Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

The version in stable can't be used with TLS enabled due to #902452 with severity grave. If a user enables TLS, kamailio fails to start.

The upstream fix was included in version 4.4.6 [0]. The proposed update only includes that fix.

[0] https://github.com/kamailio/kamailio/commit/406c02f7b76ada56d6e1f73e763fecb05c1f51c5

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru kamailio-4.4.4/debian/changelog kamailio-4.4.4/debian/changelog --- kamailio-4.4.4/debian/changelog 2018-09-07 23:15:42.000000000 +0200 +++ kamailio-4.4.4/debian/changelog 2018-12-31 10:28:23.000000000 +0100 @@ -1,3 +1,10 @@ +kamailio (4.4.4-2+deb9u4) stretch; urgency=medium + + * fix kerberos and zlib check (Closes: #902452) + so TLS can be used again via kamailio-tls-modules + + -- Victor Seva <vs...@debian.org> Mon, 31 Dec 2018 10:28:23 +0100 + kamailio (4.4.4-2+deb9u3) stretch-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru kamailio-4.4.4/debian/patches/series kamailio-4.4.4/debian/patches/series --- kamailio-4.4.4/debian/patches/series 2018-09-07 23:15:42.000000000 +0200 +++ kamailio-4.4.4/debian/patches/series 2018-12-31 10:28:23.000000000 +0100 @@ -3,6 +3,7 @@ upstream/0001-tmx-allocate-space-to-store-ending-0-for-branch-valu.patch upstream/0002-core-improve-to-header-check-guards-str-consists-of-.patch upstream/0001-core-improve-header-safe-guards-for-Via-handling.patch +upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch # no_lib64_on_64_bits.patch no_INSTALL_file.patch diff -Nru kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch --- kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch 1970-01-01 01:00:00.000000000 +0100 +++ kamailio-4.4.4/debian/patches/upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch 2018-12-31 10:28:23.000000000 +0100 
@@ -0,0 +1,57 @@ +From 406c02f7b76ada56d6e1f73e763fecb05c1f51c5 Mon Sep 17 00:00:00 2001 +From: Daniel-Constantin Mierla <mico...@gmail.com> +Date: Fri, 31 Mar 2017 12:56:52 +0200 +Subject: [PATCH] tls: do kerberos and zlib init checks only for libssl < 1.1.0 + +- using string matching inside libssl compile flags is no longer + reliable +- reported by GH #1050 + +(cherry picked from commit e59fa823b7b9513d3d1adb958d5e8ec055082d83) +(cherry picked from commit b12ac4ea9efae41b83a2664ea4f25b1d59bc2032) +--- + modules/tls/tls_init.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c +index af2d4c54e..133bc7fc8 100644 +--- a/modules/tls/tls_init.c ++++ b/modules/tls/tls_init.c +@@ -563,11 +563,13 @@ int init_tls_h(void) + { + /*struct socket_info* si;*/ + long ssl_version; ++#if OPENSSL_VERSION_NUMBER < 0x010100000L + int lib_kerberos; + int lib_zlib; + int kerberos_support; + int comp_support; + const char* lib_cflags; ++#endif + int low_mem_threshold1; + int low_mem_threshold2; + str tls_grp; +@@ -603,6 +605,10 @@ int init_tls_h(void) + else + return -1; /* safer to exit */ + } ++ ++/* check kerberos support using compile flags only for version < 1.1.0 */ ++#if OPENSSL_VERSION_NUMBER < 0x010100000L ++ + #ifdef TLS_KERBEROS_SUPPORT + kerberos_support=1; + #else +@@ -672,6 +678,9 @@ int init_tls_h(void) + " kerberos support will be disabled...\n"); + } + #endif ++ ++#endif /* libssl version < 1.1.0 (OPENSSL_VERSION_NUMBER < 0x010100000L) */ ++ + /* set free memory threshold for openssl bug #1491 workaround */ + low_mem_threshold1 = cfg_get(tls, tls_cfg, low_mem_threshold1); + low_mem_threshold2 = cfg_get(tls, tls_cfg, low_mem_threshold2); +-- +2.19.2 +
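
Review bot: In the debian/changelog hunk, the new 4.4.4-2+deb9u4 entry says only "fix kerberos and zlib check" and does not name the patch it adds or the upstream commit it comes from. Suggest citing upstream/0001-tls-do-kerberos-and-zlib-init-checks-only-for-libssl.patch and commit 406c02f7b76ada56d6e1f73e763fecb05c1f51c5 in the entry, so the stable update can be traced from the changelog alone.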
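
Review bot: In the modules/tls/tls_init.c hunk at @@ -563, the declarations of lib_kerberos, lib_zlib, kerberos_support, comp_support and lib_cflags now exist only when OPENSSL_VERSION_NUMBER < 0x010100000L, so every use of them has to sit inside the guarded region opened at @@ -603 and closed at @@ -672. The lines between those two hunks are not shown in this diff; please confirm with a build against both a pre-1.1.0 and a 1.1.0 libssl that nothing outside the guard still references them and that no unused-variable warning appears in either configuration.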
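
Review bot: In the modules/tls/tls_init.c hunk at @@ -603, the guard constant 0x010100000L is written with nine hex digits (the same spelling is used at @@ -563 and in the closing comment at @@ -672). It evaluates to the same value as 0x10100000L, but the extra leading zero is easy to misread against OpenSSL's eight-digit version encoding. Suggest writing the guard as "#if OPENSSL_VERSION_NUMBER < 0x10100000L" in all three places.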
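
Review bot: In the modules/tls/tls_init.c hunk at @@ -672, the new #endif closes the guard with no #else branch, so on libssl 1.1.0 and later the kerberos and zlib consistency checks are skipped without any log line. The decision is also taken at compile time from OPENSSL_VERSION_NUMBER, which reflects the headers the module was built against. Suggest a short debug-level message in an #else branch stating that the checks are not performed for this libssl version, and a comment noting that the guard follows the build-time headers.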