Your message dated Fri, 13 Mar 2009 20:01:20 +0000
with message-id <[email protected]>
and subject line Bug#514807: fixed in gnutls13 1.4.4-3+etch4
has caused the Debian Bug report #514807,
regarding X.509v1 CA certs no longer trusted implicitly
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
514807: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514807
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls13
Version: 1.4.4-3+etch3
Severity: important
After the upgrade all embedded uses of LDAP fail with connection errors.
On investigation these seem to be caused by certificate validation
problems.

This was first noticed with nss_ldap. After enabling debugging, running
`getent group` produced error messages like:

  TLS certificate verification: depth: 0, err: 130, subject: <snip DN/>
  TLS certificate verification: Error, Unknown error

Similar problems occur for pam_ldap and apache mod_authnz_ldap.
Strangely, gnutls-cli verifies the server certificate with no problems.

The error was first seen in a STARTTLS-only configuration. I have since
enabled ldaps to ease testing with gnutls-cli and confirmed it still
affects nss_ldap and apache switched to ldaps.

The root (trusted) certificate of our cert chain is an x509v1 cert; however, I'd
expect gnutls-cli to complain if this were the issue.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-amd64
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Versions of packages libgnutls13 depends on:
ii libc6 2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii libgcrypt11 1.2.3-2 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-1 library for common error values an
ii liblzo1 1.08-3 data compression library (old vers
ii libopencdk8 0.5.9-2 Open Crypto Development Kit (OpenC
ii libtasn1-3 0.3.6-2 Manage ASN.1 structures (runtime)
ii zlib1g 1:1.2.3-13 compression library - runtime
libgnutls13 recommends no packages.
-- no debconf information
--- End Message ---
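The report above turns on the root certificate being X.509v1. A v1 certificate omits the version field in its DER encoding and cannot carry extensions such as basicConstraints, so a verifier has to decide by policy whether to accept it as a CA. The following Python example is added here for illustration and is not part of the original report or of GnuTLS; the function names are hypothetical and the sample byte strings are constructed skeletons containing only the leading certificate fields.

```python
# Added example: read the X.509 version from a DER-encoded certificate by
# walking just enough ASN.1 to reach the first field of TBSCertificate.

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded certificate."""
    tag, start, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = _read_tlv(der, start)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, _ = _read_tlv(der, start)     # first field of tbsCertificate
    if tag != 0xA0:                            # no [0] tag: version defaults to v1
        return 1
    tag, istart, iend = _read_tlv(der, vstart) # INTEGER wrapped in [0] EXPLICIT
    if tag != 0x02 or iend - istart != 1 or der[istart] > 2:
        raise ValueError("malformed version field")
    return der[istart] + 1                     # encoded 0, 1, 2 mean v1, v2, v3

def needs_explicit_trust_as_ca(der):
    """True for v1/v2 certificates, which cannot carry basicConstraints."""
    return x509_version(der) < 3

def _der(tag, body):
    """Build a short-form DER element (helper for the constructed samples)."""
    return bytes([tag, len(body)]) + body

# Constructed skeletons: only the fields the parser inspects are present.
SERIAL = _der(0x02, b"\x01")
V1_SAMPLE = _der(0x30, _der(0x30, SERIAL))
V3_SAMPLE = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + SERIAL))
```

For a PEM file, convert first with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the result to `x509_version()`.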
--- Begin Message ---
Source: gnutls13
Source-Version: 1.4.4-3+etch4
We believe that the bug you reported is fixed in the latest version of
gnutls13, which is due to be installed in the Debian FTP archive:
gnutls-bin_1.4.4-3+etch4_amd64.deb
to pool/main/g/gnutls13/gnutls-bin_1.4.4-3+etch4_amd64.deb
gnutls-doc_1.4.4-3+etch4_all.deb
to pool/main/g/gnutls13/gnutls-doc_1.4.4-3+etch4_all.deb
gnutls13_1.4.4-3+etch4.diff.gz
to pool/main/g/gnutls13/gnutls13_1.4.4-3+etch4.diff.gz
gnutls13_1.4.4-3+etch4.dsc
to pool/main/g/gnutls13/gnutls13_1.4.4-3+etch4.dsc
libgnutls-dev_1.4.4-3+etch4_amd64.deb
to pool/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch4_amd64.deb
libgnutls13-dbg_1.4.4-3+etch4_amd64.deb
to pool/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch4_amd64.deb
libgnutls13_1.4.4-3+etch4_amd64.deb
to pool/main/g/gnutls13/libgnutls13_1.4.4-3+etch4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Florian Weimer <[email protected]> (supplier of updated gnutls13 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 23 Feb 2009 21:45:41 +0100
Source: gnutls13
Binary: libgnutls-dev libgnutls13 gnutls-bin gnutls-doc libgnutls13-dbg
Architecture: source amd64 all
Version: 1.4.4-3+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Florian Weimer <[email protected]>
Description:
gnutls-bin - the GNU TLS library - commandline utilities
gnutls-doc - the GNU TLS library - documentation and examples
libgnutls-dev - the GNU TLS library - development files
libgnutls13 - the GNU TLS library - runtime library
libgnutls13-dbg - GNU TLS library - debugger symbols
Closes: 514735 514807
Changes:
gnutls13 (1.4.4-3+etch4) oldstable-security; urgency=high
.
* Add patch from Simon Josefsson to reenable X.509v1 support for root
CAs. Closes: #514807, #514735.
Files:
229287edc239349b5014f2d31890912a 1259 devel optional gnutls13_1.4.4-3+etch4.dsc
fd8b423c5f4a11af2c60eda979df9b00 21337 devel optional gnutls13_1.4.4-3+etch4.diff.gz
4809b5a15fa8554dbf0cc7331ed0128a 2305134 doc optional gnutls-doc_1.4.4-3+etch4_all.deb
c6aa74857be44068f4e0d1f1322e30af 389308 libdevel optional libgnutls-dev_1.4.4-3+etch4_amd64.deb
9ea77f3b9e6fb21d899786f0f14d714c 314864 libs important libgnutls13_1.4.4-3+etch4_amd64.deb
223f5f50236b96400405a7c2ea4af3b9 539598 devel extra libgnutls13-dbg_1.4.4-3+etch4_amd64.deb
8e1dae14f9ea57b112fe260b1b0d4133 183034 net optional gnutls-bin_1.4.4-3+etch4_amd64.deb
--- End Message ---