[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
This bug was fixed in the package gnutls28 - 3.2.11-2ubuntu1.2

---
gnutls28 (3.2.11-2ubuntu1.2) trusty; urgency=medium

  * debian/patches/check_same_certificate_not_only_issuer.patch: when
    verifying, check for the same certificate in the trusted list, not only
    the issuer.
  * debian/patches/compare_ca_name_and_key.patch: when comparing a CA
    certificate with the trusted list, compare the name and key.
    (LP: #1722411)

 -- Anders Kaseorg  Wed, 17 Jan 2018 16:23:47 -0500

** Changed in: gnutls28 (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1722411

Title:
  gnutls28 in trusty no longer validates many valid certificate chains, such as google.com

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1722411/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
@andersk The requirement has been around either since always or at least since a very long time, please see SRU acceptance comment #18:

"(...) If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. (...)"

It's been multiple times where people were testing versions from PPAs instead of the -proposed pocket. Also, the SRU team by accepting a package validation needs to have some level of certainty that the tester actually performed the required tests on the package. We had countless cases of testers just marking packages as verified without doing anything, or not going through all the required test cases. Having a version number at least gives us some information and a better sense that the test result can be trusted. Of course, people can just copy-paste and cheat anyway, but that's one additional step they need to perform at least.

In most cases we're not even accepting test results without mentioning what specific tests have been performed. The more verbosity the better, since we have more proof. If we'd believe blindly in whatever anyone just says we'd have more broken packages for no reason. Anyone can say "works for me", and many people do, but then subtle things like: "whoops, I actually tested the wrong version" pop up here and there because the tested PPA-built package that seemingly had the same contents could be busted in the -proposed archives due to different package dependencies being available.
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Łukasz: 3.2.11-2ubuntu1.2 in trusty-proposed. (What else could I be verifying? I’ve never encountered a requirement to explicitly state the version number when it’s already clear, but I’ll be sure to do so in the future.)
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Which version of the package is working for you? Test verification should include package version information for us to be sure that we're releasing the same version of the package that has been tested.
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Er, yeah, this has been working for me. Thanks for the reminder to actually set the tags.

** Tags removed: verification-needed verification-needed-trusty
** Tags added: verification-done verification-done-trusty
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Hey, Anders, don't you want to verify it?
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Hello Anders, or anyone else affected,

Accepted gnutls28 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnutls28/3.2.11-2ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: gnutls28 (Ubuntu Trusty)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-trusty
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Uploaded the updated debdiff
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
> I'll try with the updated debdiff. Thanks.

Looks good.
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
> I'm pretty sure that it's the "compare_ca_name_and_key.patch", which introduces "raw_spki", but doesn't seem to do anything to free it.

Oh, now I see how https://gitlab.com/gnutls/gnutls/commit/cdd60f7013d5e64702f3b04e6fe93218e88a2213 fixes the leak -- by avoiding the allocation in the first place. I wasn't paying attention this morning :)

I'll try with the updated debdiff. Thanks.
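The leak and the two ways of fixing it that this thread discusses (freeing raw_spki when the certificate is torn down, as in the extra patch posted here, versus avoiding the allocation), modelled as an added example; it is not GnuTLS code and not code from any poster. The structs, the toy certificate encoding and the choice to implement "avoiding the allocation" as a pointer into the already-owned buffer are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the leak in this thread; none of this is GnuTLS code. */
typedef struct { unsigned char *data; size_t size; } datum_t;
enum spki_mode { SPKI_LEAKED, SPKI_FREED, SPKI_BORROWED };
typedef struct {
    datum_t der;       /* owned copy of the encoded certificate */
    datum_t raw_spki;  /* key bytes: owned copy, or a view into der */
    enum spki_mode mode;
} cert_t;

static long live_blocks;   /* heap blocks currently held by datums */

static int datum_copy(datum_t *d, const unsigned char *src, size_t n)
{
    d->data = malloc(n ? n : 1);
    if (d->data == NULL)
        return -1;
    memcpy(d->data, src, n);
    d->size = n;
    live_blocks++;
    return 0;
}

static void datum_release(datum_t *d)
{
    if (d->data != NULL)
        live_blocks--;
    free(d->data);
    d->data = NULL;
    d->size = 0;
}

/* Toy encoding (constructed, not DER): [dn_len][dn...][spki_len][spki...] */
static int cert_import(cert_t *c, const unsigned char *buf, size_t len,
                       enum spki_mode mode)
{
    size_t dn_len, spki_off, spki_len;
    memset(c, 0, sizeof(*c));
    c->mode = mode;
    if (len < 2 || (size_t)buf[0] + 2 > len)
        return -1;
    dn_len = buf[0];
    spki_off = dn_len + 2;
    spki_len = buf[dn_len + 1];
    if (spki_off + spki_len > len || datum_copy(&c->der, buf, len) < 0)
        return -1;
    if (mode == SPKI_BORROWED) {          /* no allocation: point into der */
        c->raw_spki.data = c->der.data + spki_off;
        c->raw_spki.size = spki_len;
    } else if (datum_copy(&c->raw_spki, buf + spki_off, spki_len) < 0) {
        datum_release(&c->der);
        return -1;
    }
    return 0;
}

static void cert_deinit(cert_t *c)
{
    if (c->mode == SPKI_FREED)            /* SPKI_LEAKED skips this free */
        datum_release(&c->raw_spki);
    datum_release(&c->der);
    memset(c, 0, sizeof(*c));             /* a leaked copy is now unreachable */
}

static const unsigned char SAMPLE_CERT[] = { 4, 'C','N','=','A', 3, 1, 2, 3 };

/* Import and deinit one certificate per round; return blocks still held. */
static long blocks_left_after(enum spki_mode mode, int rounds)
{
    cert_t cert;
    int i;
    live_blocks = 0;
    for (i = 0; i < rounds; i++) {
        if (cert_import(&cert, SAMPLE_CERT, sizeof(SAMPLE_CERT), mode) < 0)
            return -1;
        cert_deinit(&cert);
    }
    return live_blocks;
}

int main(void)
{
    printf("leaked:   %ld blocks\n", blocks_left_after(SPKI_LEAKED, 1000));
    printf("freed:    %ld blocks\n", blocks_left_after(SPKI_FREED, 1000));
    printf("borrowed: %ld blocks\n", blocks_left_after(SPKI_BORROWED, 1000));
    return 0;
}
```

In the leaked mode every import leaves one block behind, the same one-block-per-import pattern as the Valgrind records in this thread; running the binary under `valgrind --leak-check=full` shows it as "definitely lost".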
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Er, right, I uploaded the wrong file, here’s the right one. I’ll leave it to the sponsor to figure out whether the version needs to be bumped again, as the previous upload is still unapproved (https://launchpad.net/ubuntu/trusty/+queue?queue_state=1).

** Patch added: "debdiff with memory leak actually fixed"
   https://bugs.launchpad.net/ubuntu/trusty/+source/gnutls28/+bug/1722411/+attachment/5039125/+files/gnutls28_3.2.11-2ubuntu1.1_lp1722411_v2.debdiff

** Patch removed: "debdiff with memory leak fixed"
   https://bugs.launchpad.net/ubuntu/trusty/+source/gnutls28/+bug/1722411/+attachment/5038515/+files/gnutls28_3.2.11-2ubuntu1.1_lp1722411.debdiff
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
In my testing, that patch appears to fix the memory leak. I'm attaching it properly. I have no idea how to get it in a .debdiff. Also, does that require a version bump to "ubuntu1.3"?

** Patch added: "compare_ca_name_and_key_free.patch"
   https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1722411/+attachment/5039078/+files/compare_ca_name_and_key_free.patch
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
I'm trying it with the following extra patch:

diff -ruN gnutls28-3.2.11-orig/lib/x509/x509.c gnutls28-3.2.11/lib/x509/x509.c --- gnutls28-3.2.11-orig/lib/x509/x509.c2014-01-01 17:14:59.0 + +++ gnutls28-3.2.11/lib/x509/x509.c 2018-01-18 14:52:52.617834001 + @@ -136,6 +136,7 @@ asn1_delete_structure(>cert); gnutls_free(cert->raw_dn.data); gnutls_free(cert->raw_issuer_dn.data); + gnutls_free(cert->raw_spki.data); gnutls_free(cert); } @@ -202,6 +203,7 @@ asn1_delete_structure(>cert); _gnutls_free_datum(>raw_dn); _gnutls_free_datum(>raw_issuer_dn); + _gnutls_free_datum(>raw_spki); result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.Certificate", @@ -252,6 +262,7 @@ _gnutls_free_datum(&_data); _gnutls_free_datum(>raw_dn); _gnutls_free_datum(>raw_issuer_dn); + _gnutls_free_datum(>raw_spki); return result; }
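Review bot: the third hunk header, "@@ -252,6 +262,7 @@", does not follow from the two hunks before it. Each earlier hunk adds exactly one line ("-136,6 +136,7" and "-202,6 +203,7"), so old line 252 should start at new line 254, not 262; either hunks were left out of what was posted or the header was edited by hand. Regenerate the diff from the patched tree so that all three raw_spki releases apply without fuzz, and check that nothing else that sets raw_spki is missing a matching release.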
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
"debdiff with memory leak fixed" appears to be identical to the original debdiff.
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
I'm pretty sure that it's the "compare_ca_name_and_key.patch", which introduces "raw_spki", but doesn't seem to do anything to free it. I'll do some more investigation today.
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
** Patch added: "Patch with memory leak fixed"
   https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1722411/+attachment/5038515/+files/gnutls28_3.2.11-2ubuntu1.1_lp1722411.debdiff
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
8-roger: That’s probably because 3.2 is lacking https://gitlab.com/gnutls/gnutls/commit/cdd60f7013d5e64702f3b04e6fe93218e88a2213.
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
The debdiff introduces a memory leak. With the simple program at https://gist.github.com/rlipscombe/78d6e3bbfc67e010f1e7a9ddd8c87099, the previous version is fine, but this one leaks. Valgrind reports the following:

==11134==
==11134== HEAP SUMMARY:
==11134==     in use at exit: 1,014,363 bytes in 3,794 blocks
==11134==   total heap usage: 978,656 allocs, 974,862 frees, 572,269,255 bytes allocated
==11134==
==11134== 53,462 bytes in 148 blocks are definitely lost in loss record 33 of 37
==11134==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11134==    by 0x4E6DF61: _gnutls_set_datum (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E98A4C: _gnutls_x509_get_raw_dn2 (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4EBBDB8: gnutls_x509_crt_import (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4EC0C9D: gnutls_x509_crt_list_import (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4EC0EF6: gnutls_x509_crt_list_import2 (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E7DCF3: gnutls_certificate_set_x509_trust_mem (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E7E037: gnutls_certificate_set_x509_trust_file (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x40107C: main (in /vagrant/gnutls-client)
==11134==
==11134== 294,000 bytes in 1,000 blocks are definitely lost in loss record 35 of 37
==11134==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11134==    by 0x4E6DF61: _gnutls_set_datum (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E98A4C: _gnutls_x509_get_raw_dn2 (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4EBBDB8: gnutls_x509_crt_import (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E81246: gnutls_pcert_import_x509_raw (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4EE0FC6: _gnutls_proc_crt (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E67836: _gnutls_recv_server_certificate (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E64B0F: gnutls_handshake (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x401253: main (in /vagrant/gnutls-client)
==11134==
==11134== 294,000 bytes in 1,000 blocks are definitely lost in loss record 36 of 37
==11134==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11134==    by 0x4E6DF61: _gnutls_set_datum (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E98A4C: _gnutls_x509_get_raw_dn2 (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4EBBDB8: gnutls_x509_crt_import (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E81246: gnutls_pcert_import_x509_raw (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4EE427A: _gnutls_proc_dhe_signature (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4EEBB2C: proc_ecdhe_server_kx (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E674B3: _gnutls_recv_server_kx_message (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E64AB7: gnutls_handshake (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x401253: main (in /vagrant/gnutls-client)
==11134==
==11134== 294,000 bytes in 1,000 blocks are definitely lost in loss record 37 of 37
==11134==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11134==    by 0x4E6DF61: _gnutls_set_datum (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E98A4C: _gnutls_x509_get_raw_dn2 (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4EBBDB8: gnutls_x509_crt_import (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4E7C05F: _gnutls_x509_cert_verify_peers (in /usr/lib/x86_64-linux-gnu/libgnutls.so.28.30.1)
==11134==    by 0x4012AF: main (in /vagrant/gnutls-client)
==11134==
==11134== LEAK SUMMARY:
==11134==    definitely lost: 935,462 bytes in 3,148 blocks
==11134==    indirectly lost: 0 bytes in 0 blocks
==11134==      possibly lost: 0 bytes in 0 blocks
==11134==    still reachable: 78,901 bytes in 646 blocks
==11134==         suppressed: 0 bytes in 0 blocks
==11134== Reachable blocks (those to which a pointer was found) are not shown.
==11134== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==11134==
==11134== For counts of detected and suppressed errors, rerun with: -v
==11134== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
** Changed in: gnutls28 (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: gnutls28 (Ubuntu)
   Importance: Undecided => High
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Built the package, ran the command in the test, verified that it worked. Popped the 2 patches, ran make again, verified that the command did not work.

=> tested OK

Uploaded.
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Just to record my analysis of the debdiff:

The changes are basically the same as the upstream commits, except for the PKCS#11 changes. This means that PKCS#11 certificates are still checked in full. I'm not sure where that would be used, but it is not a security problem (less is allowed than upstream, not more).

I have verified that xenial contains the same fixes by checking that _gnutls_check_if_same_key() exists there.

The changelog mentions trusty-updates, and does not close the bug report. I added (LP: #1722411) as a final line and changed the distribution to trusty to match other uploads.

I'm building now, and will verify that the bug is fixed and upload afterwards.
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Looking at it. First patch looks OK, have to compare the other patch with the upstream changes.

** Changed in: gnutls28 (Ubuntu Trusty)
   Status: Confirmed => In Progress

** Changed in: gnutls28 (Ubuntu Trusty)
   Assignee: (unassigned) => Julian Andres Klode (juliank)
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: gnutls28 (Ubuntu Trusty)
   Status: New => Confirmed
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
** Also affects: gnutls28 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: gnutls28 (Ubuntu)
   Status: New => Fix Released
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
** Tags added: patch
[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Here is a patch for trusty that backports the relevant parts of the three upstream commits fixing this bug.

** Patch added: "gnutls28_3.2.11-2ubuntu1.1_lp1722411.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1722411/+attachment/4966289/+files/gnutls28_3.2.11-2ubuntu1.1_lp1722411.debdiff