Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: icin...@packages.debian.org
Control: affects -1 + src:icinga2
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Fix certificate validation bypass for JSON-RPC and HTTP API connections. 
(CVE-2024-49369)

[ Impact ]
Cluster nodes can be impersonated.

[ Tests ]
Upstream test suite.

[ Risks ]
Low; the same change is deployed upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The patch cherry-picks the upstream commit from the 2.13 branch.

[ Other info ]
N/A
diff -Nru icinga2-2.13.6/debian/changelog icinga2-2.13.6/debian/changelog
--- icinga2-2.13.6/debian/changelog     2024-04-06 14:02:31.000000000 +0200
+++ icinga2-2.13.6/debian/changelog     2024-11-12 18:57:26.000000000 +0100
@@ -1,3 +1,11 @@
+icinga2 (2.13.6-2+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * Add upstream patch to fix CVE-2024-49369.
+    (closes: #1087384)
+
+ -- Bas Couwenberg <sebas...@debian.org>  Tue, 12 Nov 2024 18:57:26 +0100
+
 icinga2 (2.13.6-2+deb12u1) bookworm; urgency=medium
 
   * Team upload.
diff -Nru icinga2-2.13.6/debian/patches/CVE-2024-49369.patch 
icinga2-2.13.6/debian/patches/CVE-2024-49369.patch
--- icinga2-2.13.6/debian/patches/CVE-2024-49369.patch  1970-01-01 
01:00:00.000000000 +0100
+++ icinga2-2.13.6/debian/patches/CVE-2024-49369.patch  2024-11-12 
18:57:11.000000000 +0100
@@ -0,0 +1,122 @@
+Description: Security: fix TLS certificate validation bypass
+ .
+ The previous validation in set_verify_callback() could be bypassed, tricking
+ Icinga 2 into treating invalid certificates as valid. To fix this, the
+ validation checks were moved into the IsVerifyOK() function.
+ .
+ This is tracked as CVE-2024-49369, more details will be published at a later 
time.
+Author: Julian Brost <julian.br...@icinga.com>
+Origin: 
https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393fe
+Forwarded: not-needed
+
+--- a/lib/base/tlsstream.cpp
++++ b/lib/base/tlsstream.cpp
+@@ -18,14 +18,48 @@
+ 
+ using namespace icinga;
+ 
+-bool UnbufferedAsioTlsStream::IsVerifyOK() const
++/**
++ * Checks whether the TLS handshake was completed with a valid peer 
certificate.
++ *
++ * @return true if the peer presented a valid certificate, false otherwise
++ */
++bool UnbufferedAsioTlsStream::IsVerifyOK()
+ {
+-      return m_VerifyOK;
++      if (!SSL_is_init_finished(native_handle())) {
++              // handshake was not completed
++              return false;
++      }
++
++      if (GetPeerCertificate() == nullptr) {
++              // no peer certificate was sent
++              return false;
++      }
++
++      return SSL_get_verify_result(native_handle()) == X509_V_OK;
+ }
+ 
+-String UnbufferedAsioTlsStream::GetVerifyError() const
++/**
++ * Returns a human-readable error string for situations where IsVerifyOK() 
returns false.
++ *
++ * If the handshake was completed and a peer certificate was provided,
++ * the string additionally contains the OpenSSL verification error code.
++ *
++ * @return string containing the error message
++ */
++String UnbufferedAsioTlsStream::GetVerifyError()
+ {
+-      return m_VerifyError;
++      if (!SSL_is_init_finished(native_handle())) {
++              return "handshake not completed";
++      }
++
++      if (GetPeerCertificate() == nullptr) {
++              return "no peer certificate provided";
++      }
++
++      std::ostringstream buf;
++      long err = SSL_get_verify_result(native_handle());
++      buf << "code " << err << ": " << X509_verify_cert_error_string(err);
++      return buf.str();
+ }
+ 
+ std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate()
+@@ -43,17 +77,17 @@ void UnbufferedAsioTlsStream::BeforeHand
+ 
+       set_verify_mode(ssl::verify_peer | ssl::verify_client_once);
+ 
+-      set_verify_callback([this](bool preverified, ssl::verify_context& ctx) {
+-              if (!preverified) {
+-                      m_VerifyOK = false;
+-
+-                      std::ostringstream msgbuf;
+-                      int err = X509_STORE_CTX_get_error(ctx.native_handle());
+-
+-                      msgbuf << "code " << err << ": " << 
X509_verify_cert_error_string(err);
+-                      m_VerifyError = msgbuf.str();
+-              }
+-
++      set_verify_callback([](bool preverified, ssl::verify_context& ctx) {
++              (void) preverified;
++              (void) ctx;
++
++              /* Continue the handshake even if an invalid peer certificate 
was presented. The verification result has to be
++               * checked using the IsVerifyOK() method.
++               *
++               * Such connections are used for the initial enrollment of 
nodes where they use a self-signed certificate to
++               * send a certificate request and receive their valid 
certificate after approval (manually by the administrator
++               * or using a certificate ticket).
++               */
+               return true;
+       });
+ 
+--- a/lib/base/tlsstream.hpp
++++ b/lib/base/tlsstream.hpp
+@@ -70,12 +70,12 @@ class UnbufferedAsioTlsStream : public A
+ public:
+       inline
+       UnbufferedAsioTlsStream(UnbufferedAsioTlsStreamParams& init)
+-              : AsioTcpTlsStream(init.IoContext, init.SslContext), 
m_VerifyOK(true), m_Hostname(init.Hostname)
++              : AsioTcpTlsStream(init.IoContext, init.SslContext), 
m_Hostname(init.Hostname)
+       {
+       }
+ 
+-      bool IsVerifyOK() const;
+-      String GetVerifyError() const;
++      bool IsVerifyOK();
++      String GetVerifyError();
+       std::shared_ptr<X509> GetPeerCertificate();
+ 
+       template<class... Args>
+@@ -97,8 +97,6 @@ public:
+       }
+ 
+ private:
+-      bool m_VerifyOK;
+-      String m_VerifyError;
+       String m_Hostname;
+ 
+       void BeforeHandshake(handshake_type type);
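Review bot: Because the verify callback in BeforeHandshake() now returns true unconditionally, whether an invalid or absent peer certificate is rejected depends entirely on every consumer of the stream calling IsVerifyOK() after the handshake, and none of those call sites are part of this patch, so the invariant is not stated anywhere a caller would see it. Suggest a comment above `bool IsVerifyOK();` in tlsstream.hpp such as `// The verify callback accepts every chain; callers MUST check IsVerifyOK() after the handshake before trusting the peer.` The explicit `GetPeerCertificate() == nullptr` check in IsVerifyOK() is load-bearing, since SSL_get_verify_result() reports X509_V_OK when no certificate was presented at all, so it should stay paired with the verify-result comparison and could carry a comment saying so. GetPeerCertificate()'s body begins on the last context line of the first hunk and continues outside it.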
diff -Nru icinga2-2.13.6/debian/patches/series 
icinga2-2.13.6/debian/patches/series
--- icinga2-2.13.6/debian/patches/series        2024-04-06 14:02:31.000000000 
+0200
+++ icinga2-2.13.6/debian/patches/series        2024-11-12 18:55:21.000000000 
+0100
@@ -1,2 +1,3 @@
 21_config_changes
 postgres-checkcommand.patch
+CVE-2024-49369.patch
