Control: tags 1009096 + patch
Control: tags 1009096 + pending

Dear maintainer,

I've prepared an NMU for mosquitto (versioned as 2.0.11-1.1) and
uploaded it to DELAYED/1. Please feel free to tell me if I
should delay it longer.

Cheers
-- 
Sebastian Ramacher
diff -Nru mosquitto-2.0.11/debian/changelog mosquitto-2.0.11/debian/changelog
--- mosquitto-2.0.11/debian/changelog	2021-06-09 14:54:36.000000000 +0200
+++ mosquitto-2.0.11/debian/changelog	2022-04-16 17:17:54.000000000 +0200
@@ -1,3 +1,13 @@
+mosquitto (2.0.11-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload
+
+  [ Olivier Gayot ]
+  * Fix autopkgtest failure when running against Python 3.10 (Closes:
+    #1009096) (LP: #1960214)
+
+ -- Sebastian Ramacher <sramac...@debian.org>  Sat, 16 Apr 2022 17:17:54 +0200
+
 mosquitto (2.0.11-1) unstable; urgency=medium
 
   * SECURITY UPDATE: In Eclipse Mosquitto 1.6 to 2.0.10, if an authenticated
diff -Nru mosquitto-2.0.11/debian/patches/series mosquitto-2.0.11/debian/patches/series
--- mosquitto-2.0.11/debian/patches/series	2021-06-09 14:54:36.000000000 +0200
+++ mosquitto-2.0.11/debian/patches/series	2022-04-16 17:17:09.000000000 +0200
@@ -2,3 +2,4 @@
 1571.patch
 deb-test.patch
 missing-test.patch
+ssl-sslcontext-wrap_socket.patch
diff -Nru mosquitto-2.0.11/debian/patches/ssl-sslcontext-wrap_socket.patch mosquitto-2.0.11/debian/patches/ssl-sslcontext-wrap_socket.patch
--- mosquitto-2.0.11/debian/patches/ssl-sslcontext-wrap_socket.patch	1970-01-01 01:00:00.000000000 +0100
+++ mosquitto-2.0.11/debian/patches/ssl-sslcontext-wrap_socket.patch	2022-04-16 17:17:09.000000000 +0200
@@ -0,0 +1,217 @@
+Description: Replace uses of ssl.wrap_socket by ssl.SSLContext.wrap_socket
+ The function ssl.wrap_socket() is deprecated starting Python 3.7 because it
+ does not support hostname matching (which is considered insecure). In Python
+ 3.10, the function now throws warnings at runtime, which makes autopkgtest
+ fail.
+ 
+ The function ssl.SSLContext.wrap_socket comes in as the replacement and
+ has support for SNI and hostname matching.
+ 
+ Replaced all uses of ssl.wrap_socket() by equivalent using
+ ssl.SSLContext.wrap_socket().
+
+Author: Olivier Gayot <olivier.ga...@canonical.com>
+Bug-Ubuntu: https://launchpad.net/bugs/1960214
+Forwarded: https://github.com/eclipse/mosquitto/pull/2451
+Last-Update: 2022-02-07
+
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-bridge.py
++++ mosquitto-2.0.11/test/broker/08-ssl-bridge.py
+@@ -34,7 +34,9 @@ publish_packet = mosq_test.gen_publish("
+ 
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt", keyfile="../ssl/server.key", certfile="../ssl/server.crt", server_side=True)
++context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
++context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
++ssock = context.wrap_socket(sock, server_side=True)
+ ssock.settimeout(20)
+ ssock.bind(('', port1))
+ ssock.listen(5)
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-connect-cert-auth-crl.py
++++ mosquitto-2.0.11/test/broker/08-ssl-connect-cert-auth-crl.py
+@@ -31,7 +31,9 @@ broker = mosq_test.start_broker(filename
+ 
+ try:
+     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
++    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
++    context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
++    ssock = context.wrap_socket(sock, server_hostname="localhost")
+     ssock.settimeout(20)
+     ssock.connect(("localhost", port1))
+ 
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-connect-cert-auth-expired.py
++++ mosquitto-2.0.11/test/broker/08-ssl-connect-cert-auth-expired.py
+@@ -31,7 +31,9 @@ broker = mosq_test.start_broker(filename
+ 
+ try:
+     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client-expired.crt", keyfile="../ssl/client-expired.key", cert_reqs=ssl.CERT_REQUIRED)
++    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
++    context.load_cert_chain(certfile="../ssl/client-expired.crt", keyfile="../ssl/client-expired.key")
++    ssock = context.wrap_socket(sock, server_hostname="localhost")
+     ssock.settimeout(20)
+     try:
+         ssock.connect(("localhost", port1))
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-connect-cert-auth-revoked.py
++++ mosquitto-2.0.11/test/broker/08-ssl-connect-cert-auth-revoked.py
+@@ -30,7 +30,9 @@ broker = mosq_test.start_broker(filename
+ 
+ try:
+     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client-revoked.crt", keyfile="../ssl/client-revoked.key", cert_reqs=ssl.CERT_REQUIRED)
++    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
++    context.load_cert_chain(certfile="../ssl/client-revoked.crt", keyfile="../ssl/client-revoked.key")
++    ssock = context.wrap_socket(sock, server_hostname="localhost")
+     ssock.settimeout(20)
+     try:
+         ssock.connect(("localhost", port1))
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-connect-cert-auth-without.py
++++ mosquitto-2.0.11/test/broker/08-ssl-connect-cert-auth-without.py
+@@ -28,7 +28,8 @@ connect_packet = mosq_test.gen_connect("
+ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2, use_conf=True)
+ 
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
++context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
++ssock = context.wrap_socket(sock, server_hostname="localhost")
+ ssock.settimeout(20)
+ try:
+     ssock.connect(("localhost", port1))
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-connect-cert-auth.py
++++ mosquitto-2.0.11/test/broker/08-ssl-connect-cert-auth.py
+@@ -32,7 +32,9 @@ broker = mosq_test.start_broker(filename
+ 
+ try:
+     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
++    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
++    context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
++    ssock = context.wrap_socket(sock, server_hostname="localhost")
+     ssock.settimeout(20)
+     ssock.connect(("localhost", port1))
+ 
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-connect-identity.py
++++ mosquitto-2.0.11/test/broker/08-ssl-connect-identity.py
+@@ -33,7 +33,9 @@ broker = mosq_test.start_broker(filename
+ 
+ try:
+     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
++    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
++    context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
++    ssock = context.wrap_socket(sock, server_hostname="localhost")
+     ssock.settimeout(20)
+     ssock.connect(("localhost", port1))
+ 
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-connect-no-auth-wrong-ca.py
++++ mosquitto-2.0.11/test/broker/08-ssl-connect-no-auth-wrong-ca.py
+@@ -29,7 +29,8 @@ connack_packet = mosq_test.gen_connack(r
+ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2, use_conf=True)
+ 
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-alt-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
++context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-alt-ca.crt")
++ssock = context.wrap_socket(sock, server_hostname="localhost")
+ ssock.settimeout(20)
+ try:
+     ssock.connect(("localhost", port1))
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-connect-no-auth.py
++++ mosquitto-2.0.11/test/broker/08-ssl-connect-no-auth.py
+@@ -32,7 +32,8 @@ broker = mosq_test.start_broker(filename
+ 
+ try:
+     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
++    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
++    ssock = context.wrap_socket(sock, server_hostname="localhost")
+     ssock.settimeout(20)
+     ssock.connect(("localhost", port1))
+ 
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-connect-no-identity.py
++++ mosquitto-2.0.11/test/broker/08-ssl-connect-no-identity.py
+@@ -32,7 +32,8 @@ broker = mosq_test.start_broker(filename
+ 
+ try:
+     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
++    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
++    ssock = context.wrap_socket(sock, server_hostname="localhost")
+     ssock.settimeout(20)
+     ssock.connect(("localhost", port1))
+     
+--- mosquitto-2.0.11.orig/test/broker/08-ssl-hup-disconnect.py
++++ mosquitto-2.0.11/test/broker/08-ssl-hup-disconnect.py
+@@ -43,7 +43,9 @@ def do_test(option):
+ 
+     try:
+         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+-        ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
++        context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
++        context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
++        ssock = context.wrap_socket(sock, server_hostname="localhost")
+         ssock.settimeout(20)
+         ssock.connect(("localhost", port))
+         mosq_test.do_send_receive(ssock, connect_packet, connack_packet, "connack")
+--- mosquitto-2.0.11.orig/test/lib/08-ssl-connect-cert-auth-enc.py
++++ mosquitto-2.0.11/test/lib/08-ssl-connect-cert-auth-enc.py
+@@ -26,9 +26,10 @@ disconnect_packet = mosq_test.gen_discon
+ 
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt",
+-        keyfile="../ssl/server.key", certfile="../ssl/server.crt",
+-        server_side=True, cert_reqs=ssl.CERT_REQUIRED)
++context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
++context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
++context.verify_mode = ssl.CERT_REQUIRED
++ssock = context.wrap_socket(sock, server_side=True)
+ ssock.settimeout(10)
+ ssock.bind(('', port))
+ ssock.listen(5)
+--- mosquitto-2.0.11.orig/test/lib/08-ssl-connect-cert-auth.py
++++ mosquitto-2.0.11/test/lib/08-ssl-connect-cert-auth.py
+@@ -26,9 +26,10 @@ disconnect_packet = mosq_test.gen_discon
+ 
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt",
+-        keyfile="../ssl/server.key", certfile="../ssl/server.crt",
+-        server_side=True, cert_reqs=ssl.CERT_REQUIRED)
++context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
++context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
++context.verify_mode = ssl.CERT_REQUIRED
++ssock = context.wrap_socket(sock, server_side=True)
+ ssock.settimeout(10)
+ ssock.bind(('', port))
+ ssock.listen(5)
+--- mosquitto-2.0.11.orig/test/lib/08-ssl-connect-no-auth.py
++++ mosquitto-2.0.11/test/lib/08-ssl-connect-no-auth.py
+@@ -25,7 +25,9 @@ disconnect_packet = mosq_test.gen_discon
+ 
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt", keyfile="../ssl/server.key", certfile="../ssl/server.crt", server_side=True)
++context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
++context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
++ssock = context.wrap_socket(sock, server_side=True)
+ ssock.settimeout(10)
+ ssock.bind(('', port))
+ ssock.listen(5)
+--- mosquitto-2.0.11.orig/test/lib/08-ssl-fake-cacert.py
++++ mosquitto-2.0.11/test/lib/08-ssl-fake-cacert.py
+@@ -10,9 +10,10 @@ if sys.version < '2.7':
+ 
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt",
+-        keyfile="../ssl/server.key", certfile="../ssl/server.crt",
+-        server_side=True, cert_reqs=ssl.CERT_REQUIRED)
++context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
++context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
++context.verfiy_mode = ssl.CERT_REQUIRED)
++ssock = context.wrap_socket(sock, server_side=True)
+ ssock.settimeout(10)
+ ssock.bind(('', port))
+ ssock.listen(5)
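Review bot: In the 08-ssl-fake-cacert.py section the added line `context.verfiy_mode = ssl.CERT_REQUIRED)` has an unmatched closing parenthesis and misspells the attribute, so the script will not parse; it should read `context.verify_mode = ssl.CERT_REQUIRED`, as in the two test/lib cert-auth scripts earlier in the patch. Removing only the parenthesis would not be enough, because an assignment to a misspelled attribute would most likely be accepted silently and leave the test server not requiring a client certificate. Separately, the 08-ssl-connect-cert-auth-without.py section drops the CA file the old call passed, so the client would verify the broker against the system trust store rather than the test root; `context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")` keeps the original trust anchor. All client-side contexts now also check the hostname by default, which the old calls did not, so it is worth confirming that the test server certificates are valid for `localhost`.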
