Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-13 Thread Julien Cristau
On Sun, Sep 11, 2016 at 20:48:07 +0200, Julien Cristau wrote:

> > +diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c
> > +index a381be1..7bfc10f 100644
> > +--- a/modules/tls/tls_init.c
> >  b/modules/tls/tls_init.c
> > +@@ -543,8 +543,10 @@ int init_tls_h(void)
> > + #endif
> > +   ssl_version=SSLeay();
> > +   /* check if version have the same major minor and fix level
> > +-   * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */
> > +-  if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){
> > ++   * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not)
> > ++   * - values is represented as 0xMMNNFFPPS: major minor fix patch status
> > ++   *   0x00090705f == 0.9.7e release */
> > ++  if ((ssl_version>>12)!=(OPENSSL_VERSION_NUMBER>>12)){
> > +   LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library "
> > +   "version is too different from the library the 
> > ser tls module "
> > +   "was compiled with: installed \"%s\" (0x%08lx), 
> > compiled "
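Review bot: The literal 12 in `if ((ssl_version>>12)!=(OPENSSL_VERSION_NUMBER>>12)){` is a magic number, and the defect being fixed was a wrong shift width: by the layout in the new comment, shifting by 8 drops the status nibble and only the low nibble of the patch byte. A named macro or mask for the major/minor/fix bits, defined beside the layout comment and used on both sides of the comparison, would make the intended granularity explicit and harder to get wrong again.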
> 
> TBH, this seems just as wrong; libssl has a SONAME for a reason, no need
> to reinvent broken checks in each user.
> 
If I'm reading it right, the new check will still be unhappy with
libssl1.0.0 1.0.2h-1~bpo8+2 from jessie-backports, whereas that should
be ABI-compatible with libssl1.0.0 1.0.1t-1+deb8u2 from stable.

Cheers,
Julien
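The two shift widths applied to the version numbers from the startup log further down this thread, plus the 1.0.2h case raised above, as an added example (not code from Kamailio or from anyone in the thread). The function names are made up for illustration, and the 1.0.2h value 0x1000208f is constructed here from the MNNFFPPS layout rather than taken from the page.

```c
#include <stdio.h>

/* Pre-3.0 OpenSSL version number, 32 bits laid out as M NN FF PP S. */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver decode(unsigned long v)
{
    struct ossl_ver d;
    d.major  = (unsigned)((v >> 28) & 0xf);
    d.minor  = (unsigned)((v >> 20) & 0xff);
    d.fix    = (unsigned)((v >> 12) & 0xff);
    d.patch  = (unsigned)((v >> 4) & 0xff);   /* 1 = 'a', 2 = 'b', ... */
    d.status = (unsigned)(v & 0xf);           /* 0xf = release */
    return d;
}

/* Check before the patch: >>8 drops status and only the LOW nibble of PP. */
static int old_check_ok(unsigned long runtime, unsigned long built)
{
    return (runtime >> 8) == (built >> 8);
}

/* Check after the patch: >>12 drops status and the whole patch byte. */
static int new_check_ok(unsigned long runtime, unsigned long built)
{
    return (runtime >> 12) == (built >> 12);
}

static void report(const char *name, unsigned long runtime, unsigned long built)
{
    struct ossl_ver r = decode(runtime);
    printf("%-7s 0x%08lx = %u.%u.%u patch %2u | old: %-6s new: %s\n",
           name, runtime, r.major, r.minor, r.fix, r.patch,
           old_check_ok(runtime, built) ? "ok" : "reject",
           new_check_ok(runtime, built) ? "ok" : "reject");
}

int main(void)
{
    const unsigned long built = 0x100010bfUL;  /* 1.0.1k, from the log */
    report("1.0.1k", 0x100010bfUL, built);     /* same library */
    report("1.0.1t", 0x1000114fUL, built);     /* from the log */
    report("1.0.2h", 0x1000208fUL, built);     /* constructed, see lead-in */
    return 0;
}
```

The 1.0.1t row shows why the old check refused to start (patch byte 0x14 against 0x0b differs in its high nibble), and the 1.0.2h row shows the patched check still rejecting a library that differs only at the fix level.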



Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-11 Thread Julien Cristau
On Wed, Sep  7, 2016 at 11:48:46 +0200, Victor Seva wrote:

> diff -Nru kamailio-4.2.0/debian/patches/fix_tls.patch 
> kamailio-4.2.0/debian/patches/fix_tls.patch
> --- kamailio-4.2.0/debian/patches/fix_tls.patch   1970-01-01 
> 01:00:00.0 +0100
> +++ kamailio-4.2.0/debian/patches/fix_tls.patch   2016-09-07 
> 10:00:32.0 +0200
> @@ -0,0 +1,34 @@
> +From 0a5f99b28d01d79cf2675df6d2a6220167e2476e Mon Sep 17 00:00:00 2001
> +From: Daniel-Constantin Mierla 
> +Date: Tue, 7 Jun 2016 15:21:06 +0200
> +Subject: [PATCH] tls: proper check of libssl versions used for compilation 
> and
> + available on system
> +
> +- shift out the last 12bits, being the patch version and status (see man
> +  SSLeay)
> +- reported by Victor Seva, GH #662
> +
> +(cherry picked from commit c38b4c7345a6806f48a0cdb07841e10bc962e1bf)
> +(cherry picked from commit 253909bf673c0a59e7adf578bb5df73eb157d0f2)
> +(cherry picked from commit 5632abc108bf8ed8157a77806ea80b962db3fa4f)
> +---
> + modules/tls/tls_init.c | 6 --
> + 1 file changed, 4 insertions(+), 2 deletions(-)
> +
> +diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c
> +index a381be1..7bfc10f 100644
> +--- a/modules/tls/tls_init.c
>  b/modules/tls/tls_init.c
> +@@ -543,8 +543,10 @@ int init_tls_h(void)
> + #endif
> + ssl_version=SSLeay();
> + /* check if version have the same major minor and fix level
> +- * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */
> +-if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){
> ++ * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not)
> ++ * - values is represented as 0xMMNNFFPPS: major minor fix patch status
> ++ *   0x00090705f == 0.9.7e release */
> ++if ((ssl_version>>12)!=(OPENSSL_VERSION_NUMBER>>12)){
> + LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library "
> + "version is too different from the library the 
> ser tls module "
> + "was compiled with: installed \"%s\" (0x%08lx), 
> compiled "
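Review bot: The added comment's layout string `0xMMNNFFPPS` and its example `0x00090705f` each show nine hex digits, while the same value is logged with `0x%08lx` a few lines below, so the documented layout does not line up with the number the code compares. Suggest writing the layout as `MNNFFPPS` (one nibble for major) and the example as `0x0090705f`, and changing "values is represented" to "the value is represented" while there.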

TBH, this seems just as wrong; libssl has a SONAME for a reason, no need
to reinvent broken checks in each user.

Cheers,
Julien



Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-09 Thread Adam D. Barratt
Control: tags -1 + pending

On Fri, 2016-09-09 at 01:52 +0100, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
> 
> On Wed, 2016-09-07 at 11:48 +0200, Victor Seva wrote:
> > 2016-09-07 9:30 GMT+02:00 Adam D. Barratt :
> > > Thanks for caring about fixing this in jessie.
> > >
> > > In order to okay an upload, however, we'd need to see a source debdiff for
> > > the proposed package, built and tested on a jessie system.
> > 
> > Sure.
> 
> Thanks; please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-09 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #836910 [release.debian.org] jessie-pu: package kamailio/4.2.0-2+deb8u1
Added tag(s) pending.

-- 
836910: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #836910 [release.debian.org] jessie-pu: package kamailio/4.2.0-2+deb8u1
Removed tag(s) moreinfo.
Bug #836910 [release.debian.org] jessie-pu: package kamailio/4.2.0-2+deb8u1
Added tag(s) confirmed.

-- 
836910: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-08 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Wed, 2016-09-07 at 11:48 +0200, Victor Seva wrote:
> 2016-09-07 9:30 GMT+02:00 Adam D. Barratt :
> > Thanks for caring about fixing this in jessie.
> >
> > In order to okay an upload, however, we'd need to see a source debdiff for
> > the proposed package, built and tested on a jessie system.
> 
> Sure.

Thanks; please go ahead.

Regards,

Adam



Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-07 Thread Victor Seva
2016-09-07 9:30 GMT+02:00 Adam D. Barratt :
> Thanks for caring about fixing this in jessie.
>
> In order to okay an upload, however, we'd need to see a source debdiff for
> the proposed package, built and tested on a jessie system.

Sure.

Before:
dpkg -l | grep kamailio
ii  kamailio   4.2.0-2+deb8u1  amd64
 very fast and configurable SIP proxy
ii  kamailio-tls-modules:amd64 4.2.0-2+deb8u1  amd64
 contains the TLS kamailio transport module

root@debian-jessie-plain:/etc/kamailio# systemctl status kamailio -l
● kamailio.service - LSB: Start the Kamailio SIP proxy server
   Loaded: loaded (/etc/init.d/kamailio)
   Active: active (exited) since Wed 2016-09-07 11:36:47 CEST; 44s ago
  Process: 16399 ExecStop=/etc/init.d/kamailio stop (code=exited,
status=0/SUCCESS)
  Process: 16410 ExecStart=/etc/init.d/kamailio start (code=exited,
status=0/SUCCESS)

Sep 07 11:36:47 debian-jessie-plain kamailio[16410]: udp: localhost:5060
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO:
rr [../outbound/api.h:54]: ob_load_api(): Failed to import bind_ob
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO:
rr [rr_mod.c:160]: mod_init(): outbound module not available
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO:
usrloc [hslot.c:53]: ul_init_locks(): locks array size 1024
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO:
tls [tls_mod.c:346]: mod_init(): With ECDH-Support!
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO:
tls [tls_mod.c:349]: mod_init(): With Diffie Hellman
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: : tls
[tls_init.c:515]: init_tls_h(): ERROR: tls: init_tls_h: installed
openssl library version is too different from the library the ser tls
module was compiled with: installed "OpenSSL 1.0.1t  3 May 2016"
(0x1000114f), compiled "OpenSSL 1.0.1k 8 Jan 2015" (0x100010bf).
Please
make sure a compatible version is used (tls_force_run in ser.cfg will
override this check)
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]:
CRITICAL:  [main.c:2521]: main(): could not initialize tls,
exiting...
Sep 07 11:36:47 debian-jessie-plain kamailio[16410]: already running ... failed!
Sep 07 11:36:47 debian-jessie-plain kamailio[16410]: .

$ dpkg -l | grep openssl
ii  libgnutls-openssl27:amd64  3.3.8-6+deb8u3  amd64
 GNU TLS library - OpenSSL wrapper
ii  openssl                    1.0.1k-3+deb8u5 amd64
 Secure Sockets Layer toolkit - cryptographic utility


After:
$ dpkg -l | grep kamailio
ii  kamailio   4.2.0-2+deb8u2  amd64
 very fast and configurable SIP proxy
ii  kamailio-tls-modules:amd64 4.2.0-2+deb8u2  amd64
 contains the TLS kamailio transport module

$ systemctl status kamailio -l
● kamailio.service - LSB: Start the Kamailio SIP proxy server
   Loaded: loaded (/etc/init.d/kamailio)
   Active: active (running) since Wed 2016-09-07 11:45:11 CEST; 7s ago
   CGroup: /system.slice/kamailio.service

Installing previous openssl version has no effect, so fix works properly
diff -Nru kamailio-4.2.0/debian/changelog kamailio-4.2.0/debian/changelog
--- kamailio-4.2.0/debian/changelog 2016-03-21 00:24:40.0 +0100
+++ kamailio-4.2.0/debian/changelog 2016-09-07 10:00:32.0 +0200
@@ -1,3 +1,12 @@
+kamailio (4.2.0-2+deb8u2) stable-proposed-updates; urgency=medium
+
+  * use my DD account \o/
+  * add upstream fix for:
+proper check of libssl versions used for compilation
+and available on system (Closes: #833973)
+
+ -- Victor Seva   Wed, 07 Sep 2016 10:00:32 +0200
+
 kamailio (4.2.0-2+deb8u1) jessie-security; urgency=medium
 
   * CVE-2016-2385
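Review bot: The entry `* use my DD account \o/` does not say what changed in the package; the only matching change in this debdiff is the Uploaders line in debian/control, so the entry should name that field. The second entry could also name the file it adds, debian/patches/fix_tls.patch, so the changelog can be matched against the diff without reading the hunks.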
diff -Nru kamailio-4.2.0/debian/control kamailio-4.2.0/debian/control
--- kamailio-4.2.0/debian/control   2015-01-28 20:48:03.0 +0100
+++ kamailio-4.2.0/debian/control   2016-09-07 10:00:32.0 +0200
@@ -2,7 +2,7 @@
 Section: net
 Priority: optional
 Maintainer: Debian VoIP Team 
-Uploaders: Victor Seva ,
+Uploaders: Victor Seva ,
Tzafrir Cohen 
 Build-Depends: bison,
debhelper (>= 9),
diff -Nru kamailio-4.2.0/debian/patches/fix_tls.patch 
kamailio-4.2.0/debian/patches/fix_tls.patch
--- kamailio-4.2.0/debian/patches/fix_tls.patch 1970-01-01 01:00:00.0 
+0100
+++ kamailio-4.2.0/debian/patches/fix_tls.patch 2016-09-07 10:00:32.0 
+0200
@@ -0,0 +1,34 @@
+From 0a5f99b28d01d79cf2675df6d2a6220167e2476e Mon Sep 17 00:00:00 2001
+From: Daniel-Constantin Mierla 
+Date: Tue, 7 Jun 2016 15:21:06 +0200
+Subject: [PATCH] tls: proper check of libssl versions used for compilation and
+ available on system

Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-07 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2016-09-07 8:14, Victor Seva wrote:

> kamailio in jessie has a bug described at #833973 that makes it impossible
> to use TLS with kamailio without downgrading openssl.
>
> The issue was reported by me [0] to upstream and a fix was merged [1]
>
> I would like to push this fix to jessie


Thanks for caring about fixing this in jessie.

In order to okay an upload, however, we'd need to see a source debdiff 
for the proposed package, built and tested on a jessie system.


Regards,

Adam



Processed: Re: Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-07 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #836910 [release.debian.org] jessie-pu: package kamailio/4.2.0-2+deb8u1
Added tag(s) moreinfo.

-- 
836910: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1

2016-09-07 Thread Victor Seva
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

kamailio in jessie has a bug described at #833973 that makes it impossible
to use TLS with kamailio without downgrading openssl.

The issue was reported by me [0] to upstream and a fix was merged [1]

I would like to push this fix to jessie

Victor


[0] https://github.com/kamailio/kamailio/issues/662
[1] 
https://github.com/kamailio/kamailio/commit/0a5f99b28d01d79cf2675df6d2a6220167e2476e

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)