Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Dear SRMs,

I would like to update ganeti in Stretch to resolve #895599, whereby ganeti fails to "export" (aka dump) VMs because of an SSL verification error. The bug is fixed by cherry-picking an upstream commit, already included in 2.16 which is in unstable.

Full source debdiff attached.

Regards,
Apollon
diff -Nru ganeti-2.15.2/debian/changelog ganeti-2.15.2/debian/changelog --- ganeti-2.15.2/debian/changelog 2017-10-03 17:31:05.000000000 +0300 +++ ganeti-2.15.2/debian/changelog 2018-06-11 17:42:10.000000000 +0300 @@ -1,3 +1,9 @@ +ganeti (2.15.2-7+deb9u2) stretch; urgency=medium + + * Properly verify SSL certificates during VM export (Closes: #895599) + + -- Apollon Oikonomopoulos <apoi...@debian.org> Mon, 11 Jun 2018 17:42:10 +0300 + ganeti (2.15.2-7+deb9u1) stretch; urgency=medium * Depend on lsb-base (>= 3.0.6) for init-functions. diff -Nru ganeti-2.15.2/debian/patches/impexpd-fix-certificate-verification-with-new-socat.patch ganeti-2.15.2/debian/patches/impexpd-fix-certificate-verification-with-new-socat.patch --- ganeti-2.15.2/debian/patches/impexpd-fix-certificate-verification-with-new-socat.patch 1970-01-01 02:00:00.000000000 +0200 +++ ganeti-2.15.2/debian/patches/impexpd-fix-certificate-verification-with-new-socat.patch 2018-06-11 17:42:10.000000000 +0300 
@@ -0,0 +1,55 @@ +From 7bb03511f6b13f83cc7cbc5fe6a30bd46105b0bd Mon Sep 17 00:00:00 2001 +From: Apollon Oikonomopoulos <apoi...@debian.org> +Date: Wed, 20 Dec 2017 12:57:12 +0200 +Subject: [PATCH] impexpd: fix certificate verification with new socat versions + +Socat versions after 1.7.3 verify the server certificate's subject +against either the hostname, or the openssl-commonname option. Since +ganeti uses 'ganeti.example.com' for all self-signed certs, certificate +verification will fail, as socat will be told to connect to the node +using its proper name. + +Fix this by passing the openssl-commonname option. Since this option is +only available on newer socat versions and older socat versions will +break when passed the unknown option, we need to parse `socat -V` output +to check if we need to specify the option or not. + +This fixes #1226. + +Signed-off-by: Apollon Oikonomopoulos <apoi...@debian.org> +--- + lib/impexpd/__init__.py | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/lib/impexpd/__init__.py b/lib/impexpd/__init__.py +index 97a9716cc..850bdb987 100644 +--- a/lib/impexpd/__init__.py ++++ b/lib/impexpd/__init__.py +@@ -197,6 +197,24 @@ class CommandBuilder(object): + "intervall=1", + ] + common_addr_opts + ++ # For socat versions >= 1.7.3, we need to also specify ++ # openssl-commonname, otherwise server certificate verification will ++ # fail. ++ socat = utils.RunCmd([SOCAT_PATH, "-V"]) ++ # No need to check for errors here. If -V is not there, socat is really ++ # old. Any other failure will be handled when running the actual socat ++ # command. 
++ for line in socat.output.splitlines(): ++ match = re.match(r"socat version ((\d+\.)*(\d+))", line) ++ if match: ++ try: ++ version = tuple(int(x) for x in m.group(1).split('.')) ++ if version >= (1, 7, 3): ++ addr2 += ["openssl-commonname=%s" % constants.X509_CERT_CN] ++ except TypeError: ++ pass ++ break ++ + else: + raise errors.GenericError("Invalid mode '%s'" % self._mode) + +-- +2.17.1 + diff -Nru ganeti-2.15.2/debian/patches/series ganeti-2.15.2/debian/patches/series --- ganeti-2.15.2/debian/patches/series 2017-10-03 14:09:55.000000000 +0300 +++ ganeti-2.15.2/debian/patches/series 2018-06-11 17:42:10.000000000 +0300 @@ -16,3 +16,4 @@ use-hv-class-to-check-for-migration.patch do-not-specify-socat-ssl-method.patch fix-failover-from-dead-node.patch +impexpd-fix-certificate-verification-with-new-socat.patch
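Review bot: In the embedded lib/impexpd/__init__.py hunk, the version parsing line references `m`, which is not defined anywhere in the hunk, while the regex result is bound to `match` on the line above (`match = re.match(r"socat version ((\d+\.)*(\d+))", line)`). As written, `m.group(1)` raises NameError on the first matching `socat -V` line, and the surrounding `except TypeError:` does not catch it, so the export command build would fail on every socat version that prints a version string, which is the exact case the patch is meant to handle. The fix is to use `match.group(1)` there; while at it, note that `except TypeError` guards nothing useful, since the regex only admits digits and dots so `int(x)` cannot raise, and dropping or narrowing the try/except would make the intent clearer. The hunk also relies on `re` being imported in this module and on `constants.X509_CERT_CN` existing, neither of which is visible in the diff, so the uploader should confirm both against the 2.15.2 source before building.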