Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hello,

I would like to fix 784430 in jessie:

* lynx-cur is using a buggy GnuTLS priority string.
* After fixing GNUTLS-SA-2015-2 (a minor issue) GnuTLS is more strict when applying the priority string.

Combining lynx-cur/jessie with a fixed GnuTLS therefore results in major SSL/TLS breakage.

According to the security-tracker GNUTLS-SA-2015-2 will not be fixed by a dedicated DSA; however, it is labeled as "Minor issue; Can be fixed along with a future DSA".

Suggested patch attached. The respective changes were uploaded to sid in 2.8.9dev6-3 on May 16.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
diff -u lynx-cur-2.8.9dev1/debian/changelog lynx-cur-2.8.9dev1/debian/changelog --- lynx-cur-2.8.9dev1/debian/changelog +++ lynx-cur-2.8.9dev1/debian/changelog @@ -1,3 +1,13 @@ +lynx-cur (2.8.9dev1-2+deb8u1) jessie; urgency=medium + + * gnutls_set_default_priority.diff: Use gnutls_set_default_priority() + instead of a custom priority string. The fix for the GnuTLS issue + GNUTLS-SA-2015-2 combined with a buggy GnuTLS priority string in lynx + breaks lynx SSL support. Preemptively apply the fix to lynx before the + GnuTLS issue is fixed in stable. Closes: #784430 + + -- Andreas Metzler <ametz...@debian.org> Fri, 05 Jun 2015 13:30:14 +0200 + lynx-cur (2.8.9dev1-2) unstable; urgency=medium * Fixed B-D by adding libgcrypt20-dev. libgnutls-dev installs automatically diff -u lynx-cur-2.8.9dev1/debian/patches/series lynx-cur-2.8.9dev1/debian/patches/series --- lynx-cur-2.8.9dev1/debian/patches/series +++ lynx-cur-2.8.9dev1/debian/patches/series @@ -3,0 +4 @@ +gnutls_set_default_priority.diff only in patch2: unchanged: --- lynx-cur-2.8.9dev1.orig/debian/patches/gnutls_set_default_priority.diff +++ lynx-cur-2.8.9dev1/debian/patches/gnutls_set_default_priority.diff 
@@ -0,0 +1,36 @@ +Description: Use gnutls_set_default_priority() instead of a custom + priority string. + This is a minimal patch, leaving the now unused functions alone. +Author: Andreas Metzler <ametz...@debian.org> +Origin: vendor +Forwarded: http://mid.gmane.org/20150512175429.GB1321%40downhill.g.la +Last-Update: 2015-05-13 +Bug-Debian: http://bugs.debian.org/784430 + +diff --git a/src/tidy_tls.c b/src/tidy_tls.c +index f6dea81..df8efb4 100644 +--- a/src/tidy_tls.c ++++ b/src/tidy_tls.c +@@ -542,21 +542,7 @@ SSL *SSL_new(SSL_CTX * ctx) + ssl->ctx = ctx; + + gnutls_init(&ssl->gnutls_state, ctx->method->connend); +- +-#if USE_SET_DIRECT +- UpdatePriority(ssl); +-#else +- gnutls_protocol_set_priority(ssl->gnutls_state, +- ctx->method->priority.protocol); +- gnutls_cipher_set_priority(ssl->gnutls_state, +- ctx->method->priority.encrypts); +- gnutls_compression_set_priority(ssl->gnutls_state, +- ctx->method->priority.compress); +- gnutls_kx_set_priority(ssl->gnutls_state, +- ctx->method->priority.key_xchg); +- gnutls_mac_set_priority(ssl->gnutls_state, +- ctx->method->priority.msg_code); +-#endif ++ gnutls_set_default_priority(ssl->gnutls_state); + + gnutls_credentials_set(ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE, + ssl->gnutls_cred);
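Review bot: in the src/tidy_tls.c hunk the new call `gnutls_set_default_priority(ssl->gnutls_state);` discards its return value, whereas the removed gnutls_*_set_priority() calls had none to check; gnutls_set_default_priority() returns an int (GNUTLS_E_SUCCESS or a negative error code), and SSL_new() as shown has no error path, so a failure would silently leave the session without the intended priorities. A one-line check, e.g. `if (gnutls_set_default_priority(ssl->gnutls_state) < 0)` followed by the same cleanup SSL_new() uses for gnutls_init() failures, or at least a comment explaining why the result is safe to ignore, would make the intent explicit. Note also that after this hunk the ctx->method->priority fields (protocol, encrypts, compress, key_xchg, msg_code) and the USE_SET_DIRECT/UpdatePriority() path no longer influence the session; the patch header acknowledges this ("leaving the now unused functions alone"), which is acceptable for a minimal stable update, but it is worth stating in the changelog that every SSL_CTX method now negotiates with the GnuTLS library default rather than the per-method protocol list lynx previously applied.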