Bug#855432: unblock: openssl/1.1.0e-1

2017-02-28 Thread Cyril Brulebois
Cyril Brulebois  (2017-02-21):
> I think that should work, yes. Please let me know when that's happened,
> and I'll do the testing as soon as possible.

This has happened, and building a netboot-gtk image with stretch udebs
and with p-u enabled got me a 1.18-4.1 version of the wget-udeb package,
with the following changes:

+libcrypto1.1-udeb
-libssl1.0.2-udeb
+libssl1.1-udeb

I've successfully tested a full installation over https, so I think it's
fine to accept wget from tpu.


KiBi.


signature.asc
Description: Digital signature


Bug#855432: unblock: openssl/1.1.0e-1

2017-02-20 Thread Cyril Brulebois
Niels Thykier  (2017-02-20):
> I did and I agree on the testing part.  Would a "no-change rebuild" tpu
> upload of wget be a solution for you?  That should ensure we control
> when the wget change migrates to testing (which is somewhat more
> difficult with binNMUs).

I think that should work, yes. Please let me know when that's happened,
and I'll do the testing as soon as possible.


KiBi.




Bug#855432: unblock: openssl/1.1.0e-1

2017-02-19 Thread Niels Thykier
Cyril Brulebois:
> Niels Thykier  (2017-02-19):
>> [...]
> 
> Hrm. You mentioned on IRC you were pondering possibly rebuilding wget
> against 1.1 for stretch; if that happens, this needs d-i testing…
> 
> 
> KiBi.
> 

I did and I agree on the testing part.  Would a "no-change rebuild" tpu
upload of wget be a solution for you?  That should ensure we control
when the wget change migrates to testing (which is somewhat more
difficult with binNMUs).

Thanks,
~Niels



Bug#855432: unblock: openssl/1.1.0e-1

2017-02-19 Thread Cyril Brulebois
Niels Thykier  (2017-02-19):
> Cyril Brulebois:
> > We have this right now:
> > 
> > wget-udeb  | 1.18-4   | testing  → built against 1.0.2
> > wget-udeb  | 1.19.1-1 | unstable → built against 1.1
> > 
> > If we're not getting a newer wget for stretch (at least I didn't find
> > anything wget-related relevant for stretch in my debian-release folder),
> > I can't think of another libssl user for d-i, which seems confirmed by
> > looking at libssl*-udeb rdepends in sid.
> > 
> > Unless I'm missing something obvious: no objections.
> 
> Unblocked, thanks.

Hrm. You mentioned on IRC you were pondering possibly rebuilding wget
against 1.1 for stretch; if that happens, this needs d-i testing…


KiBi.




Bug#855432: unblock: openssl/1.1.0e-1

2017-02-19 Thread Kurt Roeckx
On Sun, Feb 19, 2017 at 07:33:20AM +0100, Cyril Brulebois wrote:
> Kurt Roeckx  (2017-02-18):
> > On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> > > How soon do you want to see this package in testing? Given I've just
> > > fixed a few things related to https support in d-i, it would be nice if
> > > I were able to perform a full test with https here, making sure we don't
> > > hit a regression there. If a reply this Sunday is sufficient, I can do
> > > that.
> 
> We have this right now:
> 
> wget-udeb  | 1.18-4   | testing  → built against 1.0.2
> wget-udeb  | 1.19.1-1 | unstable → built against 1.1
> 
> If we're not getting a newer wget for stretch (at least I didn't find
> anything wget-related relevant for stretch in my debian-release folder),
> I can't think of another libssl user for d-i, which seems confirmed by
> looking at libssl*-udeb rdepends in sid.
> 
> Unless I'm missing something obvious: no objections.

Can someone please also change the age to 2 days?


Kurt



Bug#855432: unblock: openssl/1.1.0e-1

2017-02-18 Thread Cyril Brulebois
Kurt Roeckx  (2017-02-18):
> On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> > How soon do you want to see this package in testing? Given I've just
> > fixed a few things related to https support in d-i, it would be nice if
> > I were able to perform a full test with https here, making sure we don't
> > hit a regression there. If a reply this Sunday is sufficient, I can do
> > that.

We have this right now:

wget-udeb  | 1.18-4   | testing  → built against 1.0.2
wget-udeb  | 1.19.1-1 | unstable → built against 1.1

If we're not getting a newer wget for stretch (at least I didn't find
anything wget-related relevant for stretch in my debian-release folder),
I can't think of another libssl user for d-i, which seems confirmed by
looking at libssl*-udeb rdepends in sid.

Unless I'm missing something obvious: no objections.


KiBi.




Bug#855432: unblock: openssl/1.1.0e-1

2017-02-18 Thread Kurt Roeckx
On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> Hi,
> 
> Niels Thykier  (2017-02-18):
> > Kurt Roeckx:
> > > Package: release.debian.org
> > > User: release.debian@packages.debian.org
> > > Usertags: unblock
> > > Severity: normal
> > > 
> > > Hi,
> > > 
> > > There was a new upstream release fixing a high severity security
> > > issue.
> > > 
> > > The changelog entry is:
> > > openssl (1.1.0e-1) unstable; urgency=high
> > > 
> > >   * New upstream version
> > > - Fixes CVE-2017-3733
> > > - Remove patches that are applied upstream.
> > > 
> > >  -- Kurt Roeckx   Thu, 16 Feb 2017 18:57:58 +0100
> > > 
> > > I've attached the full debdiff between the version in testing and
> > > unstable.
> > 
> > OK from here; KiBi, I need a d-i ack from you, please. :)
> 
> How soon do you want to see this package in testing? Given I've just
> fixed a few things related to https support in d-i, it would be nice if
> I were able to perform a full test with https here, making sure we don't
> hit a regression there. If a reply this Sunday is sufficient, I can do
> that.

Sunday / Monday is fine for me.


Kurt



Bug#855432: unblock: openssl/1.1.0e-1

2017-02-18 Thread Cyril Brulebois
Hi,

Niels Thykier  (2017-02-18):
> Kurt Roeckx:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > Severity: normal
> > 
> > Hi,
> > 
> > There was a new upstream release fixing a high severity security
> > issue.
> > 
> > The changelog entry is:
> > openssl (1.1.0e-1) unstable; urgency=high
> > 
> >   * New upstream version
> > - Fixes CVE-2017-3733
> > - Remove patches that are applied upstream.
> > 
> >  -- Kurt Roeckx   Thu, 16 Feb 2017 18:57:58 +0100
> > 
> > I've attached the full debdiff between the version in testing and
> > unstable.
> 
> OK from here; KiBi, I need a d-i ack from you, please. :)

How soon do you want to see this package in testing? Given I've just
fixed a few things related to https support in d-i, it would be nice if
I were able to perform a full test with https here, making sure we don't
hit a regression there. If a reply this Sunday is sufficient, I can do
that.


KiBi.




Bug#855432: unblock: openssl/1.1.0e-1

2017-02-18 Thread Niels Thykier
Kurt Roeckx:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
> 
> Hi,
> 
> There was a new upstream release fixing a high severity security
> issue.
> 
> The changelog entry is:
> openssl (1.1.0e-1) unstable; urgency=high
> 
>   * New upstream version
> - Fixes CVE-2017-3733
> - Remove patches that are applied upstream.
> 
>  -- Kurt Roeckx   Thu, 16 Feb 2017 18:57:58 +0100
> 
> I've attached the full debdiff between the version in testing and
> unstable.
> 
> 
> Kurt
> 

OK from here; KiBi, I need a d-i ack from you, please. :)

Thanks,
~Niels



Bug#855432: unblock: openssl/1.1.0e-1

2017-02-17 Thread Kurt Roeckx
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hi,

There was a new upstream release fixing a high severity security
issue.

The changelog entry is:
openssl (1.1.0e-1) unstable; urgency=high

  * New upstream version
- Fixes CVE-2017-3733
- Remove patches that are applied upstream.

 -- Kurt Roeckx   Thu, 16 Feb 2017 18:57:58 +0100

I've attached the full debdiff between the version in testing and
unstable.


Kurt

diff -Nru openssl-1.1.0d/apps/openssl.c openssl-1.1.0e/apps/openssl.c
--- openssl-1.1.0d/apps/openssl.c	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/apps/openssl.c	2017-02-16 12:58:20.0 +0100
@@ -58,7 +58,6 @@
 static void list_disabled(void);
 char *default_config_file = NULL;
 
-static CONF *config = NULL;
 BIO *bio_in = NULL;
 BIO *bio_out = NULL;
 BIO *bio_err = NULL;
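Review bot: dropping the file-scope `static CONF *config = NULL;` only builds cleanly if no other use of `config` remains in apps/openssl.c; the second hunk removes the `NCONF_free(config)` / `config = NULL` pair from the `end:` cleanup, but nothing in this hunk shows whether other references (for example a config-loading call earlier in main) still exist or now resolve to a definition elsewhere in apps/. Please confirm with a grep of apps/openssl.c for `config` and say in the changelog where the CONF object now lives.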
@@ -248,8 +247,6 @@
  end:
 OPENSSL_free(copied_argv);
 OPENSSL_free(default_config_file);
-NCONF_free(config);
-config = NULL;
 lh_FUNCTION_free(prog);
 OPENSSL_free(arg.argv);
 
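Review bot: with `NCONF_free(config);` removed from the `end:` cleanup, the configuration loaded by the openssl binary is no longer released at this point, so the change should state where the CONF is now owned and freed (a shared cleanup routine in apps/ or the library's own exit handlers); otherwise a double free has been traded for a leak. The `config = NULL;` after the free was a sound defensive pattern and is worth keeping wherever the free has moved.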
diff -Nru openssl-1.1.0d/apps/req.c openssl-1.1.0e/apps/req.c
--- openssl-1.1.0d/apps/req.c	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/apps/req.c	2017-02-16 12:58:20.0 +0100
@@ -121,7 +121,7 @@
 {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
  "Enable support for multivalued RDNs"},
 {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
-{"set_serial", OPT_SET_SERIAL, 'p', "Serial number to use"},
+{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
 {"extensions", OPT_EXTENSIONS, 's',
  "Cert extension section (override value in config file)"},
 {"reqexts", OPT_REQEXTS, 's',
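Review bot: changing the type of `set_serial` from `'p'` to `'s'` means the generic option parser no longer checks the argument as a positive integer, so the `OPT_SET_SERIAL` handler is now solely responsible for rejecting malformed, negative or overlong serials and for deciding whether hex input is accepted. Please confirm the handler converts through the ASN1_INTEGER string parser and fails on garbage rather than silently accepting it, and extend the help text `"Serial number to use"` to say which formats are accepted.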
diff -Nru openssl-1.1.0d/apps/s_cb.c openssl-1.1.0e/apps/s_cb.c
--- openssl-1.1.0d/apps/s_cb.c	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/apps/s_cb.c	2017-02-16 12:58:20.0 +0100
@@ -922,6 +922,7 @@
 BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog());
 goto err;
 }
+*pexc = exc;
 exc->certfile = opt_arg();
 break;
 case OPT_X_KEY:
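Review bot: the new `*pexc = exc;` sits after the `Error adding xcert` check, so on the failure path the caller's pointer is left untouched and `exc` stays owned by whatever `goto err` cleans up; that ordering is right, but the hunk does not show whether `*pexc` was previously assigned earlier in this function. If it was, that earlier assignment should go so the caller cannot be left holding a pointer to a freed `exc` when the add fails; if it was not, a one-line comment noting that the pointer is published only after a successful add would help the next reader.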
diff -Nru openssl-1.1.0d/apps/ts.c openssl-1.1.0e/apps/ts.c
--- openssl-1.1.0d/apps/ts.c	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/apps/ts.c	2017-02-16 12:58:20.0 +0100
@@ -890,9 +890,15 @@
 goto err;
 f = TS_VFY_VERSION | TS_VFY_SIGNER;
 if (data != NULL) {
+BIO *out = NULL;
+
 f |= TS_VFY_DATA;
-if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL)
+if ((out = BIO_new_file(data, "rb")) == NULL)
 goto err;
+if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) {
+BIO_free_all(out);
+goto err;
+}
 } else if (digest != NULL) {
 long imprint_len;
 unsigned char *hexstr = OPENSSL_hexstr2buf(digest, _len);
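Review bot: ownership is the thing to document here: the BIO returned by `BIO_new_file(data, "rb")` is freed only when `TS_VERIFY_CTX_set_data` fails, which is correct only if the setter takes ownership on success, so a short comment or a sentence in the commit message stating that would make the leak fix verifiable. Two smaller points: the variable is named `out` although it is the input data stream opened for reading (`in` or `data_bio` would read better), and the context line `OPENSSL_hexstr2buf(digest, _len)` looks garbled in this copy of the diff (presumably `&imprint_len`, given the declaration on the line above); worth checking the debdiff was transmitted intact.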
diff -Nru openssl-1.1.0d/CHANGES openssl-1.1.0e/CHANGES
--- openssl-1.1.0d/CHANGES	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/CHANGES	2017-02-16 12:58:20.0 +0100
@@ -2,6 +2,19 @@
  OpenSSL CHANGES
  ___
 
+ Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
+
+  *) Encrypt-Then-Mac renegotiation crash
+
+ During a renegotiation handshake if the Encrypt-Then-Mac extension is
+ negotiated where it was not in the original handshake (or vice-versa) then
+ this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
+ and servers are affected.
+
+ This issue was reported to OpenSSL by Joe Orton (Red Hat).
+ (CVE-2017-3733)
+ [Matt Caswell]
+
  Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
 
   *) Truncated packet could crash via OOB read
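Review bot: typo in the new entry: "dependant on ciphersuite" should read "dependent on ciphersuite". The entry also describes the CVE-2017-3733 crash only by its trigger (Encrypt-Then-Mac negotiated in a renegotiation but not the original handshake, or vice versa); naming the ciphersuite classes that are affected, or the condition under which the crash is reachable, would help distribution maintainers judge exposure without reading the fix.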
diff -Nru openssl-1.1.0d/Configurations/unix-Makefile.tmpl openssl-1.1.0e/Configurations/unix-Makefile.tmpl
--- openssl-1.1.0d/Configurations/unix-Makefile.tmpl	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl	2017-02-16 12:58:20.0 +0100
@@ -285,6 +285,7 @@
 	-$(RM) `find . -name '*{- $objext -}' -a \! -path "./.git/*"`
 	$(RM) core
 	$(RM) tags TAGS
+	$(RM) test/.rnd
 	$(RM) openssl.pc libcrypto.pc libssl.pc
 	-$(RM) `find . -type l -a \! -path "./.git/*"`
 	$(RM) $(TARFILE)
diff -Nru openssl-1.1.0d/crypto/aes/asm/aesv8-armx.pl openssl-1.1.0e/crypto/aes/asm/aesv8-armx.pl
--- openssl-1.1.0d/crypto/aes/asm/aesv8-armx.pl	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/crypto/aes/asm/aesv8-armx.pl	2017-02-16 12:58:20.0 +0100
@@ -59,9 +59,12 @@
 .text
 ___
 $code.=".arch	armv8-a+crypto\n"			if ($flavour =~ /64/);
-$code.=".arch	armv7-a\n.fpu	neon\n.code	32\n"	if ($flavour !~ /64/);
-		#^^ this is done to simplify adoption by not depending
-		#	on latest binutils.
+$code.=<<___		if ($flavour !~ /64/);
+.arch	armv7-a	// don't confuse not-so-latest binutils with argv8 :-)
+.fpu	neon
+.code	32
+#undef	__thumb2__
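Review bot: typo in the new assembler comment: `argv8` should be `armv8`. The hunk is also cut off in this copy right after `+#undef	__thumb2__`, so the closing `___` of the new heredoc and anything that follows it are not visible; please make sure the complete hunk is present in the debdiff before it is reviewed further.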