Bug#723798: pu: package gajim/0.15.1-4
Control: tags -1 + pending

On Mon, 2013-09-23 at 21:08 +0100, Adam D. Barratt wrote:
> On Fri, 2013-09-20 at 08:45 +0200, Tanguy Ortolo wrote:
> > Julien Cristau, 2013-09-19 23:48+0200:
> > > The debdiff should be in this bug, please.
> >
> > Sorry, I thought I did it. Here it is.
>
> Thanks. In general we'd prefer 0.15.1-4+deb7u1 as a version number, but please go ahead.

It was uploaded, and I've flagged it for acceptance.

Regards,

Adam

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1380062017.20484.14.ca...@jacala.jungle.funky-badger.org
Processed: Re: Bug#723798: pu: package gajim/0.15.1-4
Processing control commands:

> tags -1 + pending
Bug #723798 [release.debian.org] pu: package gajim/0.15.1-4
Added tag(s) pending.

--
723798: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#723798: pu: package gajim/0.15.1-4
package gajim
fixed 693282 0.15.4-1
thanks

Adam D. Barratt, 2013-09-19 23:08+0100:
> If http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693282#50 is correct and the bug is already fixed in unstable, please also add an appropriate fixed version.

Indeed. I have just checked: the changes that fix it are included in upstream release 0.15.4.

--
Tanguy Ortolo xmpp:tan...@ortolo.eu
Debian Developer irc://irc.oftc.net/Tanguy
Bug#723798: pu: package gajim/0.15.1-4
Cyril Brulebois, 2013-09-23 05:14+0200:
> Also, one can wonder why urgency is high for an upload prepared in April, and not going through security channels.

I was not maintaining this package at that time, and I just took the proposed NMU, thinking that urgency was relevant. If it is not, I can change it, no problem.

Librement,

--
Tanguy Ortolo xmpp:tan...@ortolo.eu
Debian Developer irc://irc.oftc.net/Tanguy
Processed: Re: Bug#723798: pu: package gajim/0.15.1-4
Processing control commands:

> tags -1 + confirmed
Bug #723798 [release.debian.org] pu: package gajim/0.15.1-4
Added tag(s) confirmed.
Bug#723798: pu: package gajim/0.15.1-4
Adam D. Barratt a...@adam-barratt.org.uk (2013-09-19):
> If http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693282#50 is correct and the bug is already fixed in unstable, please also add an appropriate fixed version.

Ping?

Also, one can wonder why urgency is high for an upload prepared in April, and not going through security channels.

Mraw,
KiBi.
Bug#723798: pu: package gajim/0.15.1-4
Julien Cristau, 2013-09-19 23:48+0200: The debdiff should be in this bug, please. Sorry, I thought I did it. Here it is. -- ,--. : /` ) Tanguy Ortolo xmpp:tan...@ortolo.eu | `-'Debian Developer irc://irc.oftc.net/Tanguy \_ diff -u gajim-0.15.1/debian/changelog gajim-0.15.1/debian/changelog --- gajim-0.15.1/debian/changelog +++ gajim-0.15.1/debian/changelog @@ -1,3 +1,14 @@ +gajim (0.15.1-4.1) stable; urgency=high + + * Non-maintainer upload by the Security Team. + * debian/patches: +- 02_fix-cert-validation.diff added, fix certificate validation + (CVE-2012-5524) closes: #693282 +- 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added, + improve SSL/TLS handling. + + -- Yves-Alexis Perez cor...@debian.org Wed, 17 Apr 2013 22:22:30 +0200 + gajim (0.15.1-4) unstable; urgency=low * apply patches using dpatch in debian/rules diff -u gajim-0.15.1/debian/patches/00list gajim-0.15.1/debian/patches/00list --- gajim-0.15.1/debian/patches/00list +++ gajim-0.15.1/debian/patches/00list @@ -2,0 +3,3 @@ +02_fix-cert-validation.diff +03_correctly-get-SSL-certificate.diff +04_store-all-ssl-errors.diff only in patch2: unchanged: --- gajim-0.15.1.orig/debian/patches/04_store-all-ssl-errors.diff +++ gajim-0.15.1/debian/patches/04_store-all-ssl-errors.diff 
@@ -0,0 +1,64 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 04_store-all-ssl-errors.diff by aste...@lagaule.org +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: store all SSL errors +# +# Description: store all SSL errors +# Author: Yann Leboulanger aste...@lagaule.org +# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0 +# Last-Update: 2013-04-17 +# HG changeset patch +# User Yann Leboulanger aste...@lagaule.org +# Date 1360768361 -3600 +# Node ID d34a996f87b81afe6dc60d04d0141c39fa3d3595 +# Parent 385f8a1fad668fbcd1d9bee10f61531a8ca7d890 + +@DPATCH@ + +diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/tls_nb.py +--- a/src/common/xmpp/tls_nb.pyWed Feb 13 16:10:44 2013 +0100 b/src/common/xmpp/tls_nb.pyWed Feb 13 16:12:41 2013 +0100 +@@ -393,7 +393,7 @@ + flags |= 16384 + tcpsock._sslContext.set_options(flags) + +-tcpsock.ssl_errnum = 0 ++tcpsock.ssl_errnum = [0] + tcpsock._sslContext.set_verify(OpenSSL.SSL.VERIFY_PEER, + self._ssl_verify_callback) + try: +@@ -449,11 +449,11 @@ + def _ssl_verify_callback(self, sslconn, cert, errnum, depth, ok): + # Exceptions can't propagate up through this callback, so print them here. 
+ try: +-self._owner.ssl_fingerprint_sha1 = cert.digest('sha1') +-self._owner.ssl_certificate = cert +-self._owner.ssl_errnum = errnum +-self._owner.ssl_cert_pem = OpenSSL.crypto.dump_certificate( +-OpenSSL.crypto.FILETYPE_PEM, cert) ++self._owner.ssl_fingerprint_sha1.append(cert.digest('sha1')) ++self._owner.ssl_certificate.append(cert) ++self._owner.ssl_errnum.append(errnum) ++self._owner.ssl_cert_pem.append(OpenSSL.crypto.dump_certificate( ++OpenSSL.crypto.FILETYPE_PEM, cert)) + return True + except: + log.error(Exception caught in _ssl_info_callback:, exc_info=True) +diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/transports_nb.py +--- a/src/common/xmpp/transports_nb.py Wed Feb 13 16:10:44 2013 +0100 b/src/common/xmpp/transports_nb.py Wed Feb 13 16:12:41 2013 +0100 +@@ -311,6 +311,12 @@ + self.proxy_dict = proxy_dict + self.on_remote_disconnect = self.disconnect + ++# ssl variables ++self.ssl_fingerprint_sha1 = [] ++self.ssl_certificate = [] ++self.ssl_errnum = [] ++self.ssl_cert_pem = [] ++ + # FIXME: transport should not be aware xmpp + def start_disconnect(self): + NonBlockingTransport.start_disconnect(self) + only in patch2: unchanged: --- gajim-0.15.1.orig/debian/patches/02_fix-cert-validation.diff +++ gajim-0.15.1/debian/patches/02_fix-cert-validation.diff @@ -0,0 +1,84 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 02_fix-cert-validation.diff by aste...@lagaule.org +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: fix certificate validation +# +# Description: fix certificate validation +# Author: Yann Leboulanger aste...@lagaule.org +# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0 +# Last-Update: 2013-04-17 + +@DPATCH@ + +Index: gajim/src/common/connection.py +=== +--- gajim/src/common/connection.py (revision 14377) gajim/src/common/connection.py (revision 14379) +@@ -1312,19 +1312,22 @@ + errnum = con.Connection.ssl_errnum + except AttributeError: +-errnum = -1 # we
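Review bot: the new debian/changelog stanza, `gajim (0.15.1-4.1) stable; urgency=high`, does not use the version form the release team asked for in this bug (`0.15.1-4+deb7u1`), and `urgency=high` was already questioned in the thread for an upload prepared in April that goes through a point release rather than the security archive; consider renaming the version and lowering the urgency, and rewording "Non-maintainer upload by the Security Team" since the upload is now a stable update sponsored via release.debian.org, not a DSA.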
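Review bot: in 04_store-all-ssl-errors.diff the two initialisations of the error list disagree: tls_nb.py sets `tcpsock.ssl_errnum = [0]` just before `set_verify(OpenSSL.SSL.VERIFY_PEER, ...)`, while transports_nb.py initialises `self.ssl_errnum = []` alongside `ssl_fingerprint_sha1`, `ssl_certificate` and `ssl_cert_pem`; since `_ssl_verify_callback` appends one entry per certificate to each of the four lists, `ssl_errnum` ends up one element longer than the other three, so any code reading them in parallel will be off by one. Pick one form (`[]` matches the other three fields). Also worth stating for whoever consumes these lists: the callback still returns True for every certificate regardless of `ok`, so this patch records verification errors rather than rejecting them, and the actual enforcement has to happen where `ssl_errnum` is read. Minor: the `Origin:` header gives `https://trac.gajim.org/changeset/1d8caae49a31`, the same URL as 02_fix-cert-validation.diff, while the embedded HG header names node `d34a996f87b8`, and the `log.error` message says `_ssl_info_callback` although the function is `_ssl_verify_callback`.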
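Review bot: the connection.py hunk of 02_fix-cert-validation.diff is cut off in the debdiff as posted, right after `errnum = con.Connection.ssl_errnum` / `-errnum = -1`, so the code that actually decides whether a certificate with verification errors is rejected cannot be reviewed from this bug; please attach the complete debdiff. When checking it, note that 04 turns `ssl_errnum` from a single int into a list, so whatever replaces the old `-1` default and the comparison that follows must iterate over the list rather than treat it as one error code, otherwise the CVE-2012-5524 fix and the "store all SSL errors" change will not compose.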
Bug#723798: pu: package gajim/0.15.1-4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hello,

The version of gajim currently in stable, 0.15.1-4, has a security bug, CVE-2012-5524 / Debian #693282. corsac has prepared an NMU for that, and it was suggested that I upload it for a point release. The resulting package version, 0.15.1-4.1, is available there, with a debdiff and everything: http://tanguy.ortolo.eu/deb/gajim/

Can I go ahead and upload it?

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#723798: pu: package gajim/0.15.1-4
On Thu, Sep 19, 2013 at 23:32:03 +0200, Tanguy Ortolo wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hello,
>
> The version of gajim currently in stable, 0.15.1-4, has a security bug, CVE-2012-5524 / Debian #693282. corsac has prepared an NMU for that, and it was suggested that I upload it for a point release. The resulting package version, 0.15.1-4.1, is available there, with a debdiff and everything: http://tanguy.ortolo.eu/deb/gajim/
>
> Can I go ahead and upload it?

The debdiff should be in this bug, please.

Cheers,
Julien
Bug#723798: pu: package gajim/0.15.1-4
On Thu, 2013-09-19 at 23:48 +0200, Julien Cristau wrote:
> On Thu, Sep 19, 2013 at 23:32:03 +0200, Tanguy Ortolo wrote:
> > The version of gajim currently in stable, 0.15.1-4, has a security bug, CVE-2012-5524 / Debian #693282. corsac has prepared an NMU for that, and it was suggested that I upload it for a point release. The resulting package version, 0.15.1-4.1, is available there, with a debdiff and everything: http://tanguy.ortolo.eu/deb/gajim/
> >
> > Can I go ahead and upload it?
>
> The debdiff should be in this bug, please.

If http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693282#50 is correct and the bug is already fixed in unstable, please also add an appropriate fixed version.

Regards,

Adam