Bug#948653: stretch-pu: package mod-gnutls/0.8.2-3+deb9u1

Adrian Bunk Mon, 06 Jul 2020 15:04:07 -0700

Control: retitle -1 stretch-pu: package mod-gnutls/0.8.2-3+deb9u2
Control: tags -1 - pending


On Fri, Jul 03, 2020 at 06:57:55AM +0100, Adam D. Barratt wrote:
> Hi,

Hi Adam,

> On Fri, 2020-01-31 at 08:43 +0200, Adrian Bunk wrote:
> > Control: block -1 by 950300
> > 
> > On Tue, Jan 28, 2020 at 08:41:29AM +0000, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On 2020-01-11 10:34, Adrian Bunk wrote:
> > > >   * Avoid deprecated ciphersuites in test suite (Closes: #907008)
> > > > 
> > > > FTBFS, tests were broken by gnutls28 3.5.8-5+deb9u4.
> > > 
> > > Please go ahead.
> > 
> > The apache2 2.4.25-3+deb9u9 upgrade causes an unrelated FTBFS in 
> > mod-gnutls, which made 0.8.2-3+deb9u1 fail on the buildds.
> > 
> > Reported as #950300, this bug is present even in unstable.
> > 
> > Seems fixed in upstream 0.9.1.
> > 
> > I'll take care of this, but there is not enough time left to get
> > this fixed for the upcoming stretch point release - I won't do a 0-
> > day NMU  for a just reported FTBFS in unstable.
> 
> What's the status of this?

sorry for the delay, debdiff is attached.

> Regards,
> 
> Adam

cu
Adrian

diff -Nru mod-gnutls-0.8.2/debian/changelog mod-gnutls-0.8.2/debian/changelog
--- mod-gnutls-0.8.2/debian/changelog   2020-01-11 12:27:37.000000000 +0200
+++ mod-gnutls-0.8.2/debian/changelog   2020-07-07 00:29:59.000000000 +0300
@@ -1,3 +1,11 @@
+mod-gnutls (0.8.2-3+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Backported patches to fix test failures with the
+    apache CVE-2019-10092 fix. (Closes: #950300)
+
+ -- Adrian Bunk <b...@debian.org>  Tue, 07 Jul 2020 00:29:59 +0300
+
 mod-gnutls (0.8.2-3+deb9u1) stretch; urgency=medium
 
   * Non-maintainer upload.
diff -Nru 
mod-gnutls-0.8.2/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch
 
mod-gnutls-0.8.2/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch
--- 
mod-gnutls-0.8.2/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch
     1970-01-01 02:00:00.000000000 +0200
+++ 
mod-gnutls-0.8.2/debian/patches/0001-Test-suite-Remove-URLs-from-expected-error-responses.patch
     2020-07-07 00:29:44.000000000 +0300
@@ -0,0 +1,94 @@
+From a55742a9e3ea3d5ab8151f0c54e196187b203b7b Mon Sep 17 00:00:00 2001
+From: Fiona Klute <fiona.kl...@gmx.de>
+Date: Fri, 1 Nov 2019 19:17:57 +0100
+Subject: Test suite: Remove URLs from expected error responses
+
+Apache HTTPD removed request URLs from canned error messages to
+prevent misleading text/links being displayed via crafted links
+(CVE-2019-10092). Adjust the expected error responses in our tests so
+they can pass again.
+---
+ test/tests/18_client_verification_wrong_cert/output         | 6 +++---
+ test/tests/21_TLS_reverse_proxy_wrong_cert/output           | 5 ++---
+ test/tests/22_TLS_reverse_proxy_crl_revoke/output           | 5 ++---
+ .../tests/23_TLS_reverse_proxy_mismatched_priorities/output | 5 ++---
+ 4 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/test/tests/18_client_verification_wrong_cert/output 
b/test/tests/18_client_verification_wrong_cert/output
+index 766e7b6..2a89afe 100644
+--- a/test/tests/18_client_verification_wrong_cert/output
++++ b/test/tests/18_client_verification_wrong_cert/output
+@@ -1,7 +1,7 @@
++<html><head>
++<title>403 Forbidden</title>
+ </head><body>
+ <h1>Forbidden</h1>
+-<p>You don't have permission to access /test.txt
+-on this server.<br />
+-</p>
++<p>You don't have permission to access this resource.</p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+diff --git a/test/tests/21_TLS_reverse_proxy_wrong_cert/output 
b/test/tests/21_TLS_reverse_proxy_wrong_cert/output
+index f60e6f6..1c9cc06 100644
+--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/output
++++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/output
+@@ -1,5 +1,5 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 407
++Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+@@ -10,7 +10,6 @@ Content-Type: text/html; charset=iso-8859-1
+ <h1>Proxy Error</h1>
+ <p>The proxy server received an invalid
+ response from an upstream server.<br />
+-The proxy server could not handle the request <em><a 
href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
+-Reason: <strong>Error reading from remote server</strong></p></p>
++The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+diff --git a/test/tests/22_TLS_reverse_proxy_crl_revoke/output 
b/test/tests/22_TLS_reverse_proxy_crl_revoke/output
+index f60e6f6..1c9cc06 100644
+--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/output
++++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/output
+@@ -1,5 +1,5 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 407
++Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+@@ -10,7 +10,6 @@ Content-Type: text/html; charset=iso-8859-1
+ <h1>Proxy Error</h1>
+ <p>The proxy server received an invalid
+ response from an upstream server.<br />
+-The proxy server could not handle the request <em><a 
href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
+-Reason: <strong>Error reading from remote server</strong></p></p>
++The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+diff --git a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output 
b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
+index f60e6f6..1c9cc06 100644
+--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
++++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
+@@ -1,5 +1,5 @@
+ HTTP/1.1 502 Proxy Error
+-Content-Length: 407
++Content-Length: 341
+ Connection: close
+ Content-Type: text/html; charset=iso-8859-1
+ 
+@@ -10,7 +10,6 @@ Content-Type: text/html; charset=iso-8859-1
+ <h1>Proxy Error</h1>
+ <p>The proxy server received an invalid
+ response from an upstream server.<br />
+-The proxy server could not handle the request <em><a 
href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
+-Reason: <strong>Error reading from remote server</strong></p></p>
++The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
+ </body></html>
+ - Peer has closed the GnuTLS connection
+-- 
+2.20.1
+
diff -Nru mod-gnutls-0.8.2/debian/patches/series 
mod-gnutls-0.8.2/debian/patches/series
--- mod-gnutls-0.8.2/debian/patches/series      2020-01-11 12:26:12.000000000 
+0200
+++ mod-gnutls-0.8.2/debian/patches/series      2020-07-07 00:29:59.000000000 
+0300
@@ -7,3 +7,4 @@
 0007-Do-not-treat-warnings-about-deprecated-declarations-.patch
 0008-Wait-for-OCSP-server-to-become-available.patch
 0001-Fix-test-16-view-status-by-changing-priority-string.patch
+0001-Test-suite-Remove-URLs-from-expected-error-responses.patch

Bug#948653: stretch-pu: package mod-gnutls/0.8.2-3+deb9u1

Reply via email to