Package: release.debian.org
Severity: normal
Tags: stable
User: release.debian....@packages.debian.org
Usertags: pu

Dear stable release managers,

Please consider lastpass-cli (1.0.0-1.2+deb9u1) for stable:

  lastpass-cli (1.0.0-1.2+deb9u1) stable; urgency=medium

    * Backport hardcoded certificate pins from lastpass-cli 1.3.1 to reflect
      changes in hosted Lastpass.com service. (Closes: #898940)
    * Add missing ca-certificates to Depends.

The full diff is attached.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

diff --git a/debian/changelog b/debian/changelog index a49b342..3283985 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +lastpass-cli (1.0.0-1.2+deb9u1) stable; urgency=medium + + * Backport hardcoded certificate pins from lastpass-cli 1.3.1 to reflect + changes in hosted Lastpass.com service. (Closes: #898940) + * Add missing ca-certificates to Depends. + + -- Chris Lamb <la...@debian.org> Wed, 24 Oct 2018 10:40:01 -0400 + lastpass-cli (1.0.0-1.2) unstable; urgency=medium * Non-maintainer upload. diff --git a/debian/control b/debian/control index 5d13597..64c4ed5 100644 --- a/debian/control +++ b/debian/control @@ -7,7 +7,7 @@ Standards-Version: 3.9.8.0 Package: lastpass-cli Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, binutils +Depends: ${shlibs:Depends}, ${misc:Depends}, binutils, ca-certificates Description: command line interface to LastPass.com This application is a command line interface to the LastPass.com services. It brings both better security and convenience by allowing you to access, add, diff --git a/debian/patches/0004-backport-hardcoded-certificate-pins-from-1.3.1.patch b/debian/patches/0004-backport-hardcoded-certificate-pins-from-1.3.1.patch new file mode 100644 index 0000000..60cab8d --- /dev/null +++ b/debian/patches/0004-backport-hardcoded-certificate-pins-from-1.3.1.patch 
@@ -0,0 +1,26 @@ +From: Chris Lamb <la...@debian.org> +Date: Wed, 24 Oct 2018 10:33:53 -0400 +Subject: Backport hardcoded certificate pins from lastpass 1.3.1 to reflect + changes in the hosted LastPass.com service. (Closes: #898940) + +--- + pins.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/pins.h b/pins.h +index e629b6f..7455574 100644 +--- a/pins.h ++++ b/pins.h +@@ -5,8 +5,12 @@ const char *PK_PINS[] = { + "HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY=", + /* current lastpass.eu primary (AddTrust) */ + "lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=", ++ /* future lastpass root CA (GlobalSign R1) */ ++ "K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=", + /* future lastpass root CA (GlobalSign R2) */ + "iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=", ++ /* future lastpass root CA (GlobalSign R3) */ ++ "cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A=", + /* future lastpass.com primary (leaf) */ + "0hkr5YW/WE6Nq5hNTcApxpuaiwlwy5HUFiOt3Qd9VBc=", + /* future lastpass.com backup (leaf) */ diff --git a/debian/patches/series b/debian/patches/series index 45a126b..1e88d92 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ 0001-cipher-support-opaque-EVP_CIPHER_CTX.patch 0002-cipher-drop-p8inf-broken-flag-check.patch 0003-pbkdf2-support-openssl-1.1.patch +0004-backport-hardcoded-certificate-pins-from-1.3.1.patch
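
Review bot: the header of debian/patches/0004-backport-hardcoded-certificate-pins-from-1.3.1.patch carries only From, Date and Subject, so the two new PK_PINS entries (GlobalSign R1 and R3) have no machine-readable provenance. Since the Subject says they are backported from 1.3.1, add DEP-3 Origin and Forwarded fields naming the upstream commit or release file they were copied from, so the base64 values can be compared against upstream pins.h before the upload is accepted. A mistyped pin fails closed for the affected chain, and a wrong but valid pin would widen what the client trusts, so the values are worth an independent check rather than trust in the diff alone. The added comments also still read "future lastpass root CA" while the changelog says the pins reflect changes in the hosted service; if those roots are already in use, consider saying so in the patch description.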
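
Review bot: in the debian/control hunk, ca-certificates is appended to Depends, but the changelog line "Add missing ca-certificates to Depends" gives no bug reference and does not say what fails without it. For a stable update, a one-line reason in the changelog (for example, which connection or verification step needs the system CA bundle) would let the release team judge this change separately from the pin backport that closes #898940.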