Bug#917880: stretch-pu: package kamailio/4.4.4-2+deb9u3

[Adam D. Barratt]

On Tue, 2019-08-20 at 23:09 +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Mon, 2018-12-31 at 11:22 +0100, Victor Seva wrote:
> > version in stable can't be used with TLS enabled due to #902452
> > with
> > severity grave. If user enables TLS kamailio fails to start.
> > 
> 
> Apologies for the delay in getting back to you.
> 
> Is the result of the patch that kamaillo assumes that Kerberos is
> always OK with newer OpenSSL versions, or the reverse?
> 

Ping? We're starting to plan for the final point release for stretch.

Regards,

Adam

Bug#917880: stretch-pu: package kamailio/4.4.4-2+deb9u3

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Mon, 2018-12-31 at 11:22 +0100, Victor Seva wrote:
> version in stable can't be used with TLS enabled due to #902452 with
> severity grave. If user enables TLS kamailio fails to start.
> 

Apologies for the delay in getting back to you.

Is the result of the patch that kamaillo assumes that Kerberos is
always OK with newer OpenSSL versions, or the reverse?

Regards,

Adam

Bug#917880: stretch-pu: package kamailio/4.4.4-2+deb9u3

[Victor Seva]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

version in stable can't be used with TLS enabled due to #902452 with
severity grave. If user enables TLS kamailio fails to start.

Upstream fix was included on 4.4.6 version[0]. Proposed update only include 
that fix.

[0] 
https://github.com/kamailio/kamailio/commit/406c02f7b76ada56d6e1f73e763fecb05c1f51c5

- -- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEjxnK3NQqQtRVY3MMUaCbGM9aUGgFAlwp7dUACgkQUaCbGM9a
UGj1SBAAmh+N9LaAj/MNe/X1R1bjFLnYQC8JNxn+zJ9q69MUpOUXqPuSVfqn7G7V
wsRhNW1498bVLu5rATfm4zxxzcaWF+TjsVzfjGye3NDBWQ1N3ukb/t8t0BtecYgw
m/rEMF+ekE8w1x0w/NlAqlsbIYr7elQomx31HaS6vCac0a2sxqJ5T5U6G2s1j5fR
zmeKOkjwlvrWdg7/Ad/MwJj7SkpZiqGzEEK7bwe/wBvxg5FE7mGbfYXe4QH9TA6c
ssVLWjQ26juJ5U7cCJhrA/bh/n0uiMns+w6So7NWJ/VttgfKBAa48CnNHe+pYTn3
WbwMfa0oq9GnAXlph+/8xqzkJBDscxT5EeCflzpjP/5ilsFKiLfTWKdivTNSxW4a
+qU28etGpAfF4amz34xe9KAhLhGcnwHEPSgNCgjzjWtgmk9Mf59Whzm15Rs7n/1y
x/oDJbv7KOqoMpfz4/dvCPDJE2NrQruC9Y+SIRRO6Xzm1cWyPgxmrTknu+OPC44l
4EwF8Zupl84LC/lVuQ3SvT11Q65xo7cZe8APYfdqeJjqji8W9ErsJOKX6RMRtHgh
pQr0aSktlyrRdxAjwUZMeQ+WasNGnB47DB+gKEWvc2eSfKPLMrttPuFIf+9Z/9vK
vDUzx3ZdZItC5xqGEisS5aai7PEPz+k8749ZN3GetPDn/53fNf8=
=u1vf
-END PGP SIGNATURE-
diff -Nru kamailio-4.4.4/debian/changelog kamailio-4.4.4/debian/changelog
--- kamailio-4.4.4/debian/changelog 2018-09-07 23:15:42.0 +0200
+++ kamailio-4.4.4/debian/changelog 2018-12-31 10:28:23.0 +0100
@@ -1,3 +1,10 @@
+kamailio (4.4.4-2+deb9u4) stretch; urgency=medium
+
+  * fix kerberos and zlib check (Closes: #902452)
+so TLS can be used again via kamailio-tls-modules
+
+ -- Victor Seva   Mon, 31 Dec 2018 10:28:23 +0100
+
 kamailio (4.4.4-2+deb9u3) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru kamailio-4.4.4/debian/patches/series 
kamailio-4.4.4/debian/patches/series
--- kamailio-4.4.4/debian/patches/series2018-09-07 23:15:42.0 
+0200
+++ kamailio-4.4.4/debian/patches/series2018-12-31 10:28:23.0 
+0100
@@ -3,6 +3,7 @@
 upstream/0001-tmx-allocate-space-to-store-ending-0-for-branch-valu.patch
 upstream/0002-core-improve-to-header-check-guards-str-consists-of-.patch
 upstream/0001-core-improve-header-safe-guards-for-Via-handling.patch
+upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch
 #
 no_lib64_on_64_bits.patch
 no_INSTALL_file.patch
diff -Nru 
kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch
 
kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch
--- 
kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch
  1970-01-01 01:00:00.0 +0100
+++ 
kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch
  2018-12-31 10:28:23.0 +0100
@@ -0,0 +1,57 @@
+From 406c02f7b76ada56d6e1f73e763fecb05c1f51c5 Mon Sep 17 00:00:00 2001
+From: Daniel-Constantin Mierla 
+Date: Fri, 31 Mar 2017 12:56:52 +0200
+Subject: [PATCH] tls: do kerberos and zlib init checks only for libssl < 1.1.0
+
+- using string matching inside libssl compile flags is no longer
+  reliable
+- reported by GH #1050
+
+(cherry picked from commit e59fa823b7b9513d3d1adb958d5e8ec055082d83)
+(cherry picked from commit b12ac4ea9efae41b83a2664ea4f25b1d59bc2032)
+---
+ modules/tls/tls_init.c | 9 +
+ 1 file changed, 9 insertions(+)
+
+diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c
+index af2d4c54e..133bc7fc8 100644
+--- a/modules/tls/tls_init.c
 b/modules/tls/tls_init.c
+@@ -563,11 +563,13 @@ int init_tls_h(void)
+ {
+   /*struct socket_info* si;*/
+   long ssl_version;
++#if OPENSSL_VERSION_NUMBER < 0x01010L
+   int lib_kerberos;
+   int lib_zlib;
+   int kerberos_support;
+   int comp_support;
+   const char* lib_cflags;
++#endif
+   int low_mem_threshold1;
+   int low_mem_threshold2;
+   str tls_grp;
+@@ -603,6 +605,10 @@ int init_tls_h(void)
+   else
+   return -1; /* safer to exit */
+   }
++
++/* check kerberos support using compile flags only for version < 1.1.0 */
++#if OPENSSL_VERSION_NUMBER < 0x01010L
++
+ #ifdef TLS_KERBEROS_SUPPORT
+   kerberos_support=1;
+ #else
+@@ -672,6 +678,9 @@ int init_tls_h(void)
+   " kerberos support will be