Bug#1050299: [Pkg-rust-maintainers] Bug#1050299: rust-webpki: RUSTSEC-2023-0052
On Sat, 9 Sep 2023 09:16:55 +0300 Michael Tokarev wrote:
> 09.09.2023 03:07, Peter Green:
>> async-tls has not switched upstream. On the other hand I don't
>> see any packages in Debian using it yet. ccing mjt to see what
>> the reason for packaging it was.
>
> async-tls isn't my baby, count_omega (=werdahias, Cc'd) asked to sponsor it
> on Jun-28 and I uploaded it, that's all.
>
> Thanks,
>
> /mjt

A pull request was opened upstream: https://github.com/async-rs/async-tls/pull/54

I packaged async-tls as it's a dependency of magic-wormhole-rs (which is needed for warp, which I ITP'd).

best,
--
Matthias Geiger (werdahias)
Debian Maintainer
Bug#1050299: [Pkg-rust-maintainers] Bug#1050299: rust-webpki: RUSTSEC-2023-0052
09.09.2023 03:07, Peter Green:
> async-tls has not switched upstream. On the other hand I don't
> see any packages in Debian using it yet. ccing mjt to see what
> the reason for packaging it was.

async-tls isn't my baby, count_omega (=werdahias, Cc'd) asked to sponsor it
on Jun-28 and I uploaded it, that's all.

Thanks,

/mjt
Bug#1050299: [Pkg-rust-maintainers] Bug#1050299: rust-webpki: RUSTSEC-2023-0052
> I think this indicates that it can indeed be safely removed from Debian?
> I'm CC'ing developers that have made uploads to this package in the past
> for additional opinions as I suspect the issue is more subtle than that.

dak rm does not take account of virtual packages. So for rust packages it is generally useless.

In terms of reverse dependencies, a number have already moved to the fork rustls-webpki. However there are still a few left. Specifically rust-async-tls, rust-trust-dns-proto and rust-trust-dns-client.

async-tls has not switched upstream. On the other hand I don't see any packages in Debian using it yet. ccing mjt to see what the reason for packaging it was.

trust-dns-proto and trust-dns-server have switched upstream, however updating the trust-dns packages has proved a bit more involved than I would have liked. I pushed my current efforts to the branch trust-dns-0.23 in the debcargo-conf repo.

The main thing left to deal with regarding trust-dns is aardvark-dns, the code changes needed were beyond my skills, so I reported an issue upstream. Upstream has come up with a patch but has not merged it yet.

https://github.com/containers/aardvark-dns/pull/381
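The point that `dak rm` only looks at real package names, and therefore misses the `librust-<crate>-<semver>+<feature>-dev` virtual names that Debian rust crates actually depend on, can be made concrete with a small reverse-dependency check. The following is an added example, not code from the thread or from Debian's dak/debcargo tooling. It parses a few constructed Packages-file stanzas (the binary package names follow debcargo's naming convention, but the versions, Provides lists and Depends lists are made up for illustration and do not describe the real archive) and compares a name-only lookup with one that resolves Provides.

```python
import re

# Constructed sample stanzas in Debian Packages-file format. Names follow
# debcargo's scheme; versions and dependency lists are invented for this
# example and are NOT real archive data.
SAMPLE_PACKAGES = """\
Package: librust-webpki-dev
Version: 0.22.0-2
Provides: librust-webpki+default-dev (= 0.22.0-2), librust-webpki-0-dev (= 0.22.0-2), librust-webpki-0+default-dev (= 0.22.0-2), librust-webpki-0.22-dev (= 0.22.0-2), librust-webpki-0.22+default-dev (= 0.22.0-2), librust-webpki-0.22.0-dev (= 0.22.0-2), librust-webpki-0.22.0+default-dev (= 0.22.0-2)
Depends: librust-ring-0.16+default-dev, librust-untrusted-0.7+default-dev

Package: librust-async-tls-dev
Version: 0.12.0-1
Depends: librust-futures-io-0.3+default-dev, librust-webpki-0.22+default-dev, librust-rustls-0.20+default-dev

Package: librust-rustls-webpki-dev
Version: 0.101.4-1
Provides: librust-rustls-webpki-0.101-dev (= 0.101.4-1), librust-rustls-webpki-0.101+default-dev (= 0.101.4-1)
Depends: librust-ring-0.16+default-dev

Package: librust-trust-dns-proto-dev
Version: 0.22.0-3
Depends: librust-webpki-0.22+default-dev | librust-rustls-webpki-0.101-dev, librust-tokio-1+default-dev
"""


def parse_packages(text):
    """Parse Packages-file stanzas into dicts (single-line fields only)."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def split_relation(value):
    """Turn 'a (= 1), b | c (>= 2)' into [['a'], ['b', 'c']].

    Version constraints are dropped; this example only cares about names.
    """
    clauses = []
    for clause in value.split(","):
        clause = clause.strip()
        if not clause:
            continue
        alts = [re.sub(r"\s*\(.*?\)", "", alt).strip() for alt in clause.split("|")]
        clauses.append(alts)
    return clauses


def names_satisfied_by(stanza, honor_provides):
    """All dependency names this binary package can satisfy."""
    names = {stanza["Package"]}
    if honor_provides:
        for alts in split_relation(stanza.get("Provides", "")):
            names.update(alts)
    return names


def reverse_depends(stanzas, binary, honor_provides=True):
    """Map each package depending on `binary` to its matching Depends clauses.

    honor_provides=False mirrors a check that only compares real package
    names; for rust crates, whose Depends are almost always on Provides
    names, that finds nothing and is what the thread calls useless.
    Each match records any alternative ("fallback") in the clause that is
    not satisfied by `binary`, so a migration to a fork is visible.
    """
    by_name = {s["Package"]: s for s in stanzas}
    target = names_satisfied_by(by_name[binary], honor_provides)
    result = {}
    for stanza in stanzas:
        if stanza["Package"] == binary:
            continue
        for alts in split_relation(stanza.get("Depends", "")):
            if target.intersection(alts):
                result.setdefault(stanza["Package"], []).append(
                    {"clause": " | ".join(alts), "fallback": sorted(set(alts) - target)}
                )
    return result


if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_PACKAGES)
    print("name-only:", reverse_depends(pkgs, "librust-webpki-dev", honor_provides=False))
    for dep, clauses in reverse_depends(pkgs, "librust-webpki-dev").items():
        print("provides-aware:", dep, clauses)
```

On the constructed data the name-only check reports no reverse dependencies, matching the empty "Checking reverse dependencies..." result quoted earlier in the thread, while the Provides-aware check finds both dependents and shows that only one of them has an alternative on the rustls-webpki fork.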
Bug#1050299: rust-webpki: RUSTSEC-2023-0052
Hi Salvatore,

thanks for filing this bug.

> Please see https://rustsec.org/advisories/RUSTSEC-2023-0052.html .

This page is giving a very general description of the problem:

>> When this crate is given a pathological certificate chain to validate, it
>> will spend CPU time exponential with the number of candidate certificates at
>> each step of path building.
>>
>> Both TLS clients and TLS servers that accept client certificate are affected.

The page is also indicating that the issue was fixed in version 0.22.1, hence I've packaged that version and closed this bug. While this might not address all concerns (at least https://github.com/briansmith/webpki/issues/69 indicates that there is more work to do), https://github.com/briansmith/webpki/issues/69#issuecomment-1699894848 indicates:

>> There is a webpki 0.22.1 release that implements the signature count
>> mitigation.

Additionally, you are asking:

> Should rust-webpki be removed from Debian testing and unstable?

```
siretart@coccia:~$ dak rm -nR rust-webpki
Will remove the following packages from unstable:

librust-webpki-dev | 0.22.0-2 | amd64, arm64, armel, armhf, i386
       rust-webpki | 0.22.0-2 | source

Maintainer: Debian Rust Maintainers

--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.
```

I think this indicates that it can indeed be safely removed from Debian? I'm CC'ing developers that have made uploads to this package in the past for additional opinions as I suspect the issue is more subtle than that.

-rt
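To see why a "signature count mitigation" addresses the exponential path-building cost quoted from the advisory above, here is an added toy model; it is not webpki's code and does not reproduce its data structures, and the certificate names and numbers are made up. A depth-first path builder tries every candidate issuer whose subject matches the current certificate's issuer name; when an attacker supplies `width` look-alike candidates at each of `depth` levels and none of them ever reaches a trust anchor, the builder performs `width + width^2 + ... + width^depth` signature checks. Capping the number of signature checks per validation bounds that work while leaving an honest chain, which needs one check per hop, unaffected.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the names that drive path building."""
    subject: str
    issuer: str


class SignatureBudgetExceeded(Exception):
    """Raised when a validation would exceed its signature-check budget."""


class PathBuilder:
    def __init__(self, pool, trust_anchors, max_signatures=None):
        self.pool = list(pool)                 # candidate intermediates supplied by the peer
        self.trust_anchors = set(trust_anchors)  # trusted root subject names
        self.max_signatures = max_signatures   # None = unbounded (the vulnerable behaviour)
        self.signatures_checked = 0

    def _verify(self, cert, issuer_name):
        # Stand-in for a real signature verification. In the pathological case
        # every candidate's signature checks out, so the builder keeps descending;
        # the only thing that stops it is the budget.
        if self.max_signatures is not None and self.signatures_checked >= self.max_signatures:
            raise SignatureBudgetExceeded(
                f"{self.signatures_checked} signature checks while validating {cert.subject}"
            )
        self.signatures_checked += 1
        return True

    def build(self, cert, depth=0, max_depth=8):
        """Depth-first search for a chain from `cert` to a trust anchor."""
        if cert.issuer in self.trust_anchors:
            self._verify(cert, cert.issuer)
            return [cert]
        if depth >= max_depth:
            return None
        for candidate in self.pool:
            if candidate.subject != cert.issuer:
                continue
            if not self._verify(cert, candidate.subject):
                continue
            path = self.build(candidate, depth + 1, max_depth)
            if path is not None:
                return [cert] + path
        return None


def pathological_pool(width, depth):
    """`width` look-alike intermediates per level, none chaining to an anchor."""
    return [Cert(f"CA{level}", f"CA{level + 1}") for level in range(1, depth + 1) for _ in range(width)]


def attempt(leaf, pool, trust_anchors, max_signatures=None):
    """Run one validation and report the outcome plus the work performed."""
    builder = PathBuilder(pool, trust_anchors, max_signatures)
    try:
        path = builder.build(leaf)
    except SignatureBudgetExceeded:
        return {"outcome": "budget_exceeded", "signatures": builder.signatures_checked, "path": None}
    outcome = "path_found" if path is not None else "no_path"
    return {"outcome": outcome, "signatures": builder.signatures_checked,
            "path": [c.subject for c in path] if path else None}


if __name__ == "__main__":
    honest = attempt(Cert("leaf", "I1"), [Cert("I1", "Root")], {"Root"}, max_signatures=100)
    print("honest chain:", honest)
    unbounded = attempt(Cert("leaf", "CA1"), pathological_pool(3, 5), {"Root"})
    print("pathological, no budget:", unbounded)
    bounded = attempt(Cert("leaf", "CA1"), pathological_pool(3, 5), {"Root"}, max_signatures=100)
    print("pathological, budget 100:", bounded)
```

With width 3 and depth 5 the unbounded builder performs 363 signature checks before concluding there is no path; with a budget of 100 it stops at exactly 100, and the honest two-certificate chain still validates with two checks. Real deployments should also bound chain length and total validation time, as the upstream issue linked above discusses further mitigations beyond the signature count.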
Bug#1050299: rust-webpki: RUSTSEC-2023-0052
Source: rust-webpki
Version: 0.22.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi

Please see https://rustsec.org/advisories/RUSTSEC-2023-0052.html .

FWIW, there is a fix in rustls-webpki, which is a fork that is actively maintained.

Should rust-webpki be removed from Debian testing and unstable?

Regards,
Salvatore