Bug#861121: version in jessie-backports still vulnerable

2017-05-01 Thread Eivind Uggedal
Weechat version 1.5-1~bpo8+10 in jessie-backports is still vulnerable
to CVE-2017-8073.

The same for 1.0.1-1~bpo70+1 in wheezy-backports.



Bug#769952: Fix for SNI support with OpenSSL 1.1.0

2016-12-20 Thread Eivind Uggedal
Package: ssl-cert-check
Version: 3.29-1
Followup-For: Bug #769952

The 3.29-1 version does not handle SNI support with OpenSSL 1.1.0.
See the attached patch for a backwards compatible fix.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
From 69547df2e14718dd4ba3092af423ffcf7ad47508 Mon Sep 17 00:00:00 2001
From: Eivind Uggedal <eiv...@uggedal.com>
Date: Tue, 20 Dec 2016 14:03:31 +0100
Subject: [PATCH] support SNI for OpenSSL >= 1.1.0

OpenSSL 1.1.0 introduced option parsing cleanups. Previous
versions would list a full usage summary (including the
-servername flag for s_client). Newer versions do not:

	openssl s_client -h
	s_client: Option unknown option -h
	s_client: Use -help for summary.
---
 ssl-cert-check | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl-cert-check b/ssl-cert-check
index 079bcb81f240..ef927fd0b757 100644
--- a/ssl-cert-check
+++ b/ssl-cert-check
@@ -704,7 +704,7 @@ then
 fi
 
 # Send along the servername when TLS is used
-if ${OPENSSL} s_client -h 2>&1 | grep '-servername' > /dev/null
+if ${OPENSSL} s_client --help 2>&1 | grep '-servername' > /dev/null
 then
 TLSSERVERNAME="TRUE"
 else
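Review bot: the changed test line calls s_client with --help, but the s_client output quoted in the commit message names the option as -help ("Use -help for summary."). Either pass -help as that message states, or say in the commit message that the double-dash form was checked on 1.1.0 and that older releases still print the full usage for it. Separately, on the same line the grep pattern '-servername' begins with a dash, so grep parses it as options rather than as a pattern; grep -e '-servername' or grep -- '-servername' would make the match explicit.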
-- 
2.11.0



Bug#749646: re: x11-xserver-utils depends on cpp

2016-05-03 Thread Eivind Uggedal
On Tue, 21 Jul 2015 23:20:04 -0400 Michael Gilbert wrote:
> Here is a trivial patch that makes it possible for the user to choose
> (as a non-default option) to exclude cpp packages from xorg using
> systems, at the cost of possibly breaking xrdb.

With a patch moving the dep to a recommends it would be useful if xrdb
was configured with something like:

--with-cpp=/usr/bin/cpp,/usr/bin/mcpp

so that mcpp could be used as a lightweight alternative. cpp-5
currently carries this giant unstripped library in stretch:

$ du -h /usr/lib/gcc/x86_64-linux-gnu/5/cc1
130M	/usr/lib/gcc/x86_64-linux-gnu/5/cc1



Bug#718976: libio-socket-ssl-perl 1.95+ seems to be the offender

2013-08-12 Thread Eivind Uggedal
See this bug and first comment on the Arch Linux bug tracker:
https://bugs.archlinux.org/index.php?do=details&task_id=36506