Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hi RMs,

There are two SSL related bugs in fetchmail that affect Buster. The first cause is that otherwise working SSL connections fail sometimes [1]. The fix is in 6.4.0~rc1 and in Bullseye since Aug, 2019. The second is removing a forced OpenSSL version check that breaks fetchmail. Fixed for Bullseye since November, 2020 [2]. Proposed patch is attached.

Thanks for consideration,
Laszlo/GCS

[1] https://gitlab.com/fetchmail/fetchmail/-/commit/080d4632298636a9a1b21c3419c059b95fb3cd37.patch
[2] https://packages.qa.debian.org/f/fetchmail/news/20201119T192017Z.html

diff -Nru fetchmail-6.4.0~beta4/debian/changelog fetchmail-6.4.0~beta4/debian/changelog --- fetchmail-6.4.0~beta4/debian/changelog 2019-02-06 17:33:00.000000000 +0100 +++ fetchmail-6.4.0~beta4/debian/changelog 2021-01-31 11:13:50.000000000 +0100 @@ -1,3 +1,11 @@ +fetchmail (6.4.0~beta4-3+deb10u1) buster; urgency=medium + + * Backport fix to no longer reports System error during SSL_connect(): + Success (closes: #928916). + * Remove forced OpenSSL version check (closes: #980766). + + -- Laszlo Boszormenyi (GCS) <g...@debian.org> Sun, 31 Jan 2021 11:13:50 +0100 + fetchmail (6.4.0~beta4-3) unstable; urgency=medium * Backport fix potential SIGSEGV in pop3_delete (closes: #921450). diff -Nru fetchmail-6.4.0~beta4/debian/patches/07_fix_System_error_during_SSL_connect_Success.patch fetchmail-6.4.0~beta4/debian/patches/07_fix_System_error_during_SSL_connect_Success.patch --- fetchmail-6.4.0~beta4/debian/patches/07_fix_System_error_during_SSL_connect_Success.patch 1970-01-01 01:00:00.000000000 +0100 +++ fetchmail-6.4.0~beta4/debian/patches/07_fix_System_error_during_SSL_connect_Success.patch 2021-01-31 11:13:50.000000000 +0100 
@@ -0,0 +1,55 @@ +From 080d4632298636a9a1b21c3419c059b95fb3cd37 Mon Sep 17 00:00:00 2001 +From: Matthias Andree <matthias.and...@gmx.de> +Date: Mon, 5 Aug 2019 23:11:43 +0200 +Subject: [PATCH] fetchmail no longer reports System error during + SSL_connect(): Success. + +Fixes Debian Bug#928916, reported by Paul Kimoto. +--- + NEWS | 2 + + driver.c | 2 +- + po/de.po | 231 ++++++++++++++++++++++++++++--------------------------- + socket.c | 9 ++- + 4 files changed, 127 insertions(+), 117 deletions(-) + +diff --git a/driver.c b/driver.c +index 74e1b28a..3e382d3a 100644 +--- a/driver.c ++++ b/driver.c +@@ -1107,7 +1107,7 @@ static int do_session( + &ctl->remotename) == -1) + { + set_timeout(0); +- report(stderr, GT_("SSL connection failed.\n")); ++ report(stderr, "%s: %s", ctl->sslcommonname ? ctl->sslcommonname : realhost, GT_("SSL connection failed.\n")); + err = PS_SOCKET; + goto cleanUp; + } +diff --git a/socket.c b/socket.c +index b3eaaecc..cb93b60e 100644 +--- a/socket.c ++++ b/socket.c +@@ -1225,14 +1225,17 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck + if (SSL_set_fd(_ssl_context[sock], sock) == 0 + || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) { + int e = errno; +- unsigned long ssle_err_from_queue = ERR_peek_error(); + unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect); ++ unsigned long ssle_err_from_queue = ERR_peek_error(); + ERR_print_errors_fp(stderr); + if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) { + if (0 == ssle_connect) { +- report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n")); ++ /* FIXME: the next line was hacked in 6.4.0-rc1 so the translation strings don't change. ++ * The %s could be merged to the inside of GT_(). 
*/ ++ report(stderr, "%s: %s", servercname, GT_("Server shut down connection prematurely during SSL_connect().\n")); + } else if (ssle_connect < 0) { +- report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e)); ++ report(stderr, "%s: ", servercname); ++ report(stderr, GT_("System error during SSL_connect(): %s\n"), e ? strerror(e) : GT_("handshake failed at protocol or connection level.")); + } + } + SSL_free( _ssl_context[sock] ); +-- +GitLab + diff -Nru fetchmail-6.4.0~beta4/debian/patches/08_remove_forced_OpenSSL_check.patch fetchmail-6.4.0~beta4/debian/patches/08_remove_forced_OpenSSL_check.patch --- fetchmail-6.4.0~beta4/debian/patches/08_remove_forced_OpenSSL_check.patch 1970-01-01 01:00:00.000000000 +0100 +++ fetchmail-6.4.0~beta4/debian/patches/08_remove_forced_OpenSSL_check.patch 2021-01-31 11:13:50.000000000 +0100 
@@ -0,0 +1,26 @@ +Description: Remove forced OpenSSL version check + Not needed, linker should take care of proper library loading. +Author: Laszlo Boszormenyi (GCS) <g...@debian.org> +Bug-Debian: https://bugs.debian.org/973472 +Forwarded: no +Last-Update: 2020-11-19 + +--- + +--- fetchmail-6.4.13.orig/socket.c ++++ fetchmail-6.4.13/socket.c +@@ -1065,12 +1065,12 @@ int SSLOpen(int sock, char *mycert, char + #else + ver = OpenSSL_version_num(); + #endif +- ++/* + if (ver < OPENSSL_VERSION_NUMBER) { + report(stderr, GT_("Loaded OpenSSL library %#lx older than headers %#lx, refusing to work.\n"), (long)ver, (long)(OPENSSL_VERSION_NUMBER)); + return -1; + } +- ++*/ + if (ver > OPENSSL_VERSION_NUMBER && outlevel >= O_VERBOSE) { + report(stdout, GT_("Loaded OpenSSL library %#lx newer than headers %#lx, trying to continue.\n"), (long)ver, (long)(OPENSSL_VERSION_NUMBER)); + } diff -Nru fetchmail-6.4.0~beta4/debian/patches/series fetchmail-6.4.0~beta4/debian/patches/series --- fetchmail-6.4.0~beta4/debian/patches/series 2019-02-06 17:33:00.000000000 +0100 +++ fetchmail-6.4.0~beta4/debian/patches/series 2021-01-31 11:13:50.000000000 +0100 @@ -4,3 +4,5 @@ 04_invoke-rc.d.diff 05_Fix_potential_SIGSEGV_in_pop3_delete.patch 06_Enable_OpenSSL_native_name_verification.patch +07_fix_System_error_during_SSL_connect_Success.patch +08_remove_forced_OpenSSL_check.patch
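
Review bot: in the debian/changelog hunk, the second entry closes #980766, while the DEP-3 header of 08_remove_forced_OpenSSL_check.patch gives "Bug-Debian: https://bugs.debian.org/973472". If both bugs describe the same failure, reference the Buster bug in the patch header as well (or both numbers in both places) so the trail from upload to patch is unambiguous. The first entry also reads "Backport fix to no longer reports"; "report" is meant.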
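
Review bot: in the socket.c hunk of 07_fix_System_error_during_SSL_connect_Success.patch, "int e = errno;" is read after SSL_set_fd()/SSL_connect(), but nothing visible in the hunk clears errno before those calls, so the new "e ? strerror(e) : ..." fallback only triggers when errno happened to be 0 on entry; a stale value left by an earlier call would still be printed as the system error. Consider setting errno = 0 immediately before the if. The "ssle_connect < 0" branch also emits the servercname prefix through its own report() call, whereas the "0 == ssle_connect" branch uses a single call; folding the "%s: " prefix into one call would keep the message together regardless of how report() treats each invocation. The embedded upstream header still lists NEWS and po/de.po in its diffstat (4 files changed) although only the driver.c and socket.c hunks are carried; a line in the patch header saying it was trimmed for the backport would help the next reader.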
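
Review bot: in 08_remove_forced_OpenSSL_check.patch, wrapping the "ver < OPENSSL_VERSION_NUMBER" branch in /* */ leaves the case of a runtime library older than the build headers with no diagnostic at all, while the newer-than-headers case still logs at O_VERBOSE. The description relies on the linker, but the dynamic linker matches on SONAME and symbols, not on the version number this check compared, so consider keeping the report() as a non-fatal warning (at least at O_VERBOSE) and deleting only the "return -1;" rather than commenting the block out. The paths are fetchmail-6.4.13.orig/socket.c with offsets at @@ -1065, so the patch should be refreshed against the 6.4.0~beta4 tree to apply without fuzz.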