 [+0100], To Sebastian Ramacher wrote:
> > On 2022-02-01 21:11:11 [+0100], Sebastian Ramacher wrote:
> > > > Could you please update this transition request?  It's open for four
> > > > months and no visible response.
> > > 
> > > Kurt mentioned some 100 packages failing to build. I only see a handful
> > > of bugs filed. So what's the status on those build failures?
> > 
> > So new logs probably…
> 
> Gathered new logs and finally processed them \o/. The list at
>
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-openssl-de...@lists.alioth.debian.org=ftbfs-3.0
> 
> has been updated accordingly. I added bugs for packages for FTBFS which
> existed without new openssl (say due new gcc, old debhelper, …). I was
> not able to build a few packages (25) because the build dependency could
> not have been satisfied at the time.
 
Sebastian



Bug#995636: transition: openssl

2022-02-27 Thread Sebastian Andrzej Siewior
On 2022-02-14 15:01:34 [+0100], To Sebastian Ramacher wrote:
> On 2022-02-01 21:11:11 [+0100], Sebastian Ramacher wrote:
> > > Could you please update this transition request?  It's open for four
> > > months and no visible response.
> > 
> > Kurt mentioned some 100 packages failing to build. I only see a handful
> > of bugs filed. So what's the status on those build failures?
> 
> So new logs probably…

Gathered new logs and finally processed them \o/. The list at
   
https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-openssl-de...@lists.alioth.debian.org=ftbfs-3.0

has been updated accordingly. I added bugs for packages for FTBFS which
existed without new openssl (say due new gcc, old debhelper, …). I was
not able to build a few packages (25) because the build dependency could
not have been satisfied at the time.

Sebastian



Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-02-24 Thread Sebastian Andrzej Siewior
On 2022-02-19 17:57:25 [+], Adam D. Barratt wrote:
> 
> Feel free to upload; we'll wait for the d-i ack before accepting the
> package into p-u.

Okay. The Bullseye package has been uploaded.

> Regards,
> 
> Adam

Sebastian



Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-02-19 Thread Sebastian Andrzej Siewior
On 2022-02-19 17:04:16 [+], Adam D. Barratt wrote:
> Control: tags -1 + confirmed d-i
…
> Thanks. Assuming the above is still accurate, then this looks good to
> me.
> 
> As the package builds a udeb, it will need a d-i ack; tagging and CCing
> accordingly.

I'm confused. May I upload or do I wait for the d-i ack?

> Regards,
> 
> Adam

Sebastian



Bug#995636: transition: openssl

2022-02-14 Thread Sebastian Andrzej Siewior
On 2022-02-01 21:11:11 [+0100], Sebastian Ramacher wrote:
> > Could you please update this transition request?  It's open for four
> > months and no visible response.
> 
> Kurt mentioned some 100 packages failing to build. I only see a handful
> of bugs filed. So what's the status on those build failures?

I'm not sure. I checked & filed some bugs over the weekend and added a
few which were filed by Ubuntu devs but not tagged as Kurt did. This
took more time than expected.
I will probably do a rebuild of the packages to be sure to have today's
view. Some build failures got fixed in the meantime while the
packages are listed as "fail" in my old (OCT) logs (php, ruby3 (not
ruby2 but is going to be removed)).
So new logs probably…

> Cheers

Sebastian



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-25 Thread Sebastian Andrzej Siewior
On 2022-01-25 18:46:16 [+], Adam D. Barratt wrote:
> For the record, .5 was released via {buster,bullseye}-updates last
> night; see SUA211-1 / 
> https://lists.debian.org/debian-stable-announce/2022/01/msg1.html

Thank you.

> Regards,
> 
> Adam

Sebastian



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-14 Thread Sebastian Andrzej Siewior
103.4 to adapt to many kinds of systems.
+\`configure' configures ClamAV 0.103.5 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1687,7 +1687,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of ClamAV 0.103.4:";;
+ short | recursive ) echo "Configuration of ClamAV 0.103.5:";;
esac
   cat <<\_ACEOF
   --enable-dependency-tracking
@@ -1922,7 +1922,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-ClamAV configure 0.103.4
+ClamAV configure 0.103.5
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2550,7 +2550,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by ClamAV $as_me 0.103.4, which was
+It was created by ClamAV $as_me 0.103.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4308,7 +4308,7 @@
 
 # Define the identity of the package.
  PACKAGE='clamav'
- VERSION='0.103.4'
+ VERSION='0.103.5'
 
 
 # Some tools Automake needs.
@@ -6036,7 +6036,7 @@
 $as_echo "#define PACKAGE PACKAGE_NAME" >>confdefs.h
 
 
-VERSION="0.103.4"
+VERSION="0.103.5"
 
 major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/^0-9//g"`
 minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/^0-9//g"`
@@ -31896,7 +31896,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.103.4, which was
+This file was extended by ClamAV $as_me 0.103.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -31963,7 +31963,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.4
+ClamAV config.status 0.103.5
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -34813,7 +34813,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.103.4, which was
+This file was extended by ClamAV $as_me 0.103.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -34880,7 +34880,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.4
+ClamAV config.status 0.103.5
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
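Review bot: every configure hunk up to here is the regenerated 0.103.4 to 0.103.5 version string and carries nothing to review, while the debian/ changes that matter sit behind hunks at line 34880 of a generated file; for the -pu request, a diff restricted to debian/ (for example `filterdiff -i '*/debian/*'` from patchutils) or one with those hunks first would let the release team see the actual packaging change, which is what the reduced diffs mentioned earlier in this thread were about.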
diff -Nru clamav-0.103.4+dfsg/configure.ac clamav-0.103.5+dfsg/configure.ac
--- clamav-0.103.4+dfsg/configure.ac	2021-11-13 21:57:13.0 +0100
+++ clamav-0.103.5+dfsg/configure.ac	2022-01-12 20:53:22.0 +0100
@@ -1,4 +1,4 @@
-dnl   Copyright (C) 2013-2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+dnl   Copyright (C) 2013-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
 dnl   Copyright (C) 2007-2013 Sourcefire, Inc.
 dnl   Copyright (C) 2002-2007 Tomasz Kojm 
 dnl   socklen_t check (c) Alexander V. Lukyanov 
@@ -22,7 +22,7 @@
 
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.103.4], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
+AC_INIT([ClamAV], [0.103.5], [https://github.com/Cisco-Talos/clamav/issues], [clamav], [https://www.clamav.net/])
 
 dnl put configure auxiliary into config
 AC_CONFIG_AUX_DIR([config])
diff -Nru clamav-0.103.4+dfsg/debian/changelog clamav-0.103.5+dfsg/debian/changelog
--- clamav-0.103.4+dfsg/debian/changelog	2021-12-16 21:02:29.0 +0100
+++ clamav-0.103.5+dfsg/debian/changelog	2022-01-13 21:49:00.0 +0100
@@ -1,3 +1,11 @@
+clamav (0.103.5+dfsg-0+deb11u1) bullseye; urgency=medium
+
+  * Import 0.103.5
+   - CVE-2022-20698 (Fix for invalid pointer read that may cause a crash).
+   - Update symbol file.
+
+ -- Sebastian Andrzej Siewior   Thu, 13 Jan 2022 21:49:00 +0100
+
 clamav (0.103.4+dfsg-0+deb11u1) bullseye; urgency=medium
 
   * Import 0.103.4
diff -Nru clamav-0.103.4+dfsg/debian/.git-dpm clamav-0.103.5+dfsg/debian/.git-dpm
--- clamav-0.103.4+dfsg/debian/.git-dpm	2021-12-16 21:02:29.0 +0100
+++ clamav-0.103.5+dfsg/debian/.git-dpm	2022-01-13 21:49:00.0 +0100
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-a9367dca1bb602551ab6475b4a4582a6b1de45c5
-a9367dca1bb602551ab6475b4a4582a6b1de45c5
-86cddd22c95e08757ac21ab

Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-12 Thread Sebastian Andrzej Siewior
On 2022-01-11 21:17:54 [+], Adam D. Barratt wrote:
> Now that the equivalent update made it to stretch, this seems as good a
> time as any - I'm assuming that no major issues have ben reported in
> unstable in the meantime?

correct.

> I wasn't really sure which of the changes made sense to mention, but
> had a go at an initial draft for an announcement. Tweaks, updates or
> complete rewrites welcome:
> 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> ClamAV is an AntiVirus toolkit for Unix.
> 
> Upstream published version 0.103.4.
> 
> This is a bug-fix release and an upstream LTS release. The changes are not
> currently required for operation, but upstream strongly recommends that users
> update.

Maybe adding something like
  ", but upstream strongly recommends that users update for continued
  support."

Upstream asks to use latest patch level version for support which
includes access to the signature database.

Speaking of latest patch version: Upstream released today .5. Would you
prefer to wait with this until I upload .5 to unstable and
stable/oldstable for this (and avoiding a second announcement)?

> Changes since 0.103.3 currently in buster and bullseye include fixes for
> several possible crashes, corrected handling of 0-byte incremental database
> updates and the renaming of several heuristic-based alerts.
> 
> If you use clamav, we recommend that you install this update.
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> 
> Regards,
> 
> Adam

Sebastian



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2021-12-23 Thread Sebastian Andrzej Siewior
On 2021-12-23 15:38:16 [+], Adam D. Barratt wrote:
> Hi,
Hi Adam,

> fwiw, even with the reduced diffs, neither request made it to debian-
> release.

Oh shoot. You're the best Adam. I meant to ping the list in case it
didn't make it through but forgot to check…

> Were you anticipating that 0.103.4 would get published via -updates, or
> simply with the next point releases?

it would be good to get it published via -updates. No need to rush.

> Regards,
> 
> Adam

Sebastian



Bug#995636: OpenSSL 3.0 - Apache 2.0 vs GPL 2 (Re: Bug#995636: transition: openssl)

2021-10-05 Thread Sebastian Andrzej Siewior
On 2021-10-05 20:03:49 [+0200], Michael Biebl wrote:
> Hi Kurt, hi Luca, hi everyone,
Hi Michael,

> That said, I'm not a lawyer and reading license texts hurts my brain.
> So my goal is is mainly to raise awareness of this issue and seek input from
> the community.

GPL code which is linked against OpenSSL usually has a "gpl-exception
clause for OpenSSL". This should still be accepted since it refers
specifically to OpenSSL.

Additionally OpenSSL is considered system library, see
  https://bugs.debian.org/951780
  https://bugs.debian.org/972181

> Regards,
> Michael

Sebastian



Bug#993822: bullseye-pu: package clamav/0.103.3+dfsg-0+deb11u1

2021-09-10 Thread Sebastian Andrzej Siewior
On 2021-09-10 11:49:39 [+0100], Adam D. Barratt wrote:
> It appears that the bullseye upload is stuck on the upload queue,
> because:

Thank you.

> Regards,
> 
> Adam
Sebastian



Bug#993823: buster-pu: package clamav/0.103.3+dfsg-0+deb10u1

2021-09-06 Thread Sebastian Andrzej Siewior
 0.103.2, which was
+This file was extended by ClamAV $as_me 0.103.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -31963,7 +31963,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.2
+ClamAV config.status 0.103.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -34813,7 +34813,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.103.2, which was
+This file was extended by ClamAV $as_me 0.103.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -34880,7 +34880,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.2
+ClamAV config.status 0.103.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru clamav-0.103.2+dfsg/configure.ac clamav-0.103.3+dfsg/configure.ac
--- clamav-0.103.2+dfsg/configure.ac2021-04-12 20:43:41.0 +0200
+++ clamav-0.103.3+dfsg/configure.ac2021-06-27 21:39:58.0 +0200
@@ -22,7 +22,7 @@
 
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.103.2], [https://bugzilla.clamav.net/], [clamav], 
[https://www.clamav.net/])
+AC_INIT([ClamAV], [0.103.3], [https://bugzilla.clamav.net/], [clamav], 
[https://www.clamav.net/])
 
 dnl put configure auxiliary into config
 AC_CONFIG_AUX_DIR([config])
diff -Nru clamav-0.103.2+dfsg/debian/changelog 
clamav-0.103.3+dfsg/debian/changelog
--- clamav-0.103.2+dfsg/debian/changelog2021-04-14 08:38:52.0 
+0200
+++ clamav-0.103.3+dfsg/debian/changelog2021-09-04 15:51:26.0 
+0200
@@ -1,3 +1,14 @@
+clamav (0.103.3+dfsg-0+deb10u1) buster; urgency=medium
+
+  * Import 0.103.3
+- Update symbol file.
+- Regression: clamdscan segfaults with --fdpass --multipass and
+  ExcludePath (Closes: #988218).
+  * Remove clamav user on purge (Closes: #987861).
+  * Remove freshclam.dat on purge.
+
+ -- Sebastian Andrzej Siewior   Sat, 04 Sep 2021 
15:51:26 +0200
+
 clamav (0.103.2+dfsg-0+deb10u1) buster; urgency=medium
 
   [ Sebastian Andrzej Siewior ]
diff -Nru clamav-0.103.2+dfsg/debian/clamav-base.postrm 
clamav-0.103.3+dfsg/debian/clamav-base.postrm
--- clamav-0.103.2+dfsg/debian/clamav-base.postrm   2021-04-14 
08:38:52.0 +0200
+++ clamav-0.103.3+dfsg/debian/clamav-base.postrm   2021-09-04 
15:51:26.0 +0200
@@ -41,6 +41,7 @@
   rm -f /var/log/clamav/*.log* /etc/clamav/*.conf.dpkg-old
   rm -f /var/lib/clamav/*.md5sum || true
   rm -f $DATABASEDIR/main.cvd $DATABASEDIR/daily.cvd $DATABASEDIR/bytecode.cvd 
$DATABASEDIR/bytecode.cld
+  userdel clamav || true
   ;;
   remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
   ;;
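Review bot: `userdel clamav || true` runs on every purge and swallows all failures, including "user currently used by process" when clamd or freshclam from a sibling package is still running, whereas "user does not exist" is the only case the `|| true` should cover. It also removes the account while files it may still own are left behind: the rm lines above cover specific files under $DATABASEDIR, /var/lib/clamav and /var/log/clamav but not the directories or anything else in them, so those keep a dangling UID that the next adduser --system can hand to an unrelated service. Guard it with `getent passwd clamav >/dev/null && deluser --system clamav` (deluser is what the adduser package provides for this), and remove or reassign the leftover tree before the account goes.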
diff -Nru clamav-0.103.2+dfsg/debian/clamav-freshclam.postrm 
clamav-0.103.3+dfsg/debian/clamav-freshclam.postrm
--- clamav-0.103.2+dfsg/debian/clamav-freshclam.postrm  2021-04-14 
08:38:52.0 +0200
+++ clamav-0.103.3+dfsg/debian/clamav-freshclam.postrm  2021-09-04 
15:51:26.0 +0200
@@ -45,6 +45,7 @@
 ${workdir}/daily.inc/* \
 ${workdir}/main.inc/* \
 ${workdir}/mirrors.dat \
+${workdir}/freshclam.dat \
 ${workdir}/interface"
   for i in $RMLIST; do
 rm -f $i > /dev/null 2>&1 || true
diff -Nru clamav-0.103.2+dfsg/debian/.git-dpm 
clamav-0.103.3+dfsg/debian/.git-dpm
--- clamav-0.103.2+dfsg/debian/.git-dpm 2021-04-14 08:38:52.0 +0200
+++ clamav-0.103.3+dfsg/debian/.git-dpm 2021-09-04 15:51:26.0 +0200
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-5938bac12638f6fe722adbc5e382c347268f0431
-5938bac12638f6fe722adbc5e382c347268f0431
-21b35cadc5ce6e45c2700201681499bc45eb5419
-21b35cadc5ce6e45c2700201681499bc45eb5419
-clamav_0.103.2+dfsg.orig.tar.xz
-461ec3a7b45851e31a1cd9a4458473f9b4dc2677
-5123788
+72146c7665650e0727a520e5235130c229c1e5eb
+72146c7665650e0727a520e5235130c229c1e5eb
+576c3dc22d608d90c712c86aab8905d8d5ce619a
+576c3dc22d608d90c712c86aab8905d8d5ce619a
+clamav_0.103.3+dfsg.orig.tar.xz
+1c8ffd98a7bdeec6bc329218da5d4f8e1f912333
+5124272
diff -Nru clamav-0.103.2+dfsg/debian/libclamav9.symbols 
clamav-0.103.3+dfsg/debian/libclamav9.symbols
--- clamav-0.103.2+dfsg/debian/libclamav9.symbols   2021-04-14 
08:38:52.0 +0200
+++ clamav-0.103.3+dfsg/debian/libclamav9.symbols   2021-09-04 
15:51:26.0 +0200
@@ -1,20 +1,20 @@
 libclamav.so.9 libclamav9 #MINVER#
 * Build-Depends-Package: l

Bug#993822: bullseye-pu: package clamav/0.103.3+dfsg-0+deb11u1

2021-09-06 Thread Sebastian Andrzej Siewior
as_me 0.103.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -31963,7 +31963,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.2
+ClamAV config.status 0.103.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -34813,7 +34813,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.103.2, which was
+This file was extended by ClamAV $as_me 0.103.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -34880,7 +34880,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.103.2
+ClamAV config.status 0.103.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru clamav-0.103.2+dfsg/configure.ac clamav-0.103.3+dfsg/configure.ac
--- clamav-0.103.2+dfsg/configure.ac2021-04-12 20:43:41.0 +0200
+++ clamav-0.103.3+dfsg/configure.ac2021-06-27 21:39:58.0 +0200
@@ -22,7 +22,7 @@
 
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.103.2], [https://bugzilla.clamav.net/], [clamav], 
[https://www.clamav.net/])
+AC_INIT([ClamAV], [0.103.3], [https://bugzilla.clamav.net/], [clamav], 
[https://www.clamav.net/])
 
 dnl put configure auxiliary into config
 AC_CONFIG_AUX_DIR([config])
diff -Nru clamav-0.103.2+dfsg/debian/changelog 
clamav-0.103.3+dfsg/debian/changelog
--- clamav-0.103.2+dfsg/debian/changelog2021-04-15 21:59:11.0 
+0200
+++ clamav-0.103.3+dfsg/debian/changelog2021-09-04 16:48:13.0 
+0200
@@ -1,3 +1,14 @@
+clamav (0.103.3+dfsg-0+deb11u1) bullseye; urgency=medium
+
+  * Import 0.103.3
+- Update symbol file.
+- Regression: clamdscan segfaults with --fdpass --multipass and
+  ExcludePath (Closes: #988218).
+  * Remove clamav user on purge (Closes: #987861).
+  * Remove freshclam.dat on purge.
+
+ -- Sebastian Andrzej Siewior   Sat, 04 Sep 2021 
16:48:13 +0200
+
 clamav (0.103.2+dfsg-2) unstable; urgency=medium
 
   * Remove deprecated option SafeBrowsing from debconf templates.
diff -Nru clamav-0.103.2+dfsg/debian/clamav-base.postrm 
clamav-0.103.3+dfsg/debian/clamav-base.postrm
--- clamav-0.103.2+dfsg/debian/clamav-base.postrm   2021-04-15 
21:43:06.0 +0200
+++ clamav-0.103.3+dfsg/debian/clamav-base.postrm   2021-09-04 
16:48:13.0 +0200
@@ -41,6 +41,7 @@
   rm -f /var/log/clamav/*.log* /etc/clamav/*.conf.dpkg-old
   rm -f /var/lib/clamav/*.md5sum || true
   rm -f $DATABASEDIR/main.cvd $DATABASEDIR/daily.cvd $DATABASEDIR/bytecode.cvd 
$DATABASEDIR/bytecode.cld
+  userdel clamav || true
   ;;
   remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
   ;;
diff -Nru clamav-0.103.2+dfsg/debian/clamav-freshclam.postrm 
clamav-0.103.3+dfsg/debian/clamav-freshclam.postrm
--- clamav-0.103.2+dfsg/debian/clamav-freshclam.postrm  2021-04-15 
21:43:06.0 +0200
+++ clamav-0.103.3+dfsg/debian/clamav-freshclam.postrm  2021-09-04 
16:48:13.0 +0200
@@ -45,6 +45,7 @@
 ${workdir}/daily.inc/* \
 ${workdir}/main.inc/* \
 ${workdir}/mirrors.dat \
+${workdir}/freshclam.dat \
 ${workdir}/interface"
   for i in $RMLIST; do
 rm -f $i > /dev/null 2>&1 || true
diff -Nru clamav-0.103.2+dfsg/debian/.git-dpm 
clamav-0.103.3+dfsg/debian/.git-dpm
--- clamav-0.103.2+dfsg/debian/.git-dpm 2021-04-15 21:43:06.0 +0200
+++ clamav-0.103.3+dfsg/debian/.git-dpm 2021-09-04 16:44:34.0 +0200
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-d1675a89d94c7e6e90e5087f587cdeb23b9af66d
-d1675a89d94c7e6e90e5087f587cdeb23b9af66d
-21b35cadc5ce6e45c2700201681499bc45eb5419
-21b35cadc5ce6e45c2700201681499bc45eb5419
-clamav_0.103.2+dfsg.orig.tar.xz
-461ec3a7b45851e31a1cd9a4458473f9b4dc2677
-5123788
+de2e7f2bf2479a18a94f0bbe2e32fe67f49b845d
+de2e7f2bf2479a18a94f0bbe2e32fe67f49b845d
+576c3dc22d608d90c712c86aab8905d8d5ce619a
+576c3dc22d608d90c712c86aab8905d8d5ce619a
+clamav_0.103.3+dfsg.orig.tar.xz
+1c8ffd98a7bdeec6bc329218da5d4f8e1f912333
+5124272
diff -Nru clamav-0.103.2+dfsg/debian/libclamav9.symbols 
clamav-0.103.3+dfsg/debian/libclamav9.symbols
--- clamav-0.103.2+dfsg/debian/libclamav9.symbols   2021-04-15 
21:43:06.0 +0200
+++ clamav-0.103.3+dfsg/debian/libclamav9.symbols   2021-09-04 
16:47:50.0 +0200
@@ -1,20 +1,20 @@
 libclamav.so.9 libclamav9 #MINVER#
 * Build-Depends-Package: libclamav-dev
- CLAMAV_

Bug#987038: buster-pu: package clamav/0.103.2+dfsg-0+deb10u1

2021-04-23 Thread Sebastian Andrzej Siewior
On 2021-04-23 08:21:44 [+0100], Adam D. Barratt wrote:
> Ah, apologies for not spotting that from your earlier mail. An updated
> draft:

This is perfect Adam, thank you.

> 
> Regards,
> 
> Adam
> 

Sebastian



Bug#987038: buster-pu: package clamav/0.103.2+dfsg-0+deb10u1

2021-04-23 Thread Sebastian Andrzej Siewior
On 2021-04-22 16:58:46 [+0100], Adam D. Barratt wrote:
> On Wed, 2021-04-21 at 21:35 +0200, Sebastian Andrzej Siewior wrote:
> > On 2021-04-20 20:52:09 [+0100], Adam D. Barratt wrote:
> > > Please feel free to upload. I assume that, given there are security
> > > fixes involved, you'd prefer an early release via stable-updates as
> > > we've done with a number of updates in the past?
> > 
> > Thank you, uploaded. Yes, please. In the past we had it stable-pu for
> > a day or two and then enabled it via stable/updates if I remember
> > correctly. 
> 
> I think that's more a function of the time it takes to notice that
> everything built, prepare the SUA text and then have an SRM be
> available near enough to a dinstall to release the announcement mail,
> rather than a deliberate choice.

I see.

> I drafted some text for an SUA; comments / complete rewriting welcome:
> 
> =
> ClamAV is an AntiVirus toolkit for Unix.
> 
> Upstream published version 0.103.2.
> 
> This is a bug-fix release.
> 
> Changes since 0.102.3 currently in buster include the removal of the
> "safe browsing" signature database, and fixes for security issues.
This version also introduced non-blocking database reloads in which
clamd temporarily requires twice as much memory. The behaviour is
controlled by the ConcurrentDatabaseReload option.

> CVE-2021-1405
> 
> A vulnerability in the email parsing module could allow an
> unauthenticated, remote attacker to cause a denial of service
> condition on an affected device
> 
> If you use clamav, we recommend that you install this update.
> =
> 
> I realise that there are fixes for more CVEs in 0.103.2, but did not
> mention them as they're not changes relative to the current buster
> package AIUI.

This is correct.

> I also removed our usual "[t]he changes are not strictly
> required for operation" text, as I wasn't sure if that's actually
> accurate in this case.

Yes, at least due to the CVEs in here I would consider that this is
required for operation due to the security aspect.

Thank you.

> Regards,
> 
> Adam

Sebastian



Bug#987038: buster-pu: package clamav/0.103.2+dfsg-0+deb10u1

2021-04-21 Thread Sebastian Andrzej Siewior
On 2021-04-20 20:52:09 [+0100], Adam D. Barratt wrote:
> 
> I'm certainly happy to defer to your judgement here, given our previous
> experience with clamav updates in stable. I was simply trying to
> ascertain the scale of the update involved, but fear I may have just
> confused the discussion; perhaps it doesn't really matter that much, in
> the end.

Sure thing. I tried to cover some bits regarding the update in the
initial bug report. If you have any questions feel free to ask.

> Please feel free to upload. I assume that, given there are security
> fixes involved, you'd prefer an early release via stable-updates as
> we've done with a number of updates in the past?

Thank you, uploaded. Yes, please. In the past we had it stable-pu for a
day or two and then enabled it via stable/updates if I remember
correctly. If you want me to draft an SUA, I could try to.

> Regards,
> 
> Adam

Sebastian



Bug#987038: buster-pu: package clamav/0.103.2+dfsg-0+deb10u1

2021-04-20 Thread Sebastian Andrzej Siewior
On 2021-04-19 21:15:06 [+0100], Adam D. Barratt wrote:
> > > I guess the diff against the current buster package is quite large
> > > by
> > > this point?
> > 
> > What do you mean by this point? We did full clamav uploads in the
> > past.
> > Please excuse if I miss something obvious.
> 
> Sorry, that may have been poor phrasing on my part. I simply meant
> between the current and proposed packages, as we're changing the
> upstream major version tree being followed.

Correct, we advance from 102 to 103. The 102 series seems not to be
updated anymore. As I tried to argue, I don't think that it is enough
to backport that one CVE that also applies to 102 (as done by the LTS
team) in terms of security and support.
This is not the first time that a major version is advanced within a
stable update. We did have 0.101.2+dfsg-1+deb10u1 before it was updated
to 102. Stretch went from 0.99.2+dfsg-6+deb9u1 to 0.102.3+dfsg-0~deb9u1
(not counting LTS).

> Regards,
> 
> Adam

Sebastian



Bug#987038: buster-pu: package clamav/0.103.2+dfsg-0+deb10u1

2021-04-19 Thread Sebastian Andrzej Siewior
On 2021-04-19 19:41:58 [+0100], Adam D. Barratt wrote:
> On Fri, 2021-04-16 at 09:27 +0200, Sebastian Andrzej Siewior wrote:
> > This is an update from ClamAV from 0.102.4 to 0.103.2. The 103
> > release was in unstable since the beginning. I skipped it for Buster
> > back then because the 102 based release received a security update
> > and it appeared to contain the important bits.
> > 
> > Now, with the 103.2 release there is no update for the 102 based
> > release. At least one CVE was identified as also affecting Buster. 
> 
> I guess the diff against the current buster package is quite large by
> this point?

What do you mean by this point? We did full clamav uploads in the past.
Please excuse if I miss something obvious.

> Regards,
> 
> Adam

Sebastian



Bug#987038: buster-pu: package clamav/0.103.2+dfsg-0+deb10u1

2021-04-16 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

This is an update of ClamAV from 0.102.4 to 0.103.2. The 103 release
was in unstable since the beginning. I skipped it for Buster back then
because the 102 based release received a security update and it appeared
to contain the important bits.

Now, with the 103.2 release there is no update for the 102 based
release. At least one CVE was identified as also affecting Buster. There
is also another change regarding "memory leak in PNG parser" which has
no attribution, and a memory leak in clamav, which is often used in an
email setup scanning incoming mail, could be exploited, bringing the
system to an OOM condition and hopefully killing only the clamav daemon.
Looking further, I identified two changes

  https://github.com/Cisco-Talos/clamav-devel/commit/ba6467a6a6f7d749f3011c38e76573c75676e37f
  https://github.com/Cisco-Talos/clamav-devel/commit/1a8b164b4f513460c8334521f0797aaf81d15699

which fix two leaks which also apply to the version currently in Buster.
I didn't look further…
The 103.2 release also received updates regarding freshclam including
improved error code handling, probably related to the CDN they are using.
The "safebrowsing" has been disabled in clamav. It has been announced
half a year ago [0] and they are asking [1] now to finally disable it as
the file is no longer served. The current release disables it and
removes it from the config file (and debconf templates).

Testing wise, the 103.0 release landed last October in unstable and we
managed to fix various apparmor related issues since. I'm not aware of
any issues so far. I recently uploaded 103.2 to unstable and uploaded an
update yesterday after noticing that the postinst script still enables
the safebrowsing option (my clunky eyes didn't see it earlier). This
change is also part of the proposed Buster version. I had it deployed on
a server for two+ days now.

One last disclosure: The clamav daemon now supports reloading the
database without blocking. The advantage is that email scanning isn't
blocked while the database is reloaded. The disadvantage is that it
consumes more memory as it prepares the new database in memory and after
it is done, it switches over and releases the old one.

[0] https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html
[1] https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-03-28 Thread Sebastian Andrzej Siewior
 */
 ret = check_curve(x);
-if (ret < 0)
+if (ret < 0) {
 ctx->error = X509_V_ERR_UNSPECIFIED;
-else if (ret == 0)
+ret = 0;
+} else if (ret == 0) {
 ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
 }
-if ((x->ex_flags & EXFLAG_CA) == 0
+}
+if (ret > 0
+&& (x->ex_flags & EXFLAG_CA) == 0
 && x->ex_pathlen != -1
 && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
 ctx->error = X509_V_ERR_INVALID_EXTENSION;
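Review bot: the load-bearing change is the new `ret > 0 &&` guard on the X509_STRICT pathlen check: the block that follows now runs only when no earlier check has already driven `ret` to a failure (the `ret < 0` branch is normalised to `ret = 0` for that purpose), so a later check can no longer overwrite an earlier negative verification result, which is the CA-certificate check bypass the changelog hunk records as CVE-2021-3450. Brace accounting is consistent: the pre-existing `}` after `X509_V_ERR_EC_KEY_EXPLICIT_PARAMS` now closes the new `else if (ret == 0) {`, and the added `+}` closes the enclosing block.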
diff --git a/debian/changelog b/debian/changelog
index 45bfdb99fe8d9..9d1b9d6590ab9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,16 @@
-openssl (1.1.1j-0+deb10u1) buster; urgency=medium
+openssl (1.1.1k-0+deb10u1) buster; urgency=medium
 
   * New upstream version
+- CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
   * Update symbol list.
 
- -- Sebastian Andrzej Siewior   Tue, 23 Feb 2021 23:13:13 +0100
+ -- Sebastian Andrzej Siewior   Fri, 26 Mar 2021 21:49:22 +0100
+
+openssl (1.1.1d-0+deb10u6) buster-security; urgency=medium
+
+  * CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
+
+ -- Sebastian Andrzej Siewior   Tue, 23 Mar 2021 00:08:47 +0100
 
 openssl (1.1.1d-0+deb10u5) buster-security; urgency=medium
 
diff --git a/debian/patches/c_rehash-compat.patch b/debian/patches/c_rehash-compat.patch
index 1ed5050f07d22..5606691bb9f9f 100644
--- a/debian/patches/c_rehash-compat.patch
+++ b/debian/patches/c_rehash-compat.patch
@@ -7,7 +7,7 @@ Subject: [PATCH] also create old hash for compatibility
  1 file changed, 14 insertions(+), 6 deletions(-)
 
 diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index 421fd892086f..5ad1ab1d655f 100644
+index fa7c6c9fef91..a7e538a72d7d 100644
 --- a/tools/c_rehash.in
 +++ b/tools/c_rehash.in
 @@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}) -};
@@ -46,7 +46,7 @@ index 421fd892086f..5ad1ab1d655f 100644
  sub link_hash_cert {
  		my $fname = $_[0];
 +		my $x509hash = $_[1] || '-subject_hash';
- 		$fname =~ s/'/'\\''/g;
+ 		$fname =~ s/\"/\\\"/g;
  		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
  		chomp $hash;
 @@ -198,10 +196,20 @@ sub link_hash_cert {
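Review bot: only a context line changes here: `$fname =~ s/\"/\\\"/g;` replaces the single-quote escaping to match upstream's updated tools/c_rehash.in, while the patch's own `+ my $x509hash = ...` line is untouched, so this is a pure refresh of the quilt patch (together with the `index` line) and carries no behavioural change of its own.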
diff --git a/debian/patches/man-section.patch b/debian/patches/man-section.patch
index 982e16a14a2a2..002015b628ab1 100644
--- a/debian/patches/man-section.patch
+++ b/debian/patches/man-section.patch
@@ -8,7 +8,7 @@ Subject: man-section
  2 files changed, 6 insertions(+), 3 deletions(-)
 
 diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 3a24d551359b..d0c90cb2546c 100644
+index 41648c952667..e013d464bd73 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
 @@ -281,7 +281,8 @@ HTMLDIR=$(DOCDIR)/html
diff --git a/fuzz/x509.c b/fuzz/x509.c
index 1a20ca21db543..ceaec0797b438 100644
--- a/fuzz/x509.c
+++ b/fuzz/x509.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL licenses, (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index cd5c23217a51b..0cd6b2f948585 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010afL
-# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1j  16 Feb 2021"
+# define OPENSSL_VERSION_NUMBER  0x101010bfL
+# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1k  25 Mar 2021"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
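Review bot: the two defines agree with each other and with the changelog: 0x101010bfL encodes patch level 0x0b, i.e. 1.1.1k, where 0x0a was 1.1.1j, and the status nibble `f` still marks a release build, so `OPENSSL_VERSION_NUMBER` and the `OPENSSL_VERSION_TEXT` string do not drift apart in this hunk.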
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 4511b52c9afcb..b256a4b93503e 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -4629,6 +4629,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
 
 OPENSSL_clear_free(s->s3->tmp.psk, psklen);
 s

Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2021-03-22 Thread Sebastian Andrzej Siewior
On 2020-07-21 16:53:23 [+0200], Santiago Ruano Rincón wrote:
> diff -Nru bzip2-1.0.6/debian/rules bzip2-1.0.6/debian/rules
> --- bzip2-1.0.6/debian/rules  2019-06-24 22:16:40.0 +0200
> +++ bzip2-1.0.6/debian/rules  2020-07-21 10:31:21.0 +0200
> @@ -14,6 +14,9 @@
>  DEB_BUILD_MAINT_OPTIONS := hardening=+all
>  DEB_CFLAGS_MAINT_APPEND := -Wall -Winline
>  DEB_CPPFLAGS_MAINT_APPEND := -D_REENTRANT
> +# This -D_FILE_OFFSET_BITS=64 is needed to make bzip2 able to handle > 
> 2GB-size
> +# files in 32-bit archs. See #944557
> +DEB_CPPFLAGS_MAINT_APPEND += -D_FILE_OFFSET_BITS=64

Isn't the preferred way to add "future=+lfs" to DEB_BUILD_MAINT_OPTIONS?
>  include /usr/share/dpkg/buildflags.mk
>  
>  include /usr/share/dpkg/pkg-info.mk
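Review bot: `future=+lfs` in DEB_BUILD_MAINT_OPTIONS (the alternative raised in the reply above) would have dpkg-buildflags supply `-D_FILE_OFFSET_BITS=64` only on the 32-bit architectures where off_t is 32 bits, instead of hardcoding it for every architecture; if the explicit define is kept, the `+=` correctly extends the `:=` assignment above it, and both sit before `include /usr/share/dpkg/buildflags.mk`, which is required for the *_MAINT_APPEND variables to be picked up.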

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-03-22 Thread Sebastian Andrzej Siewior
Resending because I managed to accidentally clear TO:

On 2021-03-22 19:48:31 [+0100], Cc 959...@bugs.debian.org wrote:
> On 2021-02-24 23:23:07 [+0100], To Kurt Roeckx wrote:
> > On 2021-02-10 21:52:46 [+0100], To Kurt Roeckx wrote:
> > > OpenSSL upstream announced [0] 1.1.1j for next Tuesday with a security
> > > fix classified as MODERATE [1].
> 
> So this happened. OpenSSL upstream announced [0] 1.1.1k for next
> Thursday (25th).
> 
> I will prepare 1.1.1k for unstable, do buster-security based on
> 1.1.1d-0+deb10u5 and then come back with an updated pu :)
> 
> [0] https://mta.openssl.org/pipermail/openssl-announce/2021-March/000196.html
>  
Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-03-22 Thread Sebastian Andrzej Siewior
On 2021-02-24 23:23:07 [+0100], To Kurt Roeckx wrote:
> On 2021-02-10 21:52:46 [+0100], To Kurt Roeckx wrote:
> > OpenSSL upstream announced [0] 1.1.1j for next Tuesday with a security
> > fix classified as MODERATE [1].

So this happened. OpenSSL upstream announced [0] 1.1.1k for next
Thursday (25th).

I will prepare 1.1.1k for unstable, do buster-security based on
1.1.1d-0+deb10u5 and then come back with an updated pu :)

[0] https://mta.openssl.org/pipermail/openssl-announce/2021-March/000196.html
 
Sebastian



Bug#985570: unblock: clamtk/6.03-3

2021-03-20 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package clamtk

A change introduced in libgtk3-perl (0.038) uncovered a bug in clamtk
leaving it almost unusable. clamtk is a frontend for the clamav binary
and due to the bug I see no results from the buttons "scan file" and
"scan directory". It renders the tool unusable imho.
I uploaded the fixed version to experimental almost two weeks ago asking
one of the persons in the bug report to verify the change. This did not
happen and today I verified it myself (I'm not a regular user of the
tool so I also upgraded the severity of the initial bug report once
I figured out that it is the main function that is no longer working).

The change is based on a diff vs the current upstream version which has
the bug also fixed.
The whole change is low risk from my point of view. It is not usable
now; it is with the change.
Please find attached the diff against testing.

unblock clamtk/6.03-3

Sebastian
diff -Nru clamtk-6.03/debian/changelog clamtk-6.03/debian/changelog
--- clamtk-6.03/debian/changelog	2020-04-29 07:22:23.0 +0200
+++ clamtk-6.03/debian/changelog	2021-03-20 09:37:26.0 +0100
@@ -1,3 +1,15 @@
+clamtk (6.03-3) unstable; urgency=medium
+
+  * Upload to unstable.
+
+ -- Sebastian Andrzej Siewior   Sat, 20 Mar 2021 09:37:26 +0100
+
+clamtk (6.03-2) experimental; urgency=medium
+
+  * Remove no-separator from window decoration (Closes: #981384).
+
+ -- Sebastian Andrzej Siewior   Sun, 07 Mar 2021 23:38:23 +0100
+
 clamtk (6.03-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru clamtk-6.03/debian/patches/Remove-no-separator.patch clamtk-6.03/debian/patches/Remove-no-separator.patch
--- clamtk-6.03/debian/patches/Remove-no-separator.patch	1970-01-01 01:00:00.0 +0100
+++ clamtk-6.03/debian/patches/Remove-no-separator.patch	2021-03-07 23:37:29.0 +0100
@@ -0,0 +1,62 @@
+From: Sebastian Andrzej Siewior 
+Date: Sun, 7 Mar 2021 23:31:29 +0100
+Subject: [PATCH] Remove no-separator
+
+The `no-separator' parameter which is passed to Gtk3::Dialog->new is
+invalid. This has been exposed by perl's GTK3 binding in version 0.038.
+Remove the `no-separator' as it has been in upstream repository for
+clamtk.
+
+BTS: #981384
+
+Signed-off-by: Sebastian Andrzej Siewior 
+---
+ lib/Analysis.pm | 3 +--
+ lib/History.pm  | 2 +-
+ lib/Scan.pm | 3 +--
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/lib/Analysis.pm b/lib/Analysis.pm
+index f44a981269d56..2c50e6d0d4956 100644
+--- a/lib/Analysis.pm
 b/lib/Analysis.pm
+@@ -48,8 +48,7 @@ sub show_window {
+ ( undef, $from_scan, $parent ) = @_;
+ $window = Gtk3::Dialog->new(
+ undef, $parent,
+-[   qw| modal destroy-with-parent no-separator
+-use-header-bar |
++[   qw| modal destroy-with-parent use-header-bar |
+ ],
+ );
+ $window->signal_connect(
+diff --git a/lib/History.pm b/lib/History.pm
+index 623cd52a91c1b..aeaf7d8fdf619 100644
+--- a/lib/History.pm
 b/lib/History.pm
+@@ -148,7 +148,7 @@ sub view_history {
+ 
+ my $win = Gtk3::Dialog->new(
+ sprintf( _( 'Viewing %s' ), $basename ),
+-undef, [ qw| modal destroy-with-parent no-separator | ],
++undef, [ qw| modal destroy-with-parent | ],
+ );
+ $win->signal_connect( destroy => sub { $win->destroy; 1 } );
+ $win->set_default_size( 800, 350 );
+diff --git a/lib/Scan.pm b/lib/Scan.pm
+index 794ce3ceee8b9..79d03c80a0be3 100644
+--- a/lib/Scan.pm
 b/lib/Scan.pm
+@@ -90,8 +90,7 @@ sub filter {
+ # Begin popup scanning
+ $window = Gtk3::Dialog->new(
+ undef, undef,
+-[   qw| modal destroy-with-parent no-separator
+-use-header-bar |
++[   qw| modal destroy-with-parent use-header-bar |
+ ],
+ );
+ $window->set_deletable( FALSE );
+-- 
+2.30.1
+
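Review bot: each of the three hunks removes only the `no-separator` token and keeps `modal`, `destroy-with-parent` and (where present) `use-header-bar`, so the behavioural change is limited to the flag Gtk3 0.038 rejects. The description says upstream dropped the token everywhere; a `grep -r no-separator lib/` over the rest of the tree is the check that no other `Gtk3::Dialog->new` call was missed, since any remaining one would fail the same way.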
diff -Nru clamtk-6.03/debian/patches/series clamtk-6.03/debian/patches/series
--- clamtk-6.03/debian/patches/series	2020-04-29 07:22:23.0 +0200
+++ clamtk-6.03/debian/patches/series	2021-03-07 23:37:40.0 +0100
@@ -1 +1,2 @@
 py3-clamtk-gnome.patch
+Remove-no-separator.patch


Bug#983485: buster-pu: package m2crypto/0.31.0-4+deb10u2

2021-03-13 Thread Sebastian Andrzej Siewior
On 2021-03-13 17:31:50 [+], Adam D. Barratt wrote:
> Please go ahead.

Thanks, uploaded.

> Regards,
> 
> Adam

Sebastian



Bug#983071: unblock: xz-utils/5.2.5-1.1

2021-03-08 Thread Sebastian Andrzej Siewior
On 2021-03-08 18:54:22 [+0100], Paul Gevers wrote:
> Hi,
Hi,

> Please upload to unstable. As said, we'll let it age a bit there.

Thanks, uploaded.

> Paul

Sebastian



Bug#983071: unblock: xz-utils/5.2.5-1.1

2021-03-04 Thread Sebastian Andrzej Siewior
On 2021-03-04 12:32:48 [+0100], Paul Gevers wrote:
> Hi Sebastian
Hi,

> Can you please send a debdiff where you undo the renaming (where
> applicable), such that we get a better understanding of the real changes?

Sure. Please find attached.

> What I *think* we're going to do is accept the package in unstable, but
> have it age a bit in unstable before unblocking (which is going to
> happen automatically due to the hard freeze).

Oki.

> Paul

Sebastian
diff -Nru xz-utils-5.2.5/debian/changelog xz-utils-5.2.5/debian/changelog
--- xz-utils-5.2.5/debian/changelog	2020-12-28 11:25:06.0 +0100
+++ xz-utils-5.2.5/debian/changelog	2021-03-02 21:50:25.0 +0100
@@ -1,3 +1,11 @@
+xz-utils (5.2.5-1.1) experimental; urgency=medium
+
+  * Non-maintainer upload.
+  * Update the patches for #844770 and #975981 to what upstream applied.
+  * Add a SIGPIPE fix to xzgrep (similar to xzcmp in #844770).
+
+ -- Sebastian Andrzej Siewior   Tue, 02 Mar 2021 21:50:25 +0100
+
 xz-utils (5.2.5-1.0) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch
--- xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch	1970-01-01 01:00:00.0 +0100
+++ xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch	2021-03-02 21:50:25.0 +0100
@@ -0,0 +1,118 @@
+From: Lasse Collin 
+Date: Mon, 11 Jan 2021 22:01:51 +0200
+Subject: Scripts: Fix exit status of xzdiff/xzcmp.
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This is a minor fix since this affects only the situation when
+the files differ and the exit status is something else than 0.
+In such case there could be SIGPIPE from a decompression tool
+and that would result in exit status of 2 from xzdiff/xzcmp
+while the correct behavior would be to return 1 or whatever
+else diff or cmp may have returned.
+
+This commit omits the -q option from xz/gzip/bzip2/lzop arguments.
+I'm not sure why the -q was used in the first place, perhaps it
+hides warnings in some situation that I cannot see at the moment.
+Hopefully the removal won't introduce a new bug.
+
+With gzip the -q option was harmful because it made gzip return 2
+instead of >= 128 with SIGPIPE. Ignoring exit status 2 (warning
+from gzip) isn't practical because bzip2 uses exit status 2 to
+indicate corrupt input file. It's better if SIGPIPE results in
+exit status >= 128.
+
+With bzip2 the removal of -q seems to be good because with -q
+it prints nothing if input is corrupt. The other tools aren't
+silent in this situation even with -q. On the other hand, if
+zstd support is added, it will need -q since otherwise it's
+noisy in normal situations.
+
+Thanks to Étienne Mollier and Sebastian Andrzej Siewior.
+---
+ src/scripts/xzdiff.in | 35 +--
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/src/scripts/xzdiff.in b/src/scripts/xzdiff.in
+index eb7825c..98ac0e5 100644
+--- a/src/scripts/xzdiff.in
 b/src/scripts/xzdiff.in
+@@ -116,23 +116,18 @@ elif test $# -eq 2; then
+   if test "$1$2" = --; then
+ xz_status=$(
+   exec 4>&1
+-  ($xz1 -cdfq - 4>&-; echo $? >&4) 3>&- |
++  ($xz1 -cdf - 4>&-; echo $? >&4) 3>&- |
+ eval "$cmp" - - >&3
+ )
+   elif # Reject Solaris 8's buggy /bin/bash 2.03.
+   echo X | (echo X | eval "$cmp" /dev/fd/5 - >/dev/null 2>&1) 5<&0; then
++# NOTE: xz_status will contain two numbers.
+ xz_status=$(
+   exec 4>&1
+-  ($xz1 -cdfq -- "$1" 4>&-; echo $? >&4) 3>&- |
+-( ($xz2 -cdfq -- "$2" 4>&-; echo $? >&4) 3>&- 5<&- &-; echo $? >&4) 3>&- |
++( ($xz2 -cdf -- "$2" 4>&-; echo $? >&4) 3>&- 5<&- &3) 5<&0
+ )
+-cmp_status=$?
+-case $xz_status in
+-  *[1-9]*) xz_status=1;;
+-  *) xz_status=0;;
+-esac
+-(exit $cmp_status)
+   else
+ F=`expr "/$2" : '.*/\(.*\)[-.][ablmotxz2]*$'` || F=$prog
+ tmp=
+@@ -161,10 +156,10 @@ elif test $# -eq 2; then
+   mkdir -- "${TMPDIR-/tmp}/$prog.$$" || exit 2
+   tmp="${TMPDIR-/tmp}/$prog.$$"
+ fi
+-$xz2 -cdfq -- "$2" > "$tmp/$F" || exit 2
++$xz2 -cdf -- "$2" > "$tmp/$F" || exit 2
+ xz_status=$(
+   exec 4>
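Review bot: dropping `-q` from the `$xz1`/`$xz2` invocations (`-cdfq` to `-cdf`) is the substantive change, for the reason the commit message gives: `gzip -q` reports SIGPIPE as status 2, which collides with bzip2's status 2 for corrupt input, so the script needs the >= 128 status to tell the two apart. The same hunk also deletes the `case $xz_status in *[1-9]*)` normalisation and `(exit $cmp_status)` while the replacement handling lies beyond what this copy shows, and the pipeline lines (`5<&- &-; echo $? >&4`) have lost the text between `<` and `>` in this rendering, so the redirection rewrite should be checked against upstream commit 194029ffaf74282a81f0c299c07f73caca3232ca named in the original unblock request rather than from this excerpt.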

Bug#983071: unblock: xz-utils/5.2.5-1.1

2021-03-02 Thread Sebastian Andrzej Siewior
On 2021-03-02 19:44:58 [+0100], Paul Gevers wrote:
> Hi Sebastian,
Hi Paul,

> Unfortunately we haven't made up our mind yet, but to get some (albeit
> limited) exposure and autopkgtest coverage (via the pseudo-excuses) [2],
> I think your chances for a go are higher if the proposed package is
> available in experimental.

Just uploaded to experimental. I added the SIGPIPE fix to xzgrep (as
mentioned).

> Paul

Sebastian



Bug#983485: buster-pu: package m2crypto/0.31.0-4+deb10u2

2021-02-24 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

This is the proposed update for Buster to fix a build failure against
openssl 1.1.1j which is proposed for Buster.
The changes touch only the test suite:
- A fix in openssl for the SSLv23 padding led to a failure in the
  m2crypto test suite. The fix is to remove the offending test.

- The test suite fails in an IPv6 only environment. This has been
  observed in the last buster-pu upload as well as in unstable. In
  unstable it has been dealt with by temporarily disabling the
  test_ssl.py file in which a lot of tests are failing in an IPv6 only
  environment.
  I added the same change to this update. If it is preferred to keep
  the tests running, I could remove it again and retrigger the build as
  needed.

I verified that the proposed m2crypto package builds against the
proposed openssl package.

Sebastian
diff -Nru m2crypto-0.31.0/debian/changelog m2crypto-0.31.0/debian/changelog
--- m2crypto-0.31.0/debian/changelog2021-01-24 12:01:15.0 +0100
+++ m2crypto-0.31.0/debian/changelog2021-02-23 23:41:19.0 +0100
@@ -1,3 +1,14 @@
+m2crypto (0.31.0-4+deb10u2) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/MR262.patch
+- fix test failure with recent openssl; Closes: #983013
+  * debian/rules
+- skip test_ssl.py during tests, more than 50% of its tests fail on an
+  IPv6-only machine; Closes: #979865
+
+ -- Sebastian Andrzej Siewior   Tue, 23 Feb 2021 
23:41:19 +0100
+
 m2crypto (0.31.0-4+deb10u1) buster; urgency=medium
 
   * Non-maintainer upload.
diff -Nru m2crypto-0.31.0/debian/patches/MR262.patch 
m2crypto-0.31.0/debian/patches/MR262.patch
--- m2crypto-0.31.0/debian/patches/MR262.patch  1970-01-01 01:00:00.0 
+0100
+++ m2crypto-0.31.0/debian/patches/MR262.patch  2021-02-23 23:35:25.0 
+0100
@@ -0,0 +1,29 @@
+From d06eaa88a5f491827733f32027c46de3557fbd05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= 
+Date: Fri, 19 Feb 2021 15:53:02 +0100
+Subject: [PATCH] Use of RSA_SSLV23_PADDING has been deprecated.
+
+Fixes #293.
+---
+ tests/test_rsa.py | 5 -
+ 1 file changed, 5 deletions(-)
+
+diff --git a/tests/test_rsa.py b/tests/test_rsa.py
+index 3de5016a..7299785f 100644
+--- a/tests/test_rsa.py
 b/tests/test_rsa.py
+@@ -124,11 +124,6 @@ class RSATestCase(unittest.TestCase):
+ ptxt = priv.private_decrypt(ctxt, p)
+ self.assertEqual(ptxt, self.data)
+ 
+-# sslv23_padding
+-ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding)
+-res = priv.private_decrypt(ctxt, RSA.sslv23_padding)
+-self.assertEqual(res, self.data)
+-
+ # no_padding
+ with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
+ priv.public_encrypt(self.data, RSA.no_padding)
+-- 
+GitLab
+
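Review bot: removing the `sslv23_padding` round-trip from `RSATestCase` drops coverage for that padding mode rather than adjusting the expectation to OpenSSL's changed SSLv23 padding behaviour; that matches upstream's own MR (the subject records the mode as deprecated), but the diffstat shows only tests/test_rsa.py changing, so `RSA.sslv23_padding` stays exposed in the buster library with neither a test nor a deprecation notice.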
diff -Nru m2crypto-0.31.0/debian/patches/series 
m2crypto-0.31.0/debian/patches/series
--- m2crypto-0.31.0/debian/patches/series   2021-01-24 12:00:36.0 
+0100
+++ m2crypto-0.31.0/debian/patches/series   2021-02-23 23:35:48.0 
+0100
@@ -5,3 +5,4 @@
 0005-tests.test_rsa-Fix-typo-to-match-for-proper-exceptio.patch
 0006-Be-resilient-against-the-situation-when-no-erorr-hap.patch
 MR261.patch
+MR262.patch
diff -Nru m2crypto-0.31.0/debian/rules m2crypto-0.31.0/debian/rules
--- m2crypto-0.31.0/debian/rules2018-12-19 07:59:56.0 +0100
+++ m2crypto-0.31.0/debian/rules2021-02-23 23:41:19.0 +0100
@@ -18,7 +18,7 @@
 endif
 
 override_dh_auto_test:
-   PYBUILD_SYSTEM=custom PYBUILD_TEST_ARGS="{interpreter} -Wd -m pytest -v 
-rs" dh_auto_test
+   PYBUILD_SYSTEM=custom PYBUILD_TEST_ARGS="{interpreter} -Wd -m pytest 
--ignore tests/test_ssl.py -v -rs" dh_auto_test
 
 override_dh_auto_install:
dh_auto_install
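Review bot: `--ignore tests/test_ssl.py` drops the whole TLS test module from the build, which is precisely the area an openssl 1.1.1j rebuild is most likely to regress; since the cover letter offers to keep the tests and retrigger builds instead, that trade-off deserves an explicit decision, and pytest's `--deselect` on the IPv6-affected test ids (or a `-k` expression) would keep the rest of the module running.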


Bug#983071: unblock: xz-utils/5.2.5-1.1

2021-02-18 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package xz-utils.

I NMUed xz-utils to 5.2.5-1.0 fixing a few bugs including #844770 and
#975981. Both bugs were fixed by upstream differently / more completely.
I prepared an NMU 5.2.5-1.1, #983067, by replacing my patches with
upstream patches:
- #844770 "xzcmp: SIGPIPE is raised because CMP does exit while the XZ
  commands are still writing to the pipe"
  https://git.tukaani.org/?p=xz.git;a=commitdiff;h=194029ffaf74282a81f0c299c07f73caca3232ca

- #975981 "xz-utils: "unxz -k" should not refuse to decompress a file
  because it has more than one hard link"
  https://git.tukaani.org/?p=xz.git;a=commitdiff;h=074259f4f3966aeac6edb205fecbc1a8d2b58bb2

I would like to avoid having different changes to the package (and
possibly creating new bugs) and therefore keep what upstream applied
here. The patches were reviewed at least by the maintainer of the
upstream package.
During that review a similar SIGPIPE problem was found and fixed in
xzgrep:
   Scripts: Fix exit status of xzgrep.
   https://git.tukaani.org/?p=xz.git;a=commitdiff;h=73c555b3077c19dda29b6f4592ced2af876f8333

This bug was never reported and fixed within the Debian package. If it
is okay with the release team then I would backport the patch and NMU it
as part of the 5.2.5-1.1 upload.
Otherwise I would stick with the replacement of the two patches as can
be seen in the attached debdiff.
The package was not yet uploaded; I plan to upload it to delayed/5 once
the release team agrees.

unblock xz-utils/5.2.5-1.1

Sebastian
diff -Nru xz-utils-5.2.5/debian/changelog xz-utils-5.2.5/debian/changelog
--- xz-utils-5.2.5/debian/changelog 2020-12-28 11:25:06.0 +0100
+++ xz-utils-5.2.5/debian/changelog 2021-02-18 23:12:30.0 +0100
@@ -1,3 +1,10 @@
+xz-utils (5.2.5-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Update the patches for #844770 and #975981 to what upstream applied.
+
+ -- Sebastian Andrzej Siewior   Thu, 18 Feb 2021 
23:12:30 +0100
+
 xz-utils (5.2.5-1.0) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru 
xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch
 
xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch
--- 
xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch
1970-01-01 01:00:00.0 +0100
+++ 
xz-utils-5.2.5/debian/patches/0001-Scripts-Fix-exit-status-of-xzdiff-xzcmp.patch
2021-02-17 23:52:05.0 +0100
@@ -0,0 +1,118 @@
+From: Lasse Collin 
+Date: Mon, 11 Jan 2021 22:01:51 +0200
+Subject: Scripts: Fix exit status of xzdiff/xzcmp.
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This is a minor fix since this affects only the situation when
+the files differ and the exit status is something else than 0.
+In such case there could be SIGPIPE from a decompression tool
+and that would result in exit status of 2 from xzdiff/xzcmp
+while the correct behavior would be to return 1 or whatever
+else diff or cmp may have returned.
+
+This commit omits the -q option from xz/gzip/bzip2/lzop arguments.
+I'm not sure why the -q was used in the first place, perhaps it
+hides warnings in some situation that I cannot see at the moment.
+Hopefully the removal won't introduce a new bug.
+
+With gzip the -q option was harmful because it made gzip return 2
+instead of >= 128 with SIGPIPE. Ignoring exit status 2 (warning
+from gzip) isn't practical because bzip2 uses exit status 2 to
+indicate corrupt input file. It's better if SIGPIPE results in
+exit status >= 128.
+
+With bzip2 the removal of -q seems to be good because with -q
+it prints nothing if input is corrupt. The other tools aren't
+silent in this situation even with -q. On the other hand, if
+zstd support is added, it will need -q since otherwise it's
+noisy in normal situations.
+
+Thanks to Étienne Mollier and Sebastian Andrzej Siewior.
+---
+ src/scripts/xzdiff.in | 35 +--
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/src/scripts/xzdiff.in b/src/scripts/xzdiff.in
+index eb7825c..98ac0e5 100644
+--- a/src/scripts/xzdiff.in
 b/src/scripts/xzdiff.in
+@@ -116,23 +116,18 @@ elif test $# -eq 2; then
+   if test "$1$2" = --; then
+ xz_status=$(
+   exec 4>&1
+-  ($xz1 -cdfq - 4>&-; echo $? >&4) 3>&- |
++  ($xz1 -cdf - 4>&-; echo $? >&4) 3>&- |
+ eval "$cmp" - - >&3
+ )
+   elif # Reject Solaris 8's buggy /bin/bash 2.03.
+   echo X | (echo X | eval "$cmp" /dev/fd/5 - >/dev/null 2>&1) 
5<&0; then
++# NOTE: xz_status will contain two numbers.
+ xz
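Review bot: dropping -q from `$xz1 -cdf -` in this hunk means the decompressor's warnings, the thing the commit message guesses -q was there to hide, now reach the user's stderr during a diff; that is a visible behaviour change for scripts that parsed xzdiff's stderr, so it deserves a sentence in the man page or NEWS rather than only in the commit message. The added `# NOTE: xz_status will contain two numbers.` is useful, but the code that consumes xz_status is not part of the visible hunk, so it is worth confirming that it iterates over both numbers and treats any value >= 128 as "pipe closed by cmp" rather than as a failure, since that is the whole point of this change.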

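The fd juggling in the hunk above (fd 4 as a side channel for the decompressor's `$?`, fd 3 as cmp's real stdout) together with the exit-status policy the commit message argues for, as an added example that is not part of the xz-utils patch or of this thread. `compare_streams` and its two command-string arguments are this example's own names; the exact code xzdiff runs after the pipeline is not reproduced here, only the policy the commit message describes (a producer failure other than a signal death is reported as 2, otherwise the consumer's status is passed through):

```shell
#!/bin/sh
# Added example, not code from xz-utils or from the patch in this thread:
# the same fd idiom as the hunk (fd 3 = the consumer's real stdout,
# fd 4 = side channel carrying the producer's $? out of the command
# substitution) plus the exit-status policy the commit message argues for.
#
# compare_streams PRODUCER CONSUMER
#   PRODUCER  command string writing to stdout (stands in for "xz -cdf -")
#   CONSUMER  command string reading stdin     (stands in for cmp/diff)
# Exit status:
#   2                 if the producer failed (non-zero and below 128,
#                     e.g. bzip2's 2 for a corrupt input file), even
#                     when the consumer also reported "files differ";
#   consumer's own    otherwise, so 1 for "differ" passes through; a
#                     producer killed by a signal (>= 128; SIGPIPE is
#                     141 in sh/bash, which is what happens when cmp
#                     stops reading early) is deliberately not an error.
compare_streams() (
    set +e                      # the statuses are the data here
    exec 3>&1
    # As the NOTE in the hunk says: with several producers p_status
    # holds several numbers, hence the loop below.
    p_status=$(
        exec 4>&1
        (eval "$1" 4>&-; echo $? >&4) 3>&- | eval "$2" >&3
    )
    c_status=$?
    # An empty p_status means the producer never reported: treat as failure.
    for num in ${p_status:-2}; do
        if [ "$num" -ne 0 ] && [ "$num" -lt 128 ]; then
            exit 2
        fi
    done
    exit "$c_status"
)
```

Typed at a prompt, `compare_streams yes 'grep -q y'` returns grep's 0 rather than 2: grep exits after its first match, `yes` dies of SIGPIPE (status 141 under sh/bash, provided SIGPIPE is not ignored in the calling environment), and the loop lets that through, which is exactly the case the commit message says the old `-q` handling got wrong.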
Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-02-10 Thread Sebastian Andrzej Siewior
On 2021-02-01 23:50:03 [+0100], To Kurt Roeckx wrote:
> in case someone wants to test.
> I think the ship for this pu is sailing without me but I'm ready for the
> next cruise :)

OpenSSL upstream announced [0] 1.1.1j for next Tuesday with a security
fix classified as MODERATE [1].

[0] https://mta.openssl.org/pipermail/openssl-announce/2021-February/000191.html
[1] https://www.openssl.org/policies/secpolicy.html#moderate

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-02-01 Thread Sebastian Andrzej Siewior
On 2021-01-29 20:35:52 [+0100], To Kurt Roeckx wrote:
> On 2021-01-28 00:28:03 [+0100], Kurt Roeckx wrote:
> > On Thu, Jan 14, 2021 at 07:03:37PM +0100, Kurt Roeckx wrote:
> > > There are a whole bunch of other issues and pull requests related to
> > > this. I hope this is the end of the regressions in the X509 code.
> > 
> > So there is something else now:
> > https://github.com/openssl/openssl/issues/13931
> > https://github.com/openssl/openssl/pull/13982
> 
> So what is the plan here? Upload to unstable and prepare a pu once it
> migrate to testing or right away?

fed to unstable, migrated to testing. The small diff towards the
previous is attached. I uploaded the whole thing (source package +
amd64 binary) to
https://breakpoint.cc/openssl-pu.tar

in case someone wants to test.
I think the ship for this pu is sailing without me but I'm ready for the
next cruise :)
The complete diff vs the last package is coming soon.

> > Kurt

Sebastian
diff --git a/debian/changelog b/debian/changelog
index 56a950734f01d..89ce61e9d6be7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,8 +5,9 @@ openssl (1.1.1i-0+deb10u1) buster; urgency=medium
   (Closes: #947949).
   * Update symbol list.
   * Apply two patches from upstream to address x509 related regressions.
+  * Cherry-pick a patch from upstream to address #13931.
 
- -- Sebastian Andrzej Siewior   Sun, 24 Jan 2021 11:22:16 +0100
+ -- Sebastian Andrzej Siewior   Mon, 01 Feb 2021 23:23:03 +0100
 
 openssl (1.1.1d-0+deb10u4) buster-security; urgency=medium
 
diff --git a/debian/patches/check_sig_alg_match-weaken-sig-nid-comparison-to-base-alg.patch b/debian/patches/check_sig_alg_match-weaken-sig-nid-comparison-to-base-alg.patch
new file mode 100644
index 0..2b2dfd420cb28
--- /dev/null
+++ b/debian/patches/check_sig_alg_match-weaken-sig-nid-comparison-to-base-alg.patch
@@ -0,0 +1,244 @@
+From: "Dr. David von Oheimb" 
+Date: Tue, 26 Jan 2021 11:53:15 +0100
+Subject: check_sig_alg_match(): weaken sig nid comparison to base alg
+
+This (re-)allows RSA-PSS signers
+
+Fixes #13931
+
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/13982)
+---
+ crypto/x509v3/v3_purp.c   |  9 ++---
+ test/certs/ca-pss-cert.pem| 21 +
+ test/certs/ca-pss-key.pem | 28 
+ test/certs/ee-pss-cert.pem| 21 +
+ test/certs/mkcert.sh  | 22 +-
+ test/certs/setup.sh   | 13 +
+ test/recipes/25-test_verify.t |  5 -
+ 7 files changed, 106 insertions(+), 13 deletions(-)
+ create mode 100644 test/certs/ca-pss-cert.pem
+ create mode 100644 test/certs/ca-pss-key.pem
+ create mode 100644 test/certs/ee-pss-cert.pem
+
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 93b5ca4d4283..3f5ce5c91c5d 100644
+--- a/crypto/x509v3/v3_purp.c
 b/crypto/x509v3/v3_purp.c
+@@ -348,14 +348,17 @@ static int setup_crldp(X509 *x)
+ /* Check that issuer public key algorithm matches subject signature algorithm */
+ static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject)
+ {
+-int pkey_nid;
++int pkey_sig_nid, subj_sig_nid;
+ 
+ if (pkey == NULL)
+ return X509_V_ERR_NO_ISSUER_PUBLIC_KEY;
++if (OBJ_find_sigid_algs(EVP_PKEY_base_id(pkey),
++NULL, _sig_nid) == 0)
++pkey_sig_nid = EVP_PKEY_base_id(pkey);
+ if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm),
+-NULL, _nid) == 0)
++NULL, _sig_nid) == 0)
+ return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+-if (EVP_PKEY_type(pkey_nid) != EVP_PKEY_base_id(pkey))
++if (pkey_sig_nid != EVP_PKEY_type(subj_sig_nid))
+ return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH;
+ return X509_V_OK;
+ }
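Review bot: the fallback `pkey_sig_nid = EVP_PKEY_base_id(pkey)` when OBJ_find_sigid_algs() returns 0 is silent and deliberate (a plain rsaEncryption or id-ecPublicKey base id is not a signature id, so the lookup fails and the base id is used as-is, whereas an rsassaPss base id maps to rsaEncryption), but nothing in the code says so; a one-line comment would stop the next reader from "fixing" it into an X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM return, which is exactly what would reintroduce #13931. The file list shows ca-pss-cert.pem, ca-pss-key.pem and ee-pss-cert.pem being added; the commit message should state which combination (PSS issuer key, PSS-signed leaf, or both) the new 25-test_verify.t case exercises, since only the first is what this function change addresses.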
+diff --git a/test/certs/ca-pss-cert.pem b/test/certs/ca-pss-cert.pem
+new file mode 100644
+index ..566b63a800f7
+--- /dev/null
 b/test/certs/ca-pss-cert.pem
+@@ -0,0 +1,21 @@
++-BEGIN CERTIFICATE-


Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-29 Thread Sebastian Andrzej Siewior
On 2021-01-28 00:28:03 [+0100], Kurt Roeckx wrote:
> On Thu, Jan 14, 2021 at 07:03:37PM +0100, Kurt Roeckx wrote:
> > There are a whole bunch of other issues and pull requests related to
> > this. I hope this is the end of the regressions in the X509 code.
> 
> So there is something else now:
> https://github.com/openssl/openssl/issues/13931
> https://github.com/openssl/openssl/pull/13982

So what is the plan here? Upload to unstable and prepare a pu once it
migrate to testing or right away?

> Kurt

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-25 Thread Sebastian Andrzej Siewior
On 2021-01-25 19:57:18 [+0100], Cyril Brulebois wrote:
> Not really *much* easier, to be honest. I can definitely build a package
> locally given a source debdiff, or slightly better, given a source
> package I can run dget against (since we're talking about new upstream
> releases, by the looks of it), and do whatever testing with the
> generated packages built into d-i and/or fetched from the network as
> required (similarly to what's done for the various kernel udebs).
> 
> IOW that can be tested before even having to make a decision regarding a
> possible acceptance into p-u.

in case it helps, I uploaded
  https://breakpoint.cc/openssl-pu.tar

| $ sha512sum openssl-pu.tar
| 1a3df2e37aa9312a378046691794bf7d7d72570ed9ade7ffbf50f87c8c8a7dd5e671a7f704fc4f1ebdbada1dda3007a5db24b426deefd33fff39b81e7be38aa3  openssl-pu.tar

containing the source package and amd64 packages.

> Cheers,

Sebastian




Bug#980919: buster-pu: package m2crypto/0.31.0-4+deb10u1

2021-01-25 Thread Sebastian Andrzej Siewior
On 2021-01-25 17:51:28 [+], Adam D. Barratt wrote:
> Please go ahead; thanks.

Uploaded. Thank you.

> Regards,
> 
> Adam

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-24 Thread Sebastian Andrzej Siewior
On 2021-01-22 16:38:28 [+], Adam D. Barratt wrote:
> Assuming that a patched m2crypto will also build fine against openssl
> 1.1.1d, then there's no reason that the two shouldn't proceed in
> parallel (i.e. feel free to file the m2crypto request already).

Yes, it does. Bug filed. Thank you.

> Regards,
> 
> Adam

Sebastian



Bug#980919: buster-pu: package m2crypto/0.31.0-4+deb10u1

2021-01-24 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

This is the proposed update for Buster to fix a build failure against
openssl 1.1.1i which is proposed for Buster.
The patch touches only the testsuite.

The m2crypto issue is tracked upstream
   https://gitlab.com/m2crypto/m2crypto/-/issues/289

and I aligned the patch name and description (in debian/changelog) with
what has been applied for unstable as 0.37.1-1.
The package did not yet migrate to testing because it FTBFS on an IPv6
only buildd (unrelated issue, just built but has this RC bug).

I verified that the proposed m2crypto package builds against the
proposed openssl package.

Sebastian
diff -Nru m2crypto-0.31.0/debian/changelog m2crypto-0.31.0/debian/changelog
--- m2crypto-0.31.0/debian/changelog	2019-06-09 09:42:32.0 +0200
+++ m2crypto-0.31.0/debian/changelog	2021-01-24 12:01:15.0 +0100
@@ -1,3 +1,11 @@
+m2crypto (0.31.0-4+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/MR261.patch
+- fix compatibility with openssl/1.1.1i+; Closes: #954402
+
+ -- Sebastian Andrzej Siewior   Sun, 24 Jan 2021 12:01:15 +0100
+
 m2crypto (0.31.0-4) unstable; urgency=medium
 
   * Add a few patches from upstream to avoid a testsuite
diff -Nru m2crypto-0.31.0/debian/patches/MR261.patch m2crypto-0.31.0/debian/patches/MR261.patch
--- m2crypto-0.31.0/debian/patches/MR261.patch	1970-01-01 01:00:00.0 +0100
+++ m2crypto-0.31.0/debian/patches/MR261.patch	2021-01-24 11:55:01.0 +0100
@@ -0,0 +1,46 @@
+From: Casey Deccio 
+Date: Fri, 8 Jan 2021 12:43:09 -0700
+Subject: [PATCH] Allow verify_cb_* to be called with ok=True
+
+With https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
+OpenSSL allowed verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
+---
+ tests/test_ssl.py | 14 --
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 92b6942c729a3..7a3271aa3dbc2 100644
+--- a/tests/test_ssl.py
 b/tests/test_ssl.py
+@@ -59,8 +59,13 @@ srv_host = 'localhost'
+ 
+ 
+ def verify_cb_new_function(ok, store):
+-assert not ok
+ err = store.get_error()
++# If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
++# aborting, this callback is called to retrieve additional error
++# information.  In this case, ok might not be False.
++# See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
++if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
++assert not ok
+ assert err in [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
+m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
+m2.X509_V_ERR_CERT_UNTRUSTED,
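Review bot: the `if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: assert not ok` guard drops every check on `ok` for that error instead of asserting the new contract; `assert err == m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE or not ok` says the same thing in one line and reads as the rule rather than as an exception to it. The five-line comment explaining the change is pasted again verbatim in the verify_cb_old hunk below; naming the OpenSSL version in which the behaviour changed (1.1.1i, per the changelog entry in this debdiff) would help a Debian reader more than the raw commit URL alone.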
+@@ -618,7 +623,12 @@ sleepTime = float(os.getenv('M2CRYPTO_TEST_SSL_SLEEP', '1.5'))
+ 
+ def verify_cb_old(self, ctx_ptr, x509_ptr, err, depth, ok):
+ try:
+-self.assertFalse(ok)
++# If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
++# aborting, this callback is called to retrieve additional error
++# information.  In this case, ok might not be False.
++# See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
++if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
++self.assertFalse(ok)
+ self.assertIn(err,
+   [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
+m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
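Review bot: since this callback is a unittest method, `self.assertTrue(err == m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE or not ok, (err, ok))` would make a failure print the offending (err, ok) pair instead of a bare AssertionError, and one shared comment for both callbacks would keep the two explanations from drifting apart the next time OpenSSL changes when the callback is invoked.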
+-- 
+2.30.0
+
diff -Nru m2crypto-0.31.0/debian/patches/series m2crypto-0.31.0/debian/patches/series
--- m2crypto-0.31.0/debian/patches/series	2019-06-09 09:42:08.0 +0200
+++ m2crypto-0.31.0/debian/patches/series	2021-01-24 12:00:36.0 +0100
@@ -4,3 +4,4 @@
 0004-Limit-tests.test_rsa.RSATestCase.test_public_encrypt.patch
 0005-tests.test_rsa-Fix-typo-to-match-for-proper-exceptio.patch
 0006-Be-resilient-against-the-situation-when-no-erorr-hap.patch
+MR261.patch


Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-24 Thread Sebastian Andrzej Siewior
On 2021-01-22 16:38:28 [+], Adam D. Barratt wrote:
> Both would be good, please.

here is the with the two additional patches.

Sebastian
diff --git a/debian/changelog b/debian/changelog
index 088c914a3dd4a..56a950734f01d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,8 +4,9 @@ openssl (1.1.1i-0+deb10u1) buster; urgency=medium
 - CVE-2019-1551 (Overflow in the x64_64 Montgomery squaring procedure),
   (Closes: #947949).
   * Update symbol list.
+  * Apply two patches from upstream to address x509 related regressions.
 
- -- Sebastian Andrzej Siewior   Wed, 06 Jan 2021 21:04:15 +0100
+ -- Sebastian Andrzej Siewior   Sun, 24 Jan 2021 11:22:16 +0100
 
 openssl (1.1.1d-0+deb10u4) buster-security; urgency=medium
 
diff --git a/debian/patches/X509_cmp-Fix-comparison-in-case-x509v3_cache_extensions-f.patch b/debian/patches/X509_cmp-Fix-comparison-in-case-x509v3_cache_extensions-f.patch
new file mode 100644
index 0..4e6a391da269d
--- /dev/null
+++ b/debian/patches/X509_cmp-Fix-comparison-in-case-x509v3_cache_extensions-f.patch
@@ -0,0 +1,232 @@
+From: "Dr. David von Oheimb" 
+Date: Wed, 30 Dec 2020 09:57:49 +0100
+Subject: X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed
+ to due to invalid cert
+
+This is the backport of #13755 to v1.1.1.
+Fixes #13698
+
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/13756)
+---
+ crypto/x509/x509_cmp.c| 18 ++
+ crypto/x509/x_all.c   |  2 +-
+ crypto/x509v3/v3_purp.c   |  3 ++-
+ doc/man3/X509_get_extension_flags.pod |  9 +++--
+ include/openssl/x509v3.h  |  5 +++--
+ test/certs/invalid-cert.pem   | 19 +++
+ test/recipes/80-test_x509aux.t| 13 -
+ test/x509aux.c| 17 +++--
+ 8 files changed, 61 insertions(+), 25 deletions(-)
+ create mode 100644 test/certs/invalid-cert.pem
+
+diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
+index ad620af0aff4..c9d89336406f 100644
+--- a/crypto/x509/x509_cmp.c
 b/crypto/x509/x509_cmp.c
+@@ -133,19 +133,21 @@ unsigned long X509_subject_name_hash_old(X509 *x)
+  */
+ int X509_cmp(const X509 *a, const X509 *b)
+ {
+-int rv;
++int rv = 0;
+ 
+ if (a == b) /* for efficiency */
+ return 0;
+-/* ensure hash is valid */
+-if (X509_check_purpose((X509 *)a, -1, 0) != 1)
+-return -2;
+-if (X509_check_purpose((X509 *)b, -1, 0) != 1)
+-return -2;
+ 
+-rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+-if (rv)
++/* try to make sure hash is valid */
++(void)X509_check_purpose((X509 *)a, -1, 0);
++(void)X509_check_purpose((X509 *)b, -1, 0);
++
++if ((a->ex_flags & EXFLAG_NO_FINGERPRINT) == 0
++&& (b->ex_flags & EXFLAG_NO_FINGERPRINT) == 0)
++rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
++if (rv != 0)
+ return rv;
++
+ /* Check for match against stored encoding too */
+ if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) {
+ if (a->cert_info.enc.len < b->cert_info.enc.len)
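Review bot: after this hunk X509_cmp() never returns -2 any more; the two early returns that reported a certificate whose extension cache could not be built are replaced by `(void)X509_check_purpose()` calls, so a caller that used the -2 to detect a malformed certificate now gets an ordinary ordering result derived from the DER encoding. That is the intended fix for #13698, but it is an observable API change, and the file list of this patch touches doc/man3/X509_get_extension_flags.pod only; the X509_cmp() man page should say that certificates carrying EXFLAG_NO_FINGERPRINT are compared by encoding alone, and CHANGES should mention the dropped -2.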
+diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
+index aa5ccba44899..bec850af5797 100644
+--- a/crypto/x509/x_all.c
 b/crypto/x509/x_all.c
+@@ -363,7 +363,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
+ unsigned int *len)
+ {
+ if (type == EVP_sha1() && (data->ex_flags & EXFLAG_SET) != 0
+-&& (data->ex_flags & EXFLAG_INVALID) == 0) {
++&& (data->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) {
+ /* Asking for SHA1 and we already computed it. */
+ if (len != NULL)
+ *len = sizeof(data->sha1_hash);
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 2b06dba05398..93b5ca4d4283 100644
+--- a/crypto/x509v3/v3_purp.c
 b/crypto/x509v3/v3_purp.c
+@@ -391,7 +391,8 @@ static void x509v3_cache_extensions(X509 *x)
+ }
+ 
+ if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
+-x->ex_flags |= EXFLAG_INVALID;
++x->ex_flags |= (EXFLAG_NO_FINGERPRINT | EXFLAG_INVALID);
++
+ /* V1 should mean no extensions ... */
+ if (!X509_get_version(x))
+ x->ex_flags |= EXFLAG_V1;
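Review bot: EXFLAG_NO_FINGERPRINT is set here only together with EXFLAG_INVALID, and X509_digest() above now keys its SHA-1 cache on NO_FINGERPRINT rather than INVALID, so a certificate that is INVALID for extension reasons but hashed fine keeps its cached digest; since the new flag is public (include/openssl/x509v3.h is in the file list), the doc hunk below should state that NO_FINGERPRINT implies INVALID and that it is the flag to test before trusting sha1_hash, otherwise readers will keep testing EXFLAG_INVALID as x_all.c did before this patch.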
+diff --git a/doc/man3/X509_get_extension_flags.pod b/doc/man3/X509_get_extension_flags.pod
+index 43c9c952c6b7..cca72c71fcab 100644
+--- a/doc/man3/X509_get_extension_flags.pod
 b/doc/man3/X509_get_extension_flags.pod
+@@ -78,12 +78,17 @@ The certificate contains an unhandled critical extension.
+ 
+ =item B
+ 
+-Some certificate extension values are invalid or inconsistent. The
+-certificate should be rejected.
++Some certificate extension values are invalid or inconsistent.
++The certificate should be rejected.
+ This bit may also 

Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-21 Thread Sebastian Andrzej Siewior
On 2021-01-16 19:14:53 [+0100], Kurt Roeckx wrote:
> So I went over the open issues and pull requests, and currently
> don't see a reason not to upload it to unstable with those 2
> patches. I don't know about any other regressions in 1.1.1.

The openssl package migrated to testing.
I would prepare the pu package for Buster. Should I post here the
complete diff or an incremental containing only the new patches?
Once the openssl pu is acked I would open a pu for m2crypto. Or should
it be done now? (just asking).

> Kurt

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-14 Thread Sebastian Andrzej Siewior
On 2021-01-14 19:03:37 [+0100], Kurt Roeckx wrote:
> > Do you have pointers to upstream issues?
> 
> There are a whole bunch of other issues and pull requests related to
> this. I hope this is the end of the regressions in the X509 code.

Okay. Please ping once this gets sorted out and I will prepare
unstable/stable uploads. The m2crypto issue got resolved in unstable
\o/.

> Kurt

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2020-11-24 Thread Sebastian Andrzej Siewior
On 2020-11-24 20:18:15 [+], Adam D. Barratt wrote:
> That would be preferable at this point, yes, sorry. We should try and
> make sure it's sorted soon afterwards though, to avoid things getting
> stuck again.

I will set up an alarm on my side :)

> At some point, could we please have a combined / single diff between
> the current 1.1.1d-0+deb10u3 and the proposed 1.1.1h-0+deb10u1 (I
> assume)?

Sure. I will prepare one tomorrow.

> Regards,
> 
> Adam

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2020-11-20 Thread Sebastian Andrzej Siewior
On 2020-11-20 17:24:30 [+], Adam D. Barratt wrote:
> Predictably we're again quite close to a point release. :-( (One week
> from freeze, specifically.)

oh.

> Looking at the upstream issues regarding certificate validation changes
> between 1.1.1e and f/g, #11456 appears to have been addressed already,
> but #11625 is still open and looks stalled. Have you seen any more
> reports of that issue?

Not that I am aware of.

I don't want to rush anything. I have no problem to delay this until
after the point release if you prefer to do so.

> Regards,
> 
> Adam

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2020-11-15 Thread Sebastian Andrzej Siewior
On 2020-11-15 20:59:18 [+0100], Paul Gevers wrote:
> Hi Sebastian,
Hi Paul,

> I don't fully understand what you say here. We *do* run autopkgtests in
> stable to check for issues. 

Yes, but the package does not use it in stable.

Sebastian



Bug#959469: buster-pu: package openssl/1.1.1g-1

2020-11-15 Thread Sebastian Andrzej Siewior
control: retitle -1 buster-pu: package openssl/1.1.1h-1

On 2020-05-02 22:34:40 [+0100], Adam D. Barratt wrote:
> > > Do we have any feeling for how widespread such certificates might
> > > be?
> > > The fact that there have been two different upstream reports isn't
> > > particularly comforting.
> > 
> > This is correct. I don't know if there is tooling that is generating
> > broken certificates or just some individuals. I updated my two
> > OpenVPN instances and I saw clients connecting again.
> 
> Thanks for the information.

look at that. I deployed it locally and forgot all about it. Now I was
going to open a pu for 1.1.1h and noticed that I didn't finish this one.

I hereby propose an update to 1.1.1h.
There were no dramatic CVEs closed according to the news file, only

| o Disallow explicit curve parameters in verifications chains when
|   X509_V_FLAG_X509_STRICT is used
| o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS
|   contexts
| o Oracle Developer Studio will start reporting deprecation warnings

is listed under "major changes" since the g release.

We have h in unstable and testing. It took almost a month to migrate. It
was first blocked by swi-prolog (#972862) which was caused by an
"interesting" test suite. Test suite errors do not lead to build
failures, only debci is/was affected. The fix included only an update
to the testsuite.
The same error is also present in the stable version of swi-prolog.
However, this is not the only failure in the test suite (it also
complains about too small keys) and there is no debci for stable which
would cause a regression so I don't think that it is worth addressing
this in stable. The package builds fine from source.

I'm attaching a debdiff against the proposed g release.

> Regards,
> 
> Adam

Sebastian


1.1.1h.diff.xz
Description: application/xz


Bug#965257: buster-pu: package clamav/0.102.4+dfsg-0+deb10u1

2020-07-18 Thread Sebastian Andrzej Siewior
>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.102.3
+ClamAV config.status 0.102.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -34548,7 +34548,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.102.3, which was
+This file was extended by ClamAV $as_me 0.102.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -34615,7 +34615,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.102.3
+ClamAV config.status 0.102.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru clamav-0.102.3+dfsg/configure.ac clamav-0.102.4+dfsg/configure.ac
--- clamav-0.102.3+dfsg/configure.ac2020-05-16 11:23:53.0 +0200
+++ clamav-0.102.4+dfsg/configure.ac2020-07-17 20:19:54.0 +0200
@@ -22,7 +22,7 @@
 
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.102.3], [https://bugzilla.clamav.net/], [clamav], 
[https://www.clamav.net/])
+AC_INIT([ClamAV], [0.102.4], [https://bugzilla.clamav.net/], [clamav], 
[https://www.clamav.net/])
 
 dnl put configure auxiliary into config
 AC_CONFIG_AUX_DIR([config])
diff -Nru clamav-0.102.3+dfsg/debian/changelog 
clamav-0.102.4+dfsg/debian/changelog
--- clamav-0.102.3+dfsg/debian/changelog    2020-05-30 00:07:05.0 
+0200
+++ clamav-0.102.4+dfsg/debian/changelog2020-07-18 00:22:32.0 
+0200
@@ -1,3 +1,13 @@
+clamav (0.102.4+dfsg-0+deb10u1) buster; urgency=medium
+
+  * Import 0.102.4
+- CVE-2020-3350 (A malicious user trick clamav into moving a different 
file).
+- CVE-2020-3327 (A vulnerability in the ARJ archive parsing module).
+- CVE-2020-3481 (A vulnerability in the EGG archive module).
+  * Update symbol file.
+
+ -- Sebastian Andrzej Siewior   Sat, 18 Jul 2020 
00:22:32 +0200
+
 clamav (0.102.3+dfsg-0+deb10u1) buster; urgency=medium
 
   [ Sebastian Andrzej Siewior ]
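Review bot: the three CVE lines in this changelog hunk say what class of bug each is but not where a reader can find more, and "A malicious user trick clamav" is missing its verb form ("could trick"); since this changelog is what apt-listchanges shows on upgrade in stable, a pointer to the upstream 0.102.4 release announcement and the Debian bug numbers, if any were filed, would make the entry self-contained.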
diff -Nru clamav-0.102.3+dfsg/debian/.git-dpm 
clamav-0.102.4+dfsg/debian/.git-dpm
--- clamav-0.102.3+dfsg/debian/.git-dpm 2020-05-30 00:03:59.0 +0200
+++ clamav-0.102.4+dfsg/debian/.git-dpm 2020-07-18 00:19:32.0 +0200
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-04fd79ea5eace5273a13bd66b095e2fef0ea3bff
-04fd79ea5eace5273a13bd66b095e2fef0ea3bff
-07c9b9ef63bc584a39143a6cd002d199d1d46397
-07c9b9ef63bc584a39143a6cd002d199d1d46397
-clamav_0.102.3+dfsg.orig.tar.xz
-694c77d0aed527d3d135a3ccd7e30729fff55404
-5018320
+c07899f43b92f63e9ad0ccefa5379ca649603d4a
+c07899f43b92f63e9ad0ccefa5379ca649603d4a
+2e5f12d74d7065a47a1cf072e703445b81878e07
+2e5f12d74d7065a47a1cf072e703445b81878e07
+clamav_0.102.4+dfsg.orig.tar.xz
+a139e4b00726fbd97ad88c7b65e88000ebee38ab
+5023528
diff -Nru clamav-0.102.3+dfsg/debian/libclamav9.symbols 
clamav-0.102.4+dfsg/debian/libclamav9.symbols
--- clamav-0.102.3+dfsg/debian/libclamav9.symbols   2020-05-24 
13:13:40.0 +0200
+++ clamav-0.102.4+dfsg/debian/libclamav9.symbols   2020-07-18 
00:22:08.0 +0200
@@ -1,20 +1,20 @@
 libclamav.so.9 libclamav9 #MINVER#
 * Build-Depends-Package: libclamav-dev
- CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.102.3
+ CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.102.4
  CLAMAV_PUBLIC@CLAMAV_PUBLIC 0.101.0
- __cli_strcasestr@CLAMAV_PRIVATE 0.102.3
- __cli_strndup@CLAMAV_PRIVATE 0.102.3
- __cli_strnlen@CLAMAV_PRIVATE 0.102.3
- __cli_strnstr@CLAMAV_PRIVATE 0.102.3
- base64Flush@CLAMAV_PRIVATE 0.102.3
- blobAddData@CLAMAV_PRIVATE 0.102.3
- blobCreate@CLAMAV_PRIVATE 0.102.3
- blobDestroy@CLAMAV_PRIVATE 0.102.3
- cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.102.3
+ __cli_strcasestr@CLAMAV_PRIVATE 0.102.4
+ __cli_strndup@CLAMAV_PRIVATE 0.102.4
+ __cli_strnlen@CLAMAV_PRIVATE 0.102.4
+ __cli_strnstr@CLAMAV_PRIVATE 0.102.4
+ base64Flush@CLAMAV_PRIVATE 0.102.4
+ blobAddData@CLAMAV_PRIVATE 0.102.4
+ blobCreate@CLAMAV_PRIVATE 0.102.4
+ blobDestroy@CLAMAV_PRIVATE 0.102.4
+ cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.102.4
  cl_always_gen_section_hash@CLAMAV_PUBLIC 0.101.0
- cl_base64_decode@CLAMAV_PRIVATE 0.102.3
- cl_base64_encode@CLAMAV_PRIVATE 0.102.3
- cl_cleanup_crypto@CLAMAV_PRIVATE 0.102.3
+ cl_base64_decode@CLAMAV_PRIVATE 0.102.4
+ cl_base64_encode@CLAMAV_PRIVATE 0.102.4
+ cl_cleanup_crypto@CLAMAV_PRIVATE 0.102.4
  cl_countsigs@CLAMAV_PUBLIC 0.101.0
  cl_cvdfree@CLAMAV_PUBLIC 0.101.0
  cl_cvdhead@CLAMAV_PUBLIC 0.101.0
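Review bot: every CLAMAV_PRIVATE@CLAMAV_PRIVATE entry is bumped from 0.102.3 to 0.102.4 while the CLAMAV_PUBLIC@CLAMAV_PUBLIC entries stay at 0.101.0, which is the right call for an ABI that carries no stability promise across upstream releases, but it tightens the dependency dpkg-shlibdeps generates for anything linking those symbols to libclamav9 (>= 0.102.4); worth confirming that the only in-archive users of the private symbols are the binaries built from this same source, so no third-party package in buster picks up an unsatisfiable versioned dependency from the stable update.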
@@ -54,19 +54,19 @@
  cl_fmap_close@CLAMAV_PUBLIC 0.101.0
  cl_fmap_open_handle@CLAMAV_PUBLIC 0.101.0
  cl_fmap_op
