Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id
<c4d20274f6d76a43fb574d2177f6e3af4235e4be.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1004895,
regarding bullseye-pu: package e2guardian/5.3.4-1+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1004895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
I just uploaded e2guardian 5.3.4-1+deb11u1 to bullseye including the fix
for CVE-2021-44273:
diff --git a/debian/changelog b/debian/changelog
index 8900938..488096b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+e2guardian (5.3.4-1+deb11u1) bullseye; urgency=medium
+
+ * debian/patches:
+ + CVE-2021-44273: Fix missing SSL certificate validation in the SSL MiTM
+ engine. Add 0001_CVE-2021-44273_fix-hostname-validation-in-
+ certificates.patch. (Closes: #1003125).
+
+ -- Mike Gabriel <sunwea...@debian.org> Wed, 02 Feb 2022 21:06:57 +0100
+
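Review bot: the distribution field in this stanza is `bullseye`, but the debdiff attached further down lists the same 5.3.4-1+deb11u1 stanza with `bullseye-security`. Since the note under [ Other info ] says the upload goes via bullseye-pu, `bullseye` is the expected value; please confirm which changelog was actually uploaded and regenerate the debdiff so the two copies agree.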
[ Reason ]
Fix no-DSA security issue.
[ Impact ]
None to other packages, e2guardian is a leaf package.
[ Tests ]
Build succeeded and a runtime test on a production server succeeded, too.
[ Risks ]
None.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
see above
[ Other info ]
Security team recommended uploading via bullseye-pu.
diff -Nru e2guardian-5.3.4/debian/changelog e2guardian-5.3.4/debian/changelog
--- e2guardian-5.3.4/debian/changelog 2020-02-15 10:43:10.000000000 +0100
+++ e2guardian-5.3.4/debian/changelog 2022-02-02 21:06:57.000000000 +0100
@@ -1,3 +1,12 @@
+e2guardian (5.3.4-1+deb11u1) bullseye-security; urgency=medium
+
+ * debian/patches:
+ + CVE-2021-44273: Fix missing SSL certificate validation in the SSL MiTM
+ engine. Add 0001_CVE-2021-44273_fix-hostname-validation-in-
+ certificates.patch. (Closes: #1003125).
+
+ -- Mike Gabriel <sunwea...@debian.org> Wed, 02 Feb 2022 21:06:57 +0100
+
e2guardian (5.3.4-1) unstable; urgency=medium
* New upstream release.
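Review bot: the target distribution here reads `bullseye-security`, which contradicts the `bullseye` shown in the changelog diff at the top of the message and the [ Other info ] statement that the security team asked for a bullseye-pu upload rather than a security upload. A p-u stanza should carry `bullseye`; please fix the debdiff (or the package, whichever is wrong) so the attached diff reflects what was uploaded.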
diff -Nru
e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
---
e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
1970-01-01 01:00:00.000000000 +0100
+++
e2guardian-5.3.4/debian/patches/0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
2022-02-02 21:03:36.000000000 +0100
@@ -0,0 +1,25 @@
+From eae46a7e2a57103aadca903c4a24cca94dc502a2 Mon Sep 17 00:00:00 2001
+From: Philip Pearce <philip.pea...@e2bn.org>
+Date: Tue, 23 Nov 2021 09:52:38 +0000
+Subject: [PATCH] Fix bug #707 cert hostnames not being checked - only happened
+ when openssl v1.1 is used
+
+---
+ src/Socket.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/Socket.cpp b/src/Socket.cpp
+index 6ef9619c0..2b687ef5a 100644
+--- a/src/Socket.cpp
++++ b/src/Socket.cpp
+@@ -377,6 +377,10 @@ int Socket::startSslClient(const std::string
&certificate_path, String hostname)
+ //fcntl(this->getFD() ,F_SETFL, O_NONBLOCK); // blocking mode used
currently
+ SSL_set_fd(ssl, this->getFD());
+ SSL_set_tlsext_host_name(ssl, hostname.c_str());
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#else
++ X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl),hostname.c_str(),0);
++#endif
+
+ //make io non blocking as select wont tell us if we can do a read without
blocking
+ //BIO_set_nbio(SSL_get_rbio(ssl),1l); // blocking mode used currently
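Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` branch is intentionally empty, but nothing in the code says why; the only rationale is the upstream subject line ("only happened when openssl v1.1 is used"), so a one-line comment in the empty branch stating that pre-1.1 builds are not affected would save the next reader from assuming the hostname check was simply forgotten there. Two further points on the `X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl),hostname.c_str(),0);` line: its return value (0 on failure) is discarded, and binding a host to the verify parameters only has an effect when peer verification is enabled on this SSL object, which these lines do not show; please confirm that `startSslClient` enables peer verification elsewhere, otherwise the CVE-2021-44273 condition would persist despite this patch. The patch also carries no DEP-3 `Origin:`/`Bug-Debian:` fields beyond the git header; adding the upstream commit URL and `Bug-Debian: https://bugs.debian.org/1003125` would make provenance easier to audit.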
diff -Nru e2guardian-5.3.4/debian/patches/series
e2guardian-5.3.4/debian/patches/series
--- e2guardian-5.3.4/debian/patches/series 2020-02-15 10:43:10.000000000
+0100
+++ e2guardian-5.3.4/debian/patches/series 2022-02-02 21:06:33.000000000
+0100
@@ -1,2 +1,3 @@
2002_Debian-clamd-socket.patch
1001_spelling-fixes.patch
+0001_CVE-2021-44273_fix-hostname-validation-in-certificates.patch
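Review bot: the new entry is numbered `0001_` yet is appended after `2002_` and `1001_`. quilt applies patches in series-file order, so this works as written, but the numeric prefix no longer reflects application order; consider following the existing numbering convention of this package so the prefix stays meaningful.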
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.3
Hi,
The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.
Regards,
Adam
--- End Message ---