Bug#607963: cdebconf-entropy: general FTBS, missing aclocal?

2010-12-25 Thread Sebastian Andrzej Siewior
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: cdebconf-entropy
Severity: serious
Version: 0.19
Tags: d-i

Your package FTBFS on all architectures[0]. Here is a snippet from i386[1]:
|dh build
|   dh_testdir
|   debian/rules override_dh_auto_configure
|make[1]: Entering directory `/build/buildd-cdebconf-entropy_0.19-i386-bJbZ5I/cdebconf-entropy-0.19'
|[ -e configure ] || ./autogen.sh
|autoreconf: Entering directory `.'
|autoreconf: configure.ac: not using Gettext
|autoreconf: running: aclocal  --output=aclocal.m4t
|Can't exec "aclocal": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 326.
|autoreconf: failed to run aclocal: No such file or directory
|rm: cannot remove `autom4te.cache': No such file or directory
|make[1]: *** [override_dh_auto_configure] Error 1
|make[1]: Leaving directory `/build/buildd-cdebconf-entropy_0.19-i386-bJbZ5I/cdebconf-entropy-0.19'
|make: *** [build] Error 2
|dpkg-buildpackage: error: debian/rules build gave error exit status 2

Sebastian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk0Vx8QACgkQ5AmpQo7KVNspTgCfd95huKrPOWlMhdQJILkXUdN9
9xMAnAmTorOXlucTjkgAEJmCDTSIAXFC
=7CEC
-----END PGP SIGNATURE-----



-- 
To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101225103028.gy2...@kibibi



Bug#607967: cdebconf-terminal: FTBFS on all architectures (missing aclocal)

2010-12-25 Thread Sebastian Andrzej Siewior
Package: src:cdebconf-terminal
Version: 0.12
Tags: d-i
Severity: serious

Your package FTBFS on almost all architectures (it built fine on
hppa)[0]. Here is a snippet from alpha[1].

|[ -e configure ] || ./autogen.sh
|autoreconf: Entering directory `.'
|autoreconf: configure.ac: not using Gettext
|autoreconf: running: aclocal  --output=aclocal.m4t
|Can't exec "aclocal": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 326.
|autoreconf: failed to run aclocal: No such file or directory
|rm: cannot remove `autom4te.cache': No such file or directory
|make[1]: *** [override_dh_auto_configure] Error 1
|make[1]: Leaving directory `/build/buildd-cdebconf-terminal_0.12-alpha-XVtGBM/cdebconf-terminal-0.12'
|make: *** [build] Error 2
|dpkg-buildpackage: error: debian/rules build gave error exit status 2

[0] https://buildd.debian.org/status/package.php?p=cdebconf-terminal
[1] https://buildd.debian.org/fetch.cgi?pkg=cdebconf-terminal&arch=alpha&ver=0.12&stamp=1293231940&file=log&as=raw

Sebastian



Archive: http://lists.debian.org/20101225112032.ga29...@chamillionaire.breakpoint.cc



Bug#895074: debian-installer: Please replace 'c_rehash' with 'openssl rehash'

2018-04-06 Thread Sebastian Andrzej Siewior
Source: debian-installer
Version: 20171204
Severity: normal
Tags: sid buster
User: pkg-openssl-de...@lists.alioth.debian.org
Usertags: c_rehash

This package is using the c_rehash command which is part of the
openssl package. The c_rehash script is considered by upstream as a
fallback script and will disappear at some point. The recommended way
is to use the "openssl rehash" command instead which appeared in
1.1.0. Please make sure that this package does not use the c_rehash
command anymore.

The "openssl rehash" command creates half as many symlinks (one per
certificate instead of two) because it uses only the newer hash.
There is also the -compat option which creates both symlinks (and
behaves like c_rehash currently does). The hash changed from md5 to
sha1 during the 0.9.8 to 1.0.0 transition so I doubt that the
"compat" mode will be required.

Should the c_rehash script be mentioned in the source code or script
of this package but is not used during the build process or in the
final package then feel free to close the bug saying so.

Sebastian 
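The rehash layout the report describes (one HASH.N symlink per certificate for `openssl rehash`, two per certificate with `-compat`, with the hash and fingerprint coming from `openssl x509 -subject_hash -fingerprint -noout` as c_rehash's link_hash_cert does), as an added Python example. It is not code from this thread, from the Debian package or from OpenSSL; the certificate names, hash values and fingerprints in SAMPLE_CERTS are constructed sample data, and only `cert_info_via_openssl` assumes an `openssl` binary in PATH.

```python
"""Added example: how c_rehash / `openssl rehash` lay out a CApath directory.

Not code from this thread, from Debian or from OpenSSL.  The per-certificate
step follows what c_rehash's link_hash_cert does: run
`openssl x509 -subject_hash -fingerprint -noout -in FILE`, take the hash from
the first output line and the fingerprint from the second, then create a
HASH.N symlink, counting N up on hash collisions and skipping a certificate
whose fingerprint is already linked under that hash.  compat=True also links
the pre-1.0.0 hash (-subject_hash_old), which is why it yields twice as many
links.  All names, hashes and fingerprints in SAMPLE_CERTS are constructed.
"""
import os
import subprocess
from dataclasses import dataclass


@dataclass
class CertInfo:
    name: str              # file name inside the CApath directory
    subject_hash: str      # `openssl x509 -subject_hash` (SHA-1 based, 1.0.0+)
    subject_hash_old: str  # `openssl x509 -subject_hash_old` (MD5 based, <1.0.0)
    fingerprint: str       # value after "SHA1 Fingerprint="


def parse_x509_output(text):
    """Parse the two lines printed by `openssl x509 -subject_hash -fingerprint -noout`:
    the hash on the first line, 'SHA1 Fingerprint=AA:BB:...' on the second."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) != 2 or "=" not in lines[1]:
        raise ValueError("unexpected openssl x509 output: %r" % text)
    int(lines[0], 16)  # the hash must be hexadecimal
    return lines[0], lines[1].split("=", 1)[1]


def cert_info_via_openssl(path):
    """Ask a real `openssl` binary (assumed to be in PATH) for both hash flavours."""
    def query(hash_flag):
        proc = subprocess.run(
            ["openssl", "x509", hash_flag, "-fingerprint", "-noout", "-in", path],
            check=True, capture_output=True, text=True)
        return parse_x509_output(proc.stdout)
    new_hash, fingerprint = query("-subject_hash")
    old_hash, _ = query("-subject_hash_old")
    return CertInfo(os.path.basename(path), new_hash, old_hash, fingerprint)


def plan_links(certs, compat=False):
    """Return (links, skipped).  links: (linkname, target) pairs in creation
    order; skipped: (hash, name) for certificates whose fingerprint is already
    linked under that hash, which c_rehash reports as duplicates and skips."""
    linked = {}  # hash -> fingerprints already linked under it
    links, skipped = [], []
    for cert in certs:
        hashes = [cert.subject_hash] + ([cert.subject_hash_old] if compat else [])
        for h in hashes:
            fingerprints = linked.setdefault(h, [])
            if cert.fingerprint in fingerprints:
                skipped.append((h, cert.name))
                continue
            links.append(("%s.%d" % (h, len(fingerprints)), cert.name))
            fingerprints.append(cert.fingerprint)
    return links, skipped


def create_links(directory, links):
    """Materialise the plan as relative symlinks, replacing stale ones."""
    for linkname, target in links:
        path = os.path.join(directory, linkname)
        if os.path.lexists(path):
            os.remove(path)
        os.symlink(target, path)


# Constructed sample: two different CAs whose subject hashes collide, plus a
# second copy of the first CA (same fingerprint) that must be skipped.
SAMPLE_CERTS = [
    CertInfo("rootA.pem", "a1b2c3d4", "deadbeef", "AA:11:22:33:44"),
    CertInfo("rootB.pem", "a1b2c3d4", "cafebabe", "BB:55:66:77:88"),
    CertInfo("rootA-copy.pem", "a1b2c3d4", "deadbeef", "AA:11:22:33:44"),
]

if __name__ == "__main__":
    for compat in (False, True):
        links, skipped = plan_links(SAMPLE_CERTS, compat=compat)
        print("compat=%s: %d links, %d skipped" % (compat, len(links), len(skipped)))
        for linkname, target in links:
            print("  %s -> %s" % (linkname, target))
```

Running the script shows two links without compat and four with it, which is the "half as many" difference the report mentions; the duplicate-fingerprint skip is what keeps a CApath from pointing two link names at the same CA.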



Re: [Pkg-openssl-devel] Bug#827951: libssl udeb inclusion in Jessie

2016-08-03 Thread Sebastian Andrzej Siewior
On 2016-06-24 10:35:43 [+0200], Yann Soubeyrand wrote:
> Le jeudi 23 juin 2016 à 23:13 +0200, jcris...@debian.org a écrit :
> > That doesn't sound suitable for a stable update, sorry.
> OK, I understand.

Closing with no change then.

Sebastian



Re: Bug#854155: unblock: openssl/1.1.0d-2

2017-02-13 Thread Sebastian Andrzej Siewior
On 2017-02-13 18:01:34 [+0100], Emilio Pozuelo Monfort wrote:
> On 04/02/17 15:20, Sebastian Andrzej Siewior wrote:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > Severity: normal
> > 
> > Please unblock package openssl. It contains a redo of the rules file
> > among other packaging related changes which did not migrate in time due
> > to the new release of the d version which fixes 3 CVE bugs. The d-2
> > version fixes a regression discovered by perl and FTBFS of openssl
> > itself if arch-any and arch-all were built in one go.
> > 
> > unblock openssl/1.1.0d-2
> 
> That includes some changes we don't like during the freeze, but given those
> were done before the freeze and I wouldn't want them reverted this early in
> the freeze, I would be happy to unblock this... but can you attach a binary
> debdiff (e.g. debdiff an old and new .changes file) to make sure things are
> still looking good?

Sure. I've built c-2 and d-2 with _all and amd64 in today's sid to get the
changes files and this is the resulting debdiff:

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-
-rw-r--r--  root/root   /usr/lib/debug/.build-id/2b/578462762f19aca2fce5f18f02136a0e040ffa.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/54/06ecde81b1cb2ef22ddd54e5dfe2e17a6484ce.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/83/ab63854f485098aabd85de0468f307bc3223e9.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/8a/753d613f23da52c564ce14f8dc406baaf34a8f.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/cd/a94b3e615e2dd7c14de4c2d600e020c765a6d3.debug
-rw-r--r--  root/root   /usr/share/doc/openssl/NEWS.Debian.gz
-rw-r--r--  root/root   /usr/share/lintian/overrides/openssl
-rw-r--r--  root/root   /usr/share/man/man3/X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/doc/libssl1.1-dbgsym -> libssl1.1
lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_callback_fn.3ssl.gz -> BIO_set_callback.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_callback_fn_ex.3ssl.gz -> BIO_set_callback.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_get_callback_ex.3ssl.gz -> BIO_set_callback.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_set_callback_ex.3ssl.gz -> BIO_set_callback.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/CRYPTO_secure_used.3ssl.gz -> OPENSSL_secure_malloc.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/DH_check_params.3ssl.gz -> DH_generate_parameters.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/ERR_FATAL_ERROR.3ssl.gz -> ERR_GET_LIB.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_PKEY_gen_cb.3ssl.gz -> EVP_PKEY_keygen.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_blake2b512.3ssl.gz -> EVP_DigestInit.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_blake2s256.3ssl.gz -> EVP_DigestInit.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_chacha20.3ssl.gz -> EVP_EncryptInit.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_chacha20_poly1305.3ssl.gz -> EVP_EncryptInit.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/GEN_SESSION_CB.3ssl.gz -> SSL_CTX_set_generate_session_id.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/PKCS7_ISSUER_AND_SERIAL_digest.3ssl.gz -> X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_COMP_get0_name.3ssl.gz -> SSL_COMP_add_compression_method.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_COMP_get_compression_methods.3ssl.gz -> SSL_COMP_add_compression_method.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_COMP_get_id.3ssl.gz -> SSL_COMP_add_compression_method.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_verify_cb.3ssl.gz -> SSL_CTX_set_verify.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_CRL_digest.3ssl.gz -> X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_NAME_digest.3ssl.gz -> X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_REQ_digest.3ssl.gz -> X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_STORE_CTX_cert_crl_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_STORE_CTX_check_crl_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_STORE_CTX_check_issued_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_STORE_CTX_check_policy_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_STORE_CTX_check_revocation_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz
lr

Re: buster-pu: package openssl/1.1.1g-1

2020-05-02 Thread Sebastian Andrzej Siewior
On 2020-05-02 20:32:01 [+0100], Adam D. Barratt wrote:
> On Sat, 2020-05-02 at 18:36 +0200, Sebastian Andrzej Siewior wrote:
> > I'm fairly late, I know.
> 
> Just a little. :-( Particularly as OpenSSL builds udebs.
> 
> CCing KiBi and -boot so they're aware of the discussion, but this does
> come quite late.

Yes, I know. I won't cry if this skips this pu, I just couldn't get to it
earlier.

> Do we have any feeling for how widespread such certificates might be?
> The fact that there have been two different upstream reports isn't
> particularly comforting.

This is correct. I don't know if there is tooling that is generating
broken certificates or just some individuals. I updated my two OpenVPN
instances and I saw clients connecting again.

> Regards,
> 
> Adam

Sebastian



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-03-22 Thread Sebastian Andrzej Siewior
On 2021-02-24 23:23:07 [+0100], To Kurt Roeckx wrote:
> On 2021-02-10 21:52:46 [+0100], To Kurt Roeckx wrote:
> > OpenSSL upstream announced [0] 1.1.1j for next Tuesday with a security
> > fix classified as MODERATE [1].

So this happened. OpenSSL upstream announced [0] 1.1.1k for next
Thursday (25th).

I will prepare 1.1.1k for unstable, do buster-security based on
1.1.1d-0+deb10u5 and then come back with an updated pu :)

[0] https://mta.openssl.org/pipermail/openssl-announce/2021-March/000196.html
 
Sebastian



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-03-22 Thread Sebastian Andrzej Siewior
Resending because I managed to accidentally clear TO:

On 2021-03-22 19:48:31 [+0100], Cc 959...@bugs.debian.org wrote:
> On 2021-02-24 23:23:07 [+0100], To Kurt Roeckx wrote:
> > On 2021-02-10 21:52:46 [+0100], To Kurt Roeckx wrote:
> > > OpenSSL upstream announced [0] 1.1.1j for next Tuesday with a security
> > > fix classified as MODERATE [1].
> 
> So this happened. OpenSSL upstream announced [0] 1.1.1k for next
> Thursday (25th).
> 
> I will prepare 1.1.1k for unstable, do buster-security based on
> 1.1.1d-0+deb10u5 and then come back with an updated pu :)
> 
> [0] https://mta.openssl.org/pipermail/openssl-announce/2021-March/000196.html
>  
Sebastian



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-03-28 Thread Sebastian Andrzej Siewior
rameters */
 ret = check_curve(x);
-if (ret < 0)
+if (ret < 0) {
 ctx->error = X509_V_ERR_UNSPECIFIED;
-else if (ret == 0)
+ret = 0;
+} else if (ret == 0) {
 ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
 }
-if ((x->ex_flags & EXFLAG_CA) == 0
+}
+if (ret > 0
+&& (x->ex_flags & EXFLAG_CA) == 0
 && x->ex_pathlen != -1
 && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
 ctx->error = X509_V_ERR_INVALID_EXTENSION;
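Review bot: the added `ret = 0;` inside the `if (ret < 0) {` branch deserves a one-line comment, because it is what makes the new `if (ret > 0 && (x->ex_flags & EXFLAG_CA) == 0` guard skip the X509_V_FLAG_X509_STRICT extension check after check_curve() has failed; before this change that check ran unconditionally and could overwrite the X509_V_ERR_UNSPECIFIED or X509_V_ERR_EC_KEY_EXPLICIT_PARAMS just stored in `ctx->error` with X509_V_ERR_INVALID_EXTENSION. This excerpt starts mid-hunk, so the enclosing `if` that the added `+}` closes and whatever consumes `ret` afterwards are not visible here and should be checked against the full upstream patch before accepting.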
diff --git a/debian/changelog b/debian/changelog
index 45bfdb99fe8d9..9d1b9d6590ab9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,16 @@
-openssl (1.1.1j-0+deb10u1) buster; urgency=medium
+openssl (1.1.1k-0+deb10u1) buster; urgency=medium
 
   * New upstream version
+    - CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
   * Update symbol list.
 
- -- Sebastian Andrzej Siewior   Tue, 23 Feb 2021 23:13:13 +0100
+ -- Sebastian Andrzej Siewior   Fri, 26 Mar 2021 21:49:22 +0100
+
+openssl (1.1.1d-0+deb10u6) buster-security; urgency=medium
+
+  * CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
+
+ -- Sebastian Andrzej Siewior   Tue, 23 Mar 2021 00:08:47 +0100
 
 openssl (1.1.1d-0+deb10u5) buster-security; urgency=medium
 
diff --git a/debian/patches/c_rehash-compat.patch b/debian/patches/c_rehash-compat.patch
index 1ed5050f07d22..5606691bb9f9f 100644
--- a/debian/patches/c_rehash-compat.patch
+++ b/debian/patches/c_rehash-compat.patch
@@ -7,7 +7,7 @@ Subject: [PATCH] also create old hash for compatibility
  1 file changed, 14 insertions(+), 6 deletions(-)
 
 diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index 421fd892086f..5ad1ab1d655f 100644
+index fa7c6c9fef91..a7e538a72d7d 100644
 --- a/tools/c_rehash.in
 +++ b/tools/c_rehash.in
 @@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}) -};
@@ -46,7 +46,7 @@ index 421fd892086f..5ad1ab1d655f 100644
  sub link_hash_cert {
  		my $fname = $_[0];
 +		my $x509hash = $_[1] || '-subject_hash';
- 		$fname =~ s/'/'\\''/g;
+ 		$fname =~ s/\"/\\\"/g;
  		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
  		chomp $hash;
 @@ -198,10 +196,20 @@ sub link_hash_cert {
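Review bot: the refreshed context pair `- $fname =~ s/'/'\\''/g;` / `+ $fname =~ s/\"/\\\"/g;` shows that upstream's tools/c_rehash.in changed how `$fname` is escaped between the two versions this patch was rebased across (both lines are patch context, so the change is upstream's, not Debian's). Since the next context line interpolates `"$fname"` inside double quotes in a backtick command, escaping double quotes is the escaping that matters there, and the Debian-added `my $x509hash = $_[1] || '-subject_hash';` default still feeds that same command line; a sentence in the changelog noting the upstream quoting change would help anyone later auditing how file names reach the shell from this script.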
diff --git a/debian/patches/man-section.patch b/debian/patches/man-section.patch
index 982e16a14a2a2..002015b628ab1 100644
--- a/debian/patches/man-section.patch
+++ b/debian/patches/man-section.patch
@@ -8,7 +8,7 @@ Subject: man-section
  2 files changed, 6 insertions(+), 3 deletions(-)
 
 diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 3a24d551359b..d0c90cb2546c 100644
+index 41648c952667..e013d464bd73 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
 @@ -281,7 +281,8 @@ HTMLDIR=$(DOCDIR)/html
diff --git a/fuzz/x509.c b/fuzz/x509.c
index 1a20ca21db543..ceaec0797b438 100644
--- a/fuzz/x509.c
+++ b/fuzz/x509.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL licenses, (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index cd5c23217a51b..0cd6b2f948585 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010afL
-# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1j  16 Feb 2021"
+# define OPENSSL_VERSION_NUMBER  0x101010bfL
+# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1k  25 Mar 2021"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 4511b52c9afcb..b256a4b93503e 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -4629,6 +4629,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
 
 OPENSSL

Re: Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-02-19 Thread Sebastian Andrzej Siewior
On 2022-02-19 17:04:16 [+], Adam D. Barratt wrote:
> Control: tags -1 + confirmed d-i
…
> Thanks. Assuming the above is still accurate, then this looks good to
> me.
> 
> As the package builds a udeb, it will need a d-i ack; tagging and CCing
> accordingly.

I'm confused. May I upload or do I wait for the d-i ack?

> Regards,
> 
> Adam

Sebastian



Re: Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-02-24 Thread Sebastian Andrzej Siewior
On 2022-02-19 17:57:25 [+], Adam D. Barratt wrote:
> 
> Feel free to upload; we'll wait for the d-i ack before accepting the
> package into p-u.

Okay. The Bullseye package has been uploaded.

> Regards,
> 
> Adam

Sebastian



Re: Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-03-08 Thread Sebastian Andrzej Siewior
On 2022-02-19 17:57:25 [+], Adam D. Barratt wrote:
> Feel free to upload; we'll wait for the d-i ack before accepting the
> package into p-u.

There will be the release of 1.1.1n on Tuesday 15th March 2022 including
a security fix. Therefore I will:
- prepare a security release against 1.1.1k-1+deb11u1 which will be
  released via d-security.
- respond to this bug with a debdiff against 1.1.1m-0+deb11u1
- upload 1.1.1n-0+deb11u1.

Please say if I should delay my upload until a request from the release
team happens, prepare a debdiff against another release or if there is
something else.

> Regards,
> 
> Adam

Sebastian



Re: Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-03-18 Thread Sebastian Andrzej Siewior
On 2022-03-18 09:21:50 [+], Adam D. Barratt wrote:
> Apologies if the status here got confused - based on the above, I was
> assuming that in the absence of a negative response you would proceed
> with the 1.1.1n-0+deb11u1 plan. For complete clarity, please feel free
> to do so, bearing in mind that the window for the 11.3 point release
> closes over this weekend.

No need to apologise. I did plan to do it on WED but got busy with other
things, got sick on THU and couldn't do anything, so the plan is indeed
today.

I would also do the upload for Buster, would that work? I remember that
the packages that broke were already uploaded a few cycles ago.

Thank you!

> Regards,
> 
> Adam

Sebastian



Re: Bug#1003484: bullseye-pu: package openssl/1.1.1m-0+deb11u1

2022-03-18 Thread Sebastian Andrzej Siewior
On 2022-03-18 14:51:32 [+], Adam D. Barratt wrote:
> Boo. Hope you're doing better.

Thanks, yes.

> > I would also do the upload for Buster, would that work? I remember that
> > the packages that broke were already uploaded a few cycles ago.
> 
> Also as 1.1.1n?

Yes.

> I assume there haven't been any regressions reported with l/m/n in the
> meantime.

Not that I am aware of. I'm adding Kurt explicitly in To: in case he has
some secret knowledge.
Just uploaded the Bullseye version.

> Regards,
> 
> Adam

Sebastian



Re: Bug#1051884: bullseye-pu: package openssl/1.1.1w-0~deb11u1

2023-10-02 Thread Sebastian Andrzej Siewior
On 2023-10-02 13:41:17 [+0200], Cyril Brulebois wrote:
> Adam D. Barratt  (2023-10-02):
> > Unfortunately, the version format change from -0+deb11uX to -0~deb11uX
> > has broken the installer.
> > 
> > The udebs end up with dependencies of the form ">= 1.1.1w", which
> > 1.1.1w-0~deb11u1 doesn't fulfil. Assuming I'm not missing anything,
> > could we have an upload that uses the -0+ style of versioning ASAP,
> > please?
> 
> Trying to understand the reasons behind the versioning scheme switch, it
> seems the debian/bullseye branch is still at 1.1.1v-0~deb11u1 (without a
> tag).

Sorry for that. Just uploaded 1.1.1w-0+deb11u1 which solves that.

> Cheers,

Sebastian
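Why `1.1.1w-0~deb11u1` does not satisfy a `>= 1.1.1w` udeb dependency while `1.1.1w-0+deb11u1` does comes down to dpkg's version ordering. The following Python transcription of that ordering is an added example, not dpkg's code and not from this thread; it follows the comparison rules of deb-version(7) (epoch, then upstream part, then Debian revision, with `~` sorting before everything including the end of the string) and checks the exact version strings quoted above.

```python
"""Added example (not dpkg's code): Debian version ordering, enough to show
why "1.1.1w-0~deb11u1" fails ">= 1.1.1w" and "1.1.1w-0+deb11u1" passes.

Rules transcribed from deb-version(7): compare epoch numerically, then the
upstream part, then the Debian revision.  Within a part, alternate between
non-digit runs (compared character by character, '~' before end-of-string
before letters before other characters) and digit runs (compared as numbers).
"""


def _order(c):
    """Weight of one non-digit character; '' stands for end of string."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before even the empty string
    return ord(c) + 256      # '+', '.', etc. sort after all letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the dpkg way."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros, longer number wins, else first differing digit
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; the revision follows the last '-'."""
    epoch = 0
    if ":" in v:
        epoch_str, v = v.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Negative if a sorts before b, zero if equal, positive if after."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r != 0 else _verrevcmp(ra, rb)


_OPS = {
    ">=": lambda r: r >= 0, "<=": lambda r: r <= 0,
    ">>": lambda r: r > 0, "<<": lambda r: r < 0, "=": lambda r: r == 0,
}


def satisfies(installed, op, wanted):
    """Does `installed` satisfy a dependency written as `pkg (op wanted)`?"""
    return _OPS[op](compare_versions(installed, wanted))


if __name__ == "__main__":
    # The udeb dependency from the thread against both packaging styles.
    for candidate in ("1.1.1w-0~deb11u1", "1.1.1w-0+deb11u1"):
        print(candidate, ">= 1.1.1w:", satisfies(candidate, ">=", "1.1.1w"))
```

The tilde in `-0~deb11u1` makes the revision sort below an empty revision, so the package version is below plain `1.1.1w`; the plus in `-0+deb11u1` sorts above it. The same rule is why a `~`-suffixed version is the usual choice for backports that must be overtaken by the real release, and the wrong choice for a stable update whose udeb dependencies are generated as `>= upstream-version`.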



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2020-11-15 Thread Sebastian Andrzej Siewior
control: retitle -1 buster-pu: package openssl/1.1.1h-1

On 2020-05-02 22:34:40 [+0100], Adam D. Barratt wrote:
> > > Do we have any feeling for how widespread such certificates might be?
> > > The fact that there have been two different upstream reports isn't
> > > particularly comforting.
> > 
> > This is correct. I don't know if there is tooling that is generating
> > broken certificates or just some individuals. I updated my two
> > OpenVPN instances and I saw clients connecting again.
> 
> Thanks for the information.

Look at that. I deployed it locally and forgot all about it. Now I was
going to open a pu for 1.1.1h and noticed that I didn't finish this one.

I hereby propose an update to 1.1.1h.
There were no dramatic CVEs closed according to the news file, only

| o Disallow explicit curve parameters in verifications chains when
|   X509_V_FLAG_X509_STRICT is used
| o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS
|   contexts
| o Oracle Developer Studio will start reporting deprecation warnings

is listed under "major changes" since the g release.

We have h in unstable and testing. It took almost a month to migrate. It
was first blocked by swi-prolog (#972862) which was caused by an
"interesting" test suite. Test suite errors do not lead to build
failures, only debci is/was affected. The fix included only an update
to the testsuite.
The same error is also present in the stable version of swi-prolog.
However, this is not the only failure in the test suite (it also
complains about too small keys) and there is no debci for stable which
would cause a regression so I don't think that it is worth addressing
this in stable. The package builds fine from source.

I'm attaching a debdiff against the proposed g release.

> Regards,
> 
> Adam

Sebastian


1.1.1h.diff.xz
Description: application/xz


Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2020-11-20 Thread Sebastian Andrzej Siewior
On 2020-11-20 17:24:30 [+], Adam D. Barratt wrote:
> Predictably we're again quite close to a point release. :-( (One week
> from freeze, specifically.)

oh.

> Looking at the upstream issues regarding certificate validation changes
> between 1.1.1e and f/g, #11456 appears to have been addressed already,
> but #11625 is still open and looks stalled. Have you seen any more
> reports of that issue?

Not that I am aware of.

I don't want to rush anything. I have no problem to delay this until
after the point release if you prefer to do so.

> Regards,
> 
> Adam

Sebastian



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2020-11-24 Thread Sebastian Andrzej Siewior
On 2020-11-24 20:18:15 [+], Adam D. Barratt wrote:
> That would be preferable at this point, yes, sorry. We should try and
> make sure it's sorted soon afterwards though, to avoid things getting
> stuck again.

I will set up an alarm on my side :)

> At some point, could we please have a combined / single diff between
> the current 1.1.1d-0+deb10u3 and the proposed 1.1.1h-0+deb10u1 (I
> assume)?

Sure. I will prepare one tomorrow.

> Regards,
> 
> Adam

Sebastian



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-14 Thread Sebastian Andrzej Siewior
On 2021-01-14 19:03:37 [+0100], Kurt Roeckx wrote:
> > Do you have pointers to upstream issues?
> 
> There are a whole bunch of other issues and pull requests related to
> this. I hope this is the end of the regressions in the X509 code.

Okay. Please ping once this gets sorted out and I will prepare
unstable/stable uploads. The m2crypto issue got resolved in unstable
\o/.

> Kurt

Sebastian



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-21 Thread Sebastian Andrzej Siewior
On 2021-01-16 19:14:53 [+0100], Kurt Roeckx wrote:
> So I went over the open issues and pull requests, and currently
> don't see a reason not to upload it to unstable with those 2
> patches. I don't know about any other regressions in 1.1.1.

The openssl package migrated to testing.
I would prepare the pu package for Buster. Should I post here the
complete diff or an incremental containing only the new patches?
Once the openssl pu is acked I would open a pu for m2crypto. Or should
it be done now? (just asking).

> Kurt

Sebastian



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-24 Thread Sebastian Andrzej Siewior
On 2021-01-22 16:38:28 [+], Adam D. Barratt wrote:
> Both would be good, please.

Here is the one with the two additional patches.

Sebastian
diff --git a/debian/changelog b/debian/changelog
index 088c914a3dd4a..56a950734f01d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,8 +4,9 @@ openssl (1.1.1i-0+deb10u1) buster; urgency=medium
 - CVE-2019-1551 (Overflow in the x64_64 Montgomery squaring procedure),
   (Closes: #947949).
   * Update symbol list.
+  * Apply two patches from upstream to address x509 related regressions.
 
- -- Sebastian Andrzej Siewior   Wed, 06 Jan 2021 21:04:15 +0100
+ -- Sebastian Andrzej Siewior   Sun, 24 Jan 2021 11:22:16 +0100
 
 openssl (1.1.1d-0+deb10u4) buster-security; urgency=medium
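Review bot: the new entry `+  * Apply two patches from upstream to address x509 related regressions.` would be more useful with the upstream references spelled out; the first patch's header further down in this same diff carries `Fixes #13698` and `Merged from https://github.com/openssl/openssl/pull/13756`, so those can be named, and writing them as upstream (GitHub) numbers avoids them being read as Debian bug numbers in a Debian changelog. The second of the two patches is not visible in this excerpt.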
 
diff --git a/debian/patches/X509_cmp-Fix-comparison-in-case-x509v3_cache_extensions-f.patch b/debian/patches/X509_cmp-Fix-comparison-in-case-x509v3_cache_extensions-f.patch
new file mode 100644
index 0..4e6a391da269d
--- /dev/null
+++ b/debian/patches/X509_cmp-Fix-comparison-in-case-x509v3_cache_extensions-f.patch
@@ -0,0 +1,232 @@
+From: "Dr. David von Oheimb" 
+Date: Wed, 30 Dec 2020 09:57:49 +0100
+Subject: X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed
+ to due to invalid cert
+
+This is the backport of #13755 to v1.1.1.
+Fixes #13698
+
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/13756)
+---
+ crypto/x509/x509_cmp.c| 18 ++
+ crypto/x509/x_all.c   |  2 +-
+ crypto/x509v3/v3_purp.c   |  3 ++-
+ doc/man3/X509_get_extension_flags.pod |  9 +++--
+ include/openssl/x509v3.h  |  5 +++--
+ test/certs/invalid-cert.pem   | 19 +++
+ test/recipes/80-test_x509aux.t| 13 -
+ test/x509aux.c| 17 +++--
+ 8 files changed, 61 insertions(+), 25 deletions(-)
+ create mode 100644 test/certs/invalid-cert.pem
+
+diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
+index ad620af0aff4..c9d89336406f 100644
+--- a/crypto/x509/x509_cmp.c
 b/crypto/x509/x509_cmp.c
+@@ -133,19 +133,21 @@ unsigned long X509_subject_name_hash_old(X509 *x)
+  */
+ int X509_cmp(const X509 *a, const X509 *b)
+ {
+-int rv;
++int rv = 0;
+ 
+ if (a == b) /* for efficiency */
+ return 0;
+-/* ensure hash is valid */
+-if (X509_check_purpose((X509 *)a, -1, 0) != 1)
+-return -2;
+-if (X509_check_purpose((X509 *)b, -1, 0) != 1)
+-return -2;
+ 
+-rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+-if (rv)
++/* try to make sure hash is valid */
++(void)X509_check_purpose((X509 *)a, -1, 0);
++(void)X509_check_purpose((X509 *)b, -1, 0);
++
++if ((a->ex_flags & EXFLAG_NO_FINGERPRINT) == 0
++&& (b->ex_flags & EXFLAG_NO_FINGERPRINT) == 0)
++rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
++if (rv != 0)
+ return rv;
++
+ /* Check for match against stored encoding too */
+ if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) {
+ if (a->cert_info.enc.len < b->cert_info.enc.len)
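Review bot: with `int rv = 0;` and the memcmp now guarded by both certificates lacking EXFLAG_NO_FINGERPRINT, a comparison involving a certificate whose SHA-1 fingerprint could not be computed no longer returns -2 but falls through to the `cert_info.enc` comparison below; callers that relied on the two removed `return -2;` lines as an "invalid certificate" signal now get an ordering instead. That is the intended fix per the subject line, but it is an API behaviour change that the pod change later in this patch should state explicitly, and a short comment above the EXFLAG_NO_FINGERPRINT test explaining why the cached hash is only trusted when both sides have one would make the `(void)X509_check_purpose(...)` calls read as deliberate rather than as ignored errors.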
+diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
+index aa5ccba44899..bec850af5797 100644
+--- a/crypto/x509/x_all.c
 b/crypto/x509/x_all.c
+@@ -363,7 +363,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
+ unsigned int *len)
+ {
+ if (type == EVP_sha1() && (data->ex_flags & EXFLAG_SET) != 0
+-&& (data->ex_flags & EXFLAG_INVALID) == 0) {
++&& (data->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) {
+ /* Asking for SHA1 and we already computed it. */
+ if (len != NULL)
+ *len = sizeof(data->sha1_hash);
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 2b06dba05398..93b5ca4d4283 100644
+--- a/crypto/x509v3/v3_purp.c
 b/crypto/x509v3/v3_purp.c
+@@ -391,7 +391,8 @@ static void x509v3_cache_extensions(X509 *x)
+ }
+ 
+ if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
+-x->ex_flags |= EXFLAG_INVALID;
++x->ex_flags |= (EXFLAG_NO_FINGERPRINT | EXFLAG_INVALID);
++
+ /* V1 should mean no extensions ... */
+ if (!X509_get_version(x))
+ x->ex_flags |= EXFLAG_V1;
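Review bot: `x->ex_flags |= (EXFLAG_NO_FINGERPRINT | EXFLAG_INVALID);` keeps the old EXFLAG_INVALID semantics while adding the new bit, and X509_digest() in the x_all.c hunk above now keys its SHA-1 cache on EXFLAG_NO_FINGERPRINT instead of EXFLAG_INVALID, so a certificate that is invalid for some other reason but whose hash was computed will now serve the cached value; that is consistent between the two hunks. The definition of EXFLAG_NO_FINGERPRINT in include/openssl/x509v3.h is listed in the diffstat but not part of this excerpt, so whether the chosen bit is free in the 1.1.1 branch (this is a backport, per the patch header) cannot be checked from here.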
+diff --git a/doc/man3/X509_get_extension_flags.pod b/doc/man3/X509_get_extension_flags.pod
+index 43c9c952c6b7..cca72c71fcab 100644
+--- a/doc/man3/X509_get_extension_flags.pod
 b/doc/man3/X509_get_extension_flags.pod
+@@ -78,12 +78,17 @@ The certificate contains an unhandled critical extension.
+ 
+ =item B
+ 
+-Some certificate extension values are invalid or inconsistent. The
+-certificate should be rejected.
++Some certificate extension values are invalid or inconsistent.
++The certificate should be rejected.
+ This bit may also 

Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-24 Thread Sebastian Andrzej Siewior
On 2021-01-22 16:38:28 [+], Adam D. Barratt wrote:
> Assuming that a patched m2crypto will also build fine against openssl
> 1.1.1d, then there's no reason that the two shouldn't proceed in
> parallel (i.e. feel free to file the m2crypto request already).

Yes, it does. Bug filed. Thank you.

> Regards,
> 
> Adam

Sebastian



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-25 Thread Sebastian Andrzej Siewior
On 2021-01-25 19:57:18 [+0100], Cyril Brulebois wrote:
> Not really *much* easier, to be honest. I can definitely build a package
> locally given a source debdiff, or slightly better, given a source
> package I can run dget against (since we're talking about new upstream
> releases, by the looks of it), and do whatever testing with the
> generated packages built into d-i and/or fetched from the network as
> required (similarly to what's done for the various kernel udebs).
> 
> IOW that can be tested before even having to make a decision regarding a
> possible acceptance into p-u.

In case it helps, I uploaded
  https://breakpoint.cc/openssl-pu.tar

| $ sha512sum openssl-pu.tar
| 1a3df2e37aa9312a378046691794bf7d7d72570ed9ade7ffbf50f87c8c8a7dd5e671a7f704fc4f1ebdbada1dda3007a5db24b426deefd33fff39b81e7be38aa3  openssl-pu.tar

containing the source package and amd64 packages.

> Cheers,

Sebastian


signature.asc
Description: PGP signature


Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-01-29 Thread Sebastian Andrzej Siewior
On 2021-01-28 00:28:03 [+0100], Kurt Roeckx wrote:
> On Thu, Jan 14, 2021 at 07:03:37PM +0100, Kurt Roeckx wrote:
> > There are a whole bunch of other issues and pull requests related to
> > this. I hope this is the end of the regressions in the X509 code.
> 
> So there is something else now:
> https://github.com/openssl/openssl/issues/13931
> https://github.com/openssl/openssl/pull/13982

So what is the plan here? Upload to unstable and prepare a pu once it
migrates to testing, or right away?

> Kurt

Sebastian



Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-02-01 Thread Sebastian Andrzej Siewior
On 2021-01-29 20:35:52 [+0100], To Kurt Roeckx wrote:
> On 2021-01-28 00:28:03 [+0100], Kurt Roeckx wrote:
> > On Thu, Jan 14, 2021 at 07:03:37PM +0100, Kurt Roeckx wrote:
> > > There are a whole bunch of other issues and pull requests related to
> > > this. I hope this is the end of the regressions in the X509 code.
> > 
> > So there is something else now:
> > https://github.com/openssl/openssl/issues/13931
> > https://github.com/openssl/openssl/pull/13982
> 
> So what is the plan here? Upload to unstable and prepare a pu once it
> migrate to testing or right away?

Fed to unstable, migrated to testing. The small diff towards the
previous is attached. I uploaded the whole thing (source package +
amd64 binary) to
https://breakpoint.cc/openssl-pu.tar

in case someone wants to test.
I think the ship for this pu is sailing without me but I'm ready for the
next cruise :)
The complete diff vs the last package is coming soon.

> > Kurt

Sebastian
diff --git a/debian/changelog b/debian/changelog
index 56a950734f01d..89ce61e9d6be7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,8 +5,9 @@ openssl (1.1.1i-0+deb10u1) buster; urgency=medium
   (Closes: #947949).
   * Update symbol list.
   * Apply two patches from upstream to address x509 related regressions.
+  * Cherry-pick a patch from upstream to address #13931.
 
- -- Sebastian Andrzej Siewior   Sun, 24 Jan 2021 11:22:16 +0100
+ -- Sebastian Andrzej Siewior   Mon, 01 Feb 2021 23:23:03 +0100
 
 openssl (1.1.1d-0+deb10u4) buster-security; urgency=medium
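Review bot: `+  * Cherry-pick a patch from upstream to address #13931.` reads as a Debian BTS number in a Debian changelog; the patch header below cites it as upstream's `Fixes #13931` together with `https://github.com/openssl/openssl/pull/13982`, so write it as "upstream issue #13931" (or give the GitHub URL) so it is not mistaken for a Debian bug, and mention what it fixes in one phrase, as the CVE line in the same entry does.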
 
diff --git a/debian/patches/check_sig_alg_match-weaken-sig-nid-comparison-to-base-alg.patch b/debian/patches/check_sig_alg_match-weaken-sig-nid-comparison-to-base-alg.patch
new file mode 100644
index 0..2b2dfd420cb28
--- /dev/null
+++ b/debian/patches/check_sig_alg_match-weaken-sig-nid-comparison-to-base-alg.patch
@@ -0,0 +1,244 @@
+From: "Dr. David von Oheimb" 
+Date: Tue, 26 Jan 2021 11:53:15 +0100
+Subject: check_sig_alg_match(): weaken sig nid comparison to base alg
+
+This (re-)allows RSA-PSS signers
+
+Fixes #13931
+
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/13982)
+---
+ crypto/x509v3/v3_purp.c   |  9 ++---
+ test/certs/ca-pss-cert.pem| 21 +
+ test/certs/ca-pss-key.pem | 28 
+ test/certs/ee-pss-cert.pem| 21 +
+ test/certs/mkcert.sh  | 22 +-
+ test/certs/setup.sh   | 13 +
+ test/recipes/25-test_verify.t |  5 -
+ 7 files changed, 106 insertions(+), 13 deletions(-)
+ create mode 100644 test/certs/ca-pss-cert.pem
+ create mode 100644 test/certs/ca-pss-key.pem
+ create mode 100644 test/certs/ee-pss-cert.pem
+
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 93b5ca4d4283..3f5ce5c91c5d 100644
+--- a/crypto/x509v3/v3_purp.c
 b/crypto/x509v3/v3_purp.c
+@@ -348,14 +348,17 @@ static int setup_crldp(X509 *x)
+ /* Check that issuer public key algorithm matches subject signature algorithm */
+ static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject)
+ {
+-int pkey_nid;
++int pkey_sig_nid, subj_sig_nid;
+ 
+ if (pkey == NULL)
+ return X509_V_ERR_NO_ISSUER_PUBLIC_KEY;
++if (OBJ_find_sigid_algs(EVP_PKEY_base_id(pkey),
++NULL, &pkey_sig_nid) == 0)
++pkey_sig_nid = EVP_PKEY_base_id(pkey);
+ if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm),
+-NULL, &pkey_nid) == 0)
++NULL, &subj_sig_nid) == 0)
+ return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+-if (EVP_PKEY_type(pkey_nid) != EVP_PKEY_base_id(pkey))
++if (pkey_sig_nid != EVP_PKEY_type(subj_sig_nid))
+ return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH;
+ return X509_V_OK;
+ }
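Review bot: the new key-side lookup `OBJ_find_sigid_algs(EVP_PKEY_base_id(pkey), NULL, &pkey_sig_nid)` is asymmetric with the subject side: when the lookup fails for the key it silently falls back to `pkey_sig_nid = EVP_PKEY_base_id(pkey);`, whereas a failed lookup for the subject's signature algorithm still returns X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM. That fallback is the path taken whenever the key's base id is not itself a signature algorithm id, which is the common case, while only keys whose base id is registered as a signature algorithm (the RSA-PSS case the subject line names) go through the mapping; a comment stating this, and why EVP_PKEY_type() is applied only to `subj_sig_nid` in the final comparison, would make the intent clear to the next reader and stop the asymmetry from looking like a missed error check.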
+diff --git a/test/certs/ca-pss-cert.pem b/test/certs/ca-pss-cert.pem
+new file mode 100644
+index ..566b63a800f7
+--- /dev/null
 b/test/certs/ca-pss-cert.pem
+@@ -0,0 +1,21 @@
++-BEGIN CERTIFICATE-

Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

2021-02-10 Thread Sebastian Andrzej Siewior
On 2021-02-01 23:50:03 [+0100], To Kurt Roeckx wrote:
> in case someone wants to test.
> I think the ship for this pu is sailing without me but I'm ready for the
> next cruise :)

OpenSSL upstream announced [0] 1.1.1j for next Tuesday with a security
fix classified as MODERATE [1].

[0] https://mta.openssl.org/pipermail/openssl-announce/2021-February/000191.html
[1] https://www.openssl.org/policies/secpolicy.html#moderate

Sebastian