Your message dated Sun, 31 Jan 2016 16:49:06 +0000
with message-id <[email protected]>
and subject line Bug#813243: fixed in gnutls28 3.4.8-3
has caused the Debian Bug report #813243,
regarding gnutls-bin: Broken Key Usage flags in certificates created with 
certtool
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
813243: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813243
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnutls-bin
Version: 3.4.8-2
Severity: normal
Tags: upstream patch

I found that certtool writes broken Key Usage extensions to generated
certificates. For example, when using the follwing template (from the
mod_gnutls test suite) to create a CA, neither of the requested flags
(certificate signing and CRL signing) is set.

cn="Testing Authority"
ca
cert_signing_key
crl_signing_key

The key usage extension ends up present but empty. This leads to all
certificates issued by the CA getting rejected because signing
certificates violates the certificate's constraints. I've reported the
bug upstream [1] and there is a simple patch [2]. Please apply it to the
version in Sid.

[1] http://lists.gnutls.org/pipermail/gnutls-devel/2016-January/007861.html
[2] 
https://gitlab.com/gnutls/gnutls/commit/7d3caedb8df9d04eee9513cb5b3b417ae29927f5

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnutls-bin depends on:
ii  libc6        2.21-7
ii  libgmp10     2:6.1.0+dfsg-2
ii  libgnutls30  3.4.8-2
ii  libhogweed4  3.1.1-4
ii  libidn11     1.32-3
ii  libnettle6   3.1.1-4
ii  libopts25    1:5.18.7-3
ii  libp11-kit0  0.23.2-3
ii  libtasn1-6   4.7-3
ii  zlib1g       1:1.2.8.dfsg-2+b1

gnutls-bin recommends no packages.

gnutls-bin suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: gnutls28
Source-Version: 3.4.8-3

We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 31 Jan 2016 17:28:05 +0100
Source: gnutls28
Binary: libgnutls28-dev libgnutls30 gnutls-bin gnutls-doc guile-gnutls 
libgnutlsxx28 libgnutls-openssl27
Architecture: all source
Version: 3.4.8-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 813243
Description: 
 gnutls-bin - GNU TLS library - commandline utilities
 gnutls-doc - GNU TLS library - documentation and examples
 guile-gnutls - GNU TLS library - GNU Guile bindings
 libgnutls28-dev - GNU TLS library - development files
 libgnutls30 - GNU TLS library - main runtime library
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutlsxx28 - GNU TLS library - C++ runtime library
Changes:
 gnutls28 (3.4.8-3) unstable; urgency=medium
 .
   * Pull 35_Revert-Fix-out-of-bounds-read-in-gnutls_x509_ext_exp.patch and
     36_Revert-tests-updated-to-account-for-cert-generation.patch
     from upstream GIT. Closes: #813243
Checksums-Sha1: 
 4aa74f17ad2402ff59e11d1732fc5efca6b8948e 2893 gnutls28_3.4.8-3.dsc
 f223bd2b75878342eb4aeaf48c682159c6373e2c 92280 gnutls28_3.4.8-3.debian.tar.xz
 563f1943f85d94766468b0349bc73927c3be526f 3925242 gnutls-doc_3.4.8-3_all.deb
Checksums-Sha256: 
 fbac294bfd9fa00671b64401153a29fdb794236ec33d9a4b4a05acd848acf524 2893 
gnutls28_3.4.8-3.dsc
 6d6eeaf7d41f909a49962f5984576fb0f7c309632785003bcce9327ed6caef03 92280 
gnutls28_3.4.8-3.debian.tar.xz
 0cb662d36fd8744272c8eb06d0ff39ef53b35b768a99d18c8a1da751c621c98b 3925242 
gnutls-doc_3.4.8-3_all.deb
Files: 
 94c62a3774f622abe6b1f4586a286f99 2893 libs optional gnutls28_3.4.8-3.dsc
 308e8de21d96f8bcab8e6cb1f50e66bf 92280 libs optional 
gnutls28_3.4.8-3.debian.tar.xz
 e31bd003098006b795c4041e8efb419d 3925242 doc optional 
gnutls-doc_3.4.8-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWrjknAAoJEKVPAYVDghSEeecP/iP5cxYlWwoa4HvFBk7NHpZA
Nd1o8HXw8UNX/zvPkwqmAOGq/UYTiJz0WY3lmghJ9rWIVZ52tyMA4Mrp3GBiHmbf
kWKxpg8ZdlS3TUrg7tqWUh/IFPncTP7qDcqwmcRPK+kGau2cDzVSfbaDDwifUGij
5iLu2iwZIHQQqokWvnZV3WEx2ubgQ5RfDH4VK//Rzs4ZiMCnqLOVIJ/LkWgxKVTT
BVPPDsB/KXPVy2MLyN4Ui2c357CNGMY12fX/rbpp+K55s73pBU7uGdO+TjESAu7i
urt+I/zxudrpmPGB6DU8ve7QZi4fjZotb/hRwYFyZg/uhrpowUjLmUjtlq6bwst8
Ykn9HFPOzFPf+GqC/Eff6De9ErM2wEifmhHZSblfVcr7ay+kckd/hKErtVK1Mjta
aPZIY7caIk6jRePsbROeOfTauPztbk/tXXr7PcCVwOAMO7LYbW5ByBgDxJMeEbc+
QJz6EZc9i2WgqSK/fW+oGbXpOwS+w4G0BQM/aEOTDzylFjb9Ocdm+jm6k/oWgkii
UkTI5MKfRF3fKWp3p5CUNEyUIMvZPEHw/ERQiqoj17fyWBLbjwT5BR0H7iNXCONU
J7zIZeCg6ArThP71kqGhBQ5LYVj9u9S/NHR9sVDlBumoQ09vxcHgpaxkX5e30qUX
G+rexslhqGEOOvxZi69p
=f4os
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to