Bug#723798: pu: package gajim/0.15.1-4

2013-09-24 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2013-09-23 at 21:08 +0100, Adam D. Barratt wrote:
> On Fri, 2013-09-20 at 08:45 +0200, Tanguy Ortolo wrote:
> > Julien Cristau, 2013-09-19 23:48+0200:
> > > The debdiff should be in this bug, please.
> >
> > Sorry, I thought I did it. Here it is.
>
> Thanks. In general we'd prefer 0.15.1-4+deb7u1 as a version number,
> but please go ahead.

It was uploaded, and I've flagged it for acceptance.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1380062017.20484.14.ca...@jacala.jungle.funky-badger.org



Processed: Re: Bug#723798: pu: package gajim/0.15.1-4

2013-09-24 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #723798 [release.debian.org] pu: package gajim/0.15.1-4
Added tag(s) pending.

-- 
723798: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#723798: pu: package gajim/0.15.1-4

2013-09-23 Thread Tanguy Ortolo

package gajim
fixed 693282 0.15.4-1
thanks

Adam D. Barratt, 2013-09-19 23:08+0100:

> If http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693282#50 is correct
> and the bug is already fixed in unstable, please also add an appropriate
> fixed version.


Indeed. I have just checked, the changes that fix it are included in 
upstream release 0.15.4.


--
 ,--.
: /` )   Tanguy Ortolo  xmpp:tan...@ortolo.eu
| `-'Debian Developer   irc://irc.oftc.net/Tanguy
 \_




Bug#723798: pu: package gajim/0.15.1-4

2013-09-23 Thread Tanguy Ortolo

Cyril Brulebois, 2013-09-23 05:14+0200:

> Also, one can wonder why urgency is high for an upload prepared in
> april, and not going through security channels.


I was not maintaining this package at that time, and I just took the 
proposed NMU, thinking that urgency was relevant. If it is not, I can 
change it, no problem.


Librement,

--
 ,--.
: /` )   Tanguy Ortolo  xmpp:tan...@ortolo.eu
| `-'Debian Developer   irc://irc.oftc.net/Tanguy
 \_




Processed: Re: Bug#723798: pu: package gajim/0.15.1-4

2013-09-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #723798 [release.debian.org] pu: package gajim/0.15.1-4
Added tag(s) confirmed.




Bug#723798: pu: package gajim/0.15.1-4

2013-09-22 Thread Cyril Brulebois
Adam D. Barratt <a...@adam-barratt.org.uk> (2013-09-19):
> If http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693282#50 is correct
> and the bug is already fixed in unstable, please also add an appropriate
> fixed version.

Ping?

Also, one can wonder why urgency is high for an upload prepared in
april, and not going through security channels.

Mraw,
KiBi.




Bug#723798: pu: package gajim/0.15.1-4

2013-09-20 Thread Tanguy Ortolo

Julien Cristau, 2013-09-19 23:48+0200:

> The debdiff should be in this bug, please.


Sorry, I thought I did it. Here it is.

--
  ,--.
: /` )   Tanguy Ortolo  xmpp:tan...@ortolo.eu
| `-'Debian Developer   irc://irc.oftc.net/Tanguy
  \_
diff -u gajim-0.15.1/debian/changelog gajim-0.15.1/debian/changelog
--- gajim-0.15.1/debian/changelog
+++ gajim-0.15.1/debian/changelog
@@ -1,3 +1,14 @@
+gajim (0.15.1-4.1) stable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * debian/patches:
+- 02_fix-cert-validation.diff added, fix certificate validation
+  (CVE-2012-5524)   closes: #693282
+- 03_correctly-get-SSL-certificate and 04_store-all-ssl-errors added,
+  improve SSL/TLS handling.
+
+ -- Yves-Alexis Perez cor...@debian.org  Wed, 17 Apr 2013 22:22:30 +0200
+
 gajim (0.15.1-4) unstable; urgency=low
 
   * apply patches using dpatch in debian/rules
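Review bot: The new stanza's version, `0.15.1-4.1` with distribution `stable`, is a plain NMU revision; for an upload to stable a suffix such as `0.15.1-4+deb7u1` (the form preferred in this thread) keeps it distinct from any NMU of 0.15.1-4 made elsewhere. `urgency=high` also deserves a second look for an entry dated 17 Apr 2013 that is going in through a point release, and `closes: #693282` should be separated from `(CVE-2012-5524)` by punctuation or put on its own line.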
diff -u gajim-0.15.1/debian/patches/00list gajim-0.15.1/debian/patches/00list
--- gajim-0.15.1/debian/patches/00list
+++ gajim-0.15.1/debian/patches/00list
@@ -2,0 +3,3 @@
+02_fix-cert-validation.diff
+03_correctly-get-SSL-certificate.diff
+04_store-all-ssl-errors.diff
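Review bot: `00list` now names three patch files, but only `04_store-all-ssl-errors.diff` and `02_fix-cert-validation.diff` appear in the part of the debdiff shown in this message; please confirm that `03_correctly-get-SSL-certificate.diff` is also added under debian/patches. Order matters as well: 04 changes the type of `ssl_errnum`, so check that the series applies and behaves correctly in the listed order 02, 03, 04.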
only in patch2:
unchanged:
--- gajim-0.15.1.orig/debian/patches/04_store-all-ssl-errors.diff
+++ gajim-0.15.1/debian/patches/04_store-all-ssl-errors.diff
@@ -0,0 +1,64 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_store-all-ssl-errors.diff by aste...@lagaule.org
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: store all SSL errors
+#
+# Description: store all SSL errors
+# Author: Yann Leboulanger aste...@lagaule.org
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# Last-Update: 2013-04-17
+# HG changeset patch
+# User Yann Leboulanger aste...@lagaule.org
+# Date 1360768361 -3600
+# Node ID d34a996f87b81afe6dc60d04d0141c39fa3d3595
+# Parent  385f8a1fad668fbcd1d9bee10f61531a8ca7d890
+
+@DPATCH@
+
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/tls_nb.py
+--- a/src/common/xmpp/tls_nb.pyWed Feb 13 16:10:44 2013 +0100
 b/src/common/xmpp/tls_nb.pyWed Feb 13 16:12:41 2013 +0100
+@@ -393,7 +393,7 @@
+ flags |= 16384
+ tcpsock._sslContext.set_options(flags)
+ 
+-tcpsock.ssl_errnum = 0
++tcpsock.ssl_errnum = [0]
+ tcpsock._sslContext.set_verify(OpenSSL.SSL.VERIFY_PEER,
+ self._ssl_verify_callback)
+ try:
+@@ -449,11 +449,11 @@
+ def _ssl_verify_callback(self, sslconn, cert, errnum, depth, ok):
+ # Exceptions can't propagate up through this callback, so print them 
here.
+ try:
+-self._owner.ssl_fingerprint_sha1 = cert.digest('sha1')
+-self._owner.ssl_certificate = cert
+-self._owner.ssl_errnum = errnum
+-self._owner.ssl_cert_pem = OpenSSL.crypto.dump_certificate(
+-OpenSSL.crypto.FILETYPE_PEM, cert)
++self._owner.ssl_fingerprint_sha1.append(cert.digest('sha1'))
++self._owner.ssl_certificate.append(cert)
++self._owner.ssl_errnum.append(errnum)
++self._owner.ssl_cert_pem.append(OpenSSL.crypto.dump_certificate(
++OpenSSL.crypto.FILETYPE_PEM, cert))
+ return True
+ except:
+ log.error(Exception caught in _ssl_info_callback:, 
exc_info=True)
+diff -r 385f8a1fad66 -r d34a996f87b8 src/common/xmpp/transports_nb.py
+--- a/src/common/xmpp/transports_nb.py Wed Feb 13 16:10:44 2013 +0100
 b/src/common/xmpp/transports_nb.py Wed Feb 13 16:12:41 2013 +0100
+@@ -311,6 +311,12 @@
+ self.proxy_dict = proxy_dict
+ self.on_remote_disconnect = self.disconnect
+ 
++# ssl variables
++self.ssl_fingerprint_sha1 = []
++self.ssl_certificate = []
++self.ssl_errnum = []
++self.ssl_cert_pem = []
++
+ # FIXME: transport should not be aware xmpp
+ def start_disconnect(self):
+ NonBlockingTransport.start_disconnect(self)
+
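Review bot: In the `_ssl_verify_callback` hunk, `ssl_errnum` and its three sibling attributes change from a single value to a list, so every reader of these attributes has to change in the same upload; code that still compares `ssl_errnum` with an integer will silently misjudge the verification result. The callback returns True for each certificate it records, so these lists are what later code has to rely on. The initial values differ between the two files: tls_nb.py sets `tcpsock.ssl_errnum = [0]` while transports_nb.py sets `self.ssl_errnum = []`; pick one convention, and say whether the lists are cleared on reconnect, since the transports_nb.py hunk initialises them once next to `self.proxy_dict`. The four `append` calls share one `try` with a bare `except:`, so an exception part-way through leaves the lists with different lengths; computing all four values first and appending afterwards would keep them aligned. The `Origin:` header cites changeset 1d8caae49a31 while the HG header gives Node ID d34a996f87b8...; one of the two should be corrected.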
only in patch2:
unchanged:
--- gajim-0.15.1.orig/debian/patches/02_fix-cert-validation.diff
+++ gajim-0.15.1/debian/patches/02_fix-cert-validation.diff
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02_fix-cert-validation.diff by aste...@lagaule.org
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix certificate validation
+#
+# Description: fix certificate validation
+# Author: Yann Leboulanger aste...@lagaule.org
+# Origin: upstream,https://trac.gajim.org/changeset/1d8caae49a31#file0
+# Last-Update: 2013-04-17
+
+@DPATCH@
+
+Index: gajim/src/common/connection.py
+===
+--- gajim/src/common/connection.py (revision 14377)
 gajim/src/common/connection.py (revision 14379)
+@@ -1312,19 +1312,22 @@
+ errnum = con.Connection.ssl_errnum
+ except AttributeError:
+-errnum = -1 # we 
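Review bot: The `Origin:` header of this patch is the same URL as in 04_store-all-ssl-errors.diff (`https://trac.gajim.org/changeset/1d8caae49a31#file0`), although the body is a diff of connection.py between revisions 14377 and 14379; each patch should point to its own upstream change. In the connection.py hunk, `errnum = con.Connection.ssl_errnum` receives whatever type that attribute has once 04 is applied, so the comparison that follows needs checking against the list form. The hunk is cut off after the removed `errnum = -1` line in this message, so that part cannot be reviewed here.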

Bug#723798: pu: package gajim/0.15.1-4

2013-09-19 Thread Tanguy Ortolo
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hello,

The version of gajim currently in stable, 0.15.1-4, has a security bug,
CVE-2012-5524 / Debian #693282. corsac has prepared an NMU for that, and I was
suggested to upload it for a point release.

The resulting package version, 0.15.1-4.1, is available there, with a debdiff
and everything:
http://tanguy.ortolo.eu/deb/gajim/

Can I go ahead and upload it?

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Bug#723798: pu: package gajim/0.15.1-4

2013-09-19 Thread Julien Cristau
On Thu, Sep 19, 2013 at 23:32:03 +0200, Tanguy Ortolo wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hello,
>
> The version of gajim currently in stable, 0.15.1-4, has a security bug,
> CVE-2012-5524 / Debian #693282. corsac has prepared an NMU for that, and I was
> suggested to upload it for a point release.
>
> The resulting package version, 0.15.1-4.1, is available there, with a debdiff
> and everything:
> http://tanguy.ortolo.eu/deb/gajim/
>
> Can I go ahead and upload it?
>
The debdiff should be in this bug, please.

Cheers,
Julien




Bug#723798: pu: package gajim/0.15.1-4

2013-09-19 Thread Adam D. Barratt
On Thu, 2013-09-19 at 23:48 +0200, Julien Cristau wrote:
> On Thu, Sep 19, 2013 at 23:32:03 +0200, Tanguy Ortolo wrote:
> > The version of gajim currently in stable, 0.15.1-4, has a security bug,
> > CVE-2012-5524 / Debian #693282. corsac has prepared an NMU for that, and I was
> > suggested to upload it for a point release.
> >
> > The resulting package version, 0.15.1-4.1, is available there, with a debdiff
> > and everything:
> > http://tanguy.ortolo.eu/deb/gajim/
> >
> > Can I go ahead and upload it?
> >
> The debdiff should be in this bug, please.

If http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693282#50 is correct
and the bug is already fixed in unstable, please also add an appropriate
fixed version.

Regards,

Adam

