Your message dated Fri, 13 Mar 2009 20:00:48 +0000
with message-id <[email protected]>
and subject line Bug#514807: fixed in gnutls26 2.4.2-6+lenny1
has caused the Debian Bug report #514807,
regarding X.509v1 CA certs no longer trusted implicitly
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
514807: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514807
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls13
Version: 1.4.4-3+etch3
Severity: important

After the upgrade all embedded uses of LDAP fail with connection errors.
On investigation these seem to be caused by certificate validation
problems.

This was first noticed with nss_ldap. After enabling debugging, running
`getent group` produced error messages like:
TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
TLS certificate verification: Error, Unknown error

Similar problems occur for pam_ldap and apache mod_authnz_ldap.
Strangely, gnutls-cli verifies the server certificate with no problems.

The error was first seen in a STARTTLS only configuration. I have since
enabled ldaps to ease testing with gnutls-cli and confirmed it still
affects nss_ldap and apache switched to ldaps.

The root (trusted) certificate of our cert chain is an X.509v1 cert; however, I'd
expect gnutls-cli to complain if this were the issue.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-amd64
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)

Versions of packages libgnutls13 depends on:
ii  libc6                  2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii  libgcrypt11            1.2.3-2           LGPL Crypto library - runtime libr
ii  libgpg-error0          1.4-1             library for common error values an
ii  liblzo1                1.08-3            data compression library (old vers
ii  libopencdk8            0.5.9-2           Open Crypto Development Kit (OpenC
ii  libtasn1-3             0.3.6-2           Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3-13        compression library - runtime

libgnutls13 recommends no packages.

-- no debconf information



--- End Message ---
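
The report above traces the failures to an X.509v1 root in the trust chain. As an added example (not part of the bug report or of GnuTLS), the following reads the version field of each certificate in a PEM bundle so v1 roots can be found before a library upgrade changes how they are treated. The helper names and the sample bytes are constructed for illustration; the samples are DER skeletons, not valid certificates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3, read from the start of TBSCertificate."""
    pos = 0
    for name in ("Certificate", "TBSCertificate"):
        tag, pos, _ = read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError(name + " is not a SEQUENCE")
    tag, vstart, _ = read_tlv(der, pos)
    if tag != 0xA0:                        # [0] version absent: DEFAULT v1
        return 1
    itag, istart, iend = read_tlv(der, vstart)
    if itag != 0x02 or iend - istart != 1 or der[istart] > 2:
        raise ValueError("malformed version field")
    return der[istart] + 1                 # encoded 0, 1, 2 mean v1, v2, v3

def v1_certs(pem_bundle):
    """Return 0-based positions of X.509v1 certificates in a PEM bundle."""
    ders = (base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(pem_bundle))
    return [i for i, der in enumerate(ders) if x509_version(der) == 1]

# Constructed DER skeletons (version and serial only, short-form lengths).
def tlv(tag, body): return bytes([tag, len(body)]) + body
def pem(der): return ("-----BEGIN CERTIFICATE-----\n" +
    base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n")
SERIAL = tlv(0x02, b"\x01")
V1_SKELETON = tlv(0x30, tlv(0x30, SERIAL))
V3_SKELETON = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + SERIAL))
SAMPLE_BUNDLE = pem(V3_SKELETON) + pem(V1_SKELETON)
```

A v1 certificate has no extensions, so it cannot carry a basicConstraints CA flag; whether such a root is accepted is purely a policy decision of the verifying library.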
--- Begin Message ---
Source: gnutls26
Source-Version: 2.4.2-6+lenny1

We believe that the bug you reported is fixed in the latest version of
gnutls26, which is due to be installed in the Debian FTP archive:

gnutls-bin_2.4.2-6+lenny1_amd64.deb
  to pool/main/g/gnutls26/gnutls-bin_2.4.2-6+lenny1_amd64.deb
gnutls-doc_2.4.2-6+lenny1_all.deb
  to pool/main/g/gnutls26/gnutls-doc_2.4.2-6+lenny1_all.deb
gnutls26_2.4.2-6+lenny1.diff.gz
  to pool/main/g/gnutls26/gnutls26_2.4.2-6+lenny1.diff.gz
gnutls26_2.4.2-6+lenny1.dsc
  to pool/main/g/gnutls26/gnutls26_2.4.2-6+lenny1.dsc
guile-gnutls_2.4.2-6+lenny1_amd64.deb
  to pool/main/g/gnutls26/guile-gnutls_2.4.2-6+lenny1_amd64.deb
libgnutls-dev_2.4.2-6+lenny1_amd64.deb
  to pool/main/g/gnutls26/libgnutls-dev_2.4.2-6+lenny1_amd64.deb
libgnutls26-dbg_2.4.2-6+lenny1_amd64.deb
  to pool/main/g/gnutls26/libgnutls26-dbg_2.4.2-6+lenny1_amd64.deb
libgnutls26_2.4.2-6+lenny1_amd64.deb
  to pool/main/g/gnutls26/libgnutls26_2.4.2-6+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <[email protected]> (supplier of updated gnutls26 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 23 Feb 2009 21:56:10 +0100
Source: gnutls26
Binary: libgnutls-dev libgnutls26 libgnutls26-dbg gnutls-bin gnutls-doc guile-gnutls
Architecture: source all amd64
Version: 2.4.2-6+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Florian Weimer <[email protected]>
Description: 
 gnutls-bin - the GNU TLS library - commandline utilities
 gnutls-doc - the GNU TLS library - documentation and examples
 guile-gnutls - the GNU TLS library - GNU Guile bindings
 libgnutls-dev - the GNU TLS library - development files
 libgnutls26 - the GNU TLS library - runtime library
 libgnutls26-dbg - GNU TLS library - debugger symbols
Closes: 514735 514807
Changes: 
 gnutls26 (2.4.2-6+lenny1) stable-security; urgency=high
 .
   * Add patch from Simon Josefsson to reenable X.509v1 support for root
     CAs.  Closes: #514807, #514735.




--- End Message ---
