Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1
On Sun, Sep 11, 2016 at 20:48:07 +0200, Julien Cristau wrote: > > +diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c > > +index a381be1..7bfc10f 100644 > > +--- a/modules/tls/tls_init.c > > b/modules/tls/tls_init.c > > +@@ -543,8 +543,10 @@ int init_tls_h(void) > > + #endif > > + ssl_version=SSLeay(); > > + /* check if version have the same major minor and fix level > > +- * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */ > > +- if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){ > > ++ * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) > > ++ * - values is represented as 0xMMNNFFPPS: major minor fix patch status > > ++ * 0x00090705f == 0.9.7e release */ > > ++ if ((ssl_version>>12)!=(OPENSSL_VERSION_NUMBER>>12)){ > > + LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library " > > + "version is too different from the library the > > ser tls module " > > + "was compiled with: installed \"%s\" (0x%08lx), > > compiled " > > TBH, this seems just as wrong; libssl has a SONAME for a reason, no need > to reinvent broken checks in each user. > If I'm reading it right, the new check will still be unhappy with libssl1.0.0 1.0.2h-1~bpo8+2 from jessie-backports, whereas that should be ABI-compatible with libssl1.0.0 1.0.1t-1+deb8u2 from stable. Cheers, Julien
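The two comparisons discussed in this thread, run against the version words from the log further down the page, as an added example (not kamailio's code; the function names are made up here, and the 1.0.1o and 1.0.2h values are constructed from OpenSSL's 0xMNNFFPPS layout). It also shows that the old check did accept some letter releases, because it only kept the high nibble of the patch byte:

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x version word, 0xMNNFFPPS:
 * major (4 bits), minor (8), fix (8), patch (8), status (4). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render e.g. "1.0.1t": patch 1..26 maps to a..z; any other patch value
 * is rendered without a letter. */
static const char *ossl_name(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver r = ossl_decode(v);
    char letter[2] = { 0, 0 };
    if (r.patch >= 1 && r.patch <= 26)
        letter[0] = (char)('a' + r.patch - 1);
    snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
    return buf;
}

/* Pre-patch test: still compares the high nibble of the patch byte. */
static int check_shift8(unsigned long runtime, unsigned long built)
{ return (runtime >> 8) == (built >> 8); }

/* Patched test: drops patch and status, compares major.minor.fix only. */
static int check_shift12(unsigned long runtime, unsigned long built)
{ return (runtime >> 12) == (built >> 12); }

int main(void)
{
    /* 0x100010bf and 0x1000114f come from the log on this page; the other
     * two are constructed from the layout above (1.0.1o and 1.0.2h). */
    const unsigned long built = 0x100010bfUL;
    const unsigned long rt[] = { 0x100010ffUL, 0x1000114fUL, 0x1000208fUL };
    char name[32];
    for (size_t i = 0; i < sizeof rt / sizeof rt[0]; i++)
        printf("%-7s >>8:%s >>12:%s\n", ossl_name(rt[i], name, sizeof name),
               check_shift8(rt[i], built) ? "ok" : "reject",
               check_shift12(rt[i], built) ? "ok" : "reject");
    return 0;
}
```

Against a 1.0.1k build, 1.0.1t passes only the patched comparison, and 1.0.2h fails both, which is the case raised in the message above.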
Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1
On Wed, Sep 7, 2016 at 11:48:46 +0200, Victor Seva wrote: > diff -Nru kamailio-4.2.0/debian/patches/fix_tls.patch > kamailio-4.2.0/debian/patches/fix_tls.patch > --- kamailio-4.2.0/debian/patches/fix_tls.patch 1970-01-01 > 01:00:00.0 +0100 > +++ kamailio-4.2.0/debian/patches/fix_tls.patch 2016-09-07 > 10:00:32.0 +0200 
> @@ -0,0 +1,34 @@ > +From 0a5f99b28d01d79cf2675df6d2a6220167e2476e Mon Sep 17 00:00:00 2001 > +From: Daniel-Constantin Mierla> +Date: Tue, 7 Jun 2016 15:21:06 +0200 > +Subject: [PATCH] tls: proper check of libssl versions used for compilation > and > + available on system > + > +- shift out the last 12bits, being the patch version and status (see man > + SSLeay) > +- reported by Victor Seva, GH #662 > + > +(cherry picked from commit c38b4c7345a6806f48a0cdb07841e10bc962e1bf) > +(cherry picked from commit 253909bf673c0a59e7adf578bb5df73eb157d0f2) > +(cherry picked from commit 5632abc108bf8ed8157a77806ea80b962db3fa4f) > +--- > + modules/tls/tls_init.c | 6 -- > + 1 file changed, 4 insertions(+), 2 deletions(-) > + > +diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c > +index a381be1..7bfc10f 100644 > +--- a/modules/tls/tls_init.c > b/modules/tls/tls_init.c > +@@ -543,8 +543,10 @@ int init_tls_h(void) > + #endif > + ssl_version=SSLeay(); > + /* check if version have the same major minor and fix level > +- * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */ > +-if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){ > ++ * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) > ++ * - values is represented as 0xMMNNFFPPS: major minor fix patch status > ++ * 0x00090705f == 0.9.7e release */ > ++if ((ssl_version>>12)!=(OPENSSL_VERSION_NUMBER>>12)){ > + LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library " > + "version is too different from the library the > ser tls module " > + "was compiled with: installed \"%s\" (0x%08lx), > compiled " TBH, this seems just as wrong; libssl has a SONAME for a reason, no need to reinvent broken checks in each user. Cheers, Julien
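Review bot: the comment added in the tls_init.c hunk gives the layout as 0xMMNNFFPPS and the example as 0x00090705f, both nine hex digits, while the version word is eight hex digits (the LOG call just below prints it with 0x%08lx); OpenSSL documents it as 0xMNNFFPPS, with 0x0090705f for the 0.9.7e release. The 12-bit shift itself matches that layout (8 bits of patch plus 4 of status), so only the comment needs correcting. The comparison still requires an identical fix byte, so the first comment line, "same major minor and fix level", remains the effective policy and is worth stating next to the tls_force_run override mentioned in the error text.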
Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1
Control: tags -1 + pending

On Fri, 2016-09-09 at 01:52 +0100, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
>
> On Wed, 2016-09-07 at 11:48 +0200, Victor Seva wrote:
> > 2016-09-07 9:30 GMT+02:00 Adam D. Barratt:
> > > Thanks for caring about fixing this in jessie.
> > >
> > > In order to okay an upload, however, we'd need to see a source debdiff for
> > > the proposed package, built and tested on a jessie system.
> >
> > Sure.
>
> Thanks; please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam
Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1
Control: tags -1 -moreinfo +confirmed

On Wed, 2016-09-07 at 11:48 +0200, Victor Seva wrote:
> 2016-09-07 9:30 GMT+02:00 Adam D. Barratt:
> > Thanks for caring about fixing this in jessie.
> >
> > In order to okay an upload, however, we'd need to see a source debdiff for
> > the proposed package, built and tested on a jessie system.
>
> Sure.

Thanks; please go ahead.

Regards,

Adam
Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1
2016-09-07 9:30 GMT+02:00 Adam D. Barratt:
> Thanks for caring about fixing this in jessie.
>
> In order to okay an upload, however, we'd need to see a source debdiff for
> the proposed package, built and tested on a jessie system.

Sure.

Before:

dpkg -l | grep kamailio
ii kamailio 4.2.0-2+deb8u1 amd64 very fast and configurable SIP proxy
ii kamailio-tls-modules:amd64 4.2.0-2+deb8u1 amd64 contains the TLS kamailio transport module

root@debian-jessie-plain:/etc/kamailio# systemctl status kamailio -l
● kamailio.service - LSB: Start the Kamailio SIP proxy server
   Loaded: loaded (/etc/init.d/kamailio)
   Active: active (exited) since Wed 2016-09-07 11:36:47 CEST; 44s ago
  Process: 16399 ExecStop=/etc/init.d/kamailio stop (code=exited, status=0/SUCCESS)
  Process: 16410 ExecStart=/etc/init.d/kamailio start (code=exited, status=0/SUCCESS)

Sep 07 11:36:47 debian-jessie-plain kamailio[16410]: udp: localhost:5060
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: rr [../outbound/api.h:54]: ob_load_api(): Failed to import bind_ob
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: rr [rr_mod.c:160]: mod_init(): outbound module not available
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: usrloc [hslot.c:53]: ul_init_locks(): locks array size 1024
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: tls [tls_mod.c:346]: mod_init(): With ECDH-Support!
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: INFO: tls [tls_mod.c:349]: mod_init(): With Diffie Hellman
Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: : tls [tls_init.c:515]: init_tls_h(): ERROR: tls: init_tls_h: installed openssl library version is too different from the library the ser tls module was compiled with: installed "OpenSSL 1.0.1t 3 May 2016" (0x1000114f), compiled "OpenSSL 1.0.1k 8 Jan 2015" (0x100010bf).
Please make sure a compatible version is used (tls_force_run in ser.cfg will override this check) Sep 07 11:36:47 debian-jessie-plain /usr/sbin/kamailio[16426]: CRITICAL: [main.c:2521]: main(): could not initialize tls, exiting... Sep 07 11:36:47 debian-jessie-plain kamailio[16410]: already running ... failed! Sep 07 11:36:47 debian-jessie-plain kamailio[16410]: . $ dpkg -l | grep openssl ii libgnutls-openssl27:amd64 3.3.8-6+deb8u3 amd64 GNU TLS library - OpenSSL wrapper ii openssl1.0.1k-3+deb8u5 amd64 Secure Sockets Layer toolkit - cryptographic utility After: $ dpkg -l | grep kamailio ii kamailio 4.2.0-2+deb8u2 amd64 very fast and configurable SIP proxy ii kamailio-tls-modules:amd64 4.2.0-2+deb8u2 amd64 contains the TLS kamailio transport module $ systemctl status kamailio -l ● kamailio.service - LSB: Start the Kamailio SIP proxy server Loaded: loaded (/etc/init.d/kamailio) Active: active (running) since Wed 2016-09-07 11:45:11 CEST; 7s ago CGroup: /system.slice/kamailio.service Installing previous openssl version has no effect, so fix works properly diff -Nru kamailio-4.2.0/debian/changelog kamailio-4.2.0/debian/changelog --- kamailio-4.2.0/debian/changelog 2016-03-21 00:24:40.0 +0100 +++ kamailio-4.2.0/debian/changelog 2016-09-07 10:00:32.0 +0200 @@ -1,3 +1,12 @@ +kamailio (4.2.0-2+deb8u2) stable-proposed-updates; urgency=medium + + * use my DD account \o/ + * add upstream fix for: +proper check of libssl versions used for compilation +and available on system (Closes: #833973) + + -- Victor Seva Wed, 07 Sep 2016 10:00:32 +0200 + kamailio (4.2.0-2+deb8u1) jessie-security; urgency=medium * CVE-2016-2385 diff -Nru kamailio-4.2.0/debian/control kamailio-4.2.0/debian/control --- kamailio-4.2.0/debian/control 2015-01-28 20:48:03.0 +0100 +++ kamailio-4.2.0/debian/control 2016-09-07 10:00:32.0 +0200 
@@ -2,7 +2,7 @@ Section: net Priority: optional Maintainer: Debian VoIP Team -Uploaders: Victor Seva , +Uploaders: Victor Seva , Tzafrir Cohen Build-Depends: bison, debhelper (>= 9), diff -Nru kamailio-4.2.0/debian/patches/fix_tls.patch kamailio-4.2.0/debian/patches/fix_tls.patch --- kamailio-4.2.0/debian/patches/fix_tls.patch 1970-01-01 01:00:00.0 +0100 +++ kamailio-4.2.0/debian/patches/fix_tls.patch 2016-09-07 10:00:32.0 +0200 @@ -0,0 +1,34 @@ +From 0a5f99b28d01d79cf2675df6d2a6220167e2476e Mon Sep 17 00:00:00 2001 +From: Daniel-Constantin Mierla +Date: Tue, 7 Jun 2016 15:21:06 +0200 +Subject: [PATCH] tls: proper check of libssl versions used for compilation and + available on system
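Review bot: the Uploaders change in the debian/control hunk, logged in debian/changelog as "use my DD account \o/", is unrelated to the TLS fix that motivates this stable-proposed-updates upload. Either drop it from this upload or call it out explicitly in the request, so the debdiff under review contains only the libssl version-check change plus what the release team has knowingly accepted.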
Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1
Control: tags -1 + moreinfo

On 2016-09-07 8:14, Victor Seva wrote:
> kamailio in jessie has a bug described at #833973 that makes it impossible to use
> TLS with kamailio without downgrading openssl.
>
> The issue was reported by me [0] to upstream and a fix was merged [1].
>
> I would like to push this fix to jessie.

Thanks for caring about fixing this in jessie.

In order to okay an upload, however, we'd need to see a source debdiff for the proposed package, built and tested on a jessie system.

Regards,

Adam
Bug#836910: jessie-pu: package kamailio/4.2.0-2+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

kamailio in jessie has a bug described at #833973 that makes it impossible to use TLS with kamailio without downgrading openssl.

The issue was reported by me [0] to upstream and a fix was merged [1].

I would like to push this fix to jessie.

Victor

[0] https://github.com/kamailio/kamailio/issues/662
[1] https://github.com/kamailio/kamailio/commit/0a5f99b28d01d79cf2675df6d2a6220167e2476e

-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)