Processing of mknbi_1.4.4-9_i386.changes

2011-09-08 Thread Debian FTP Masters
mknbi_1.4.4-9_i386.changes uploaded successfully to localhost
along with the files:
  mknbi_1.4.4-9.dsc
  mknbi_1.4.4-9.debian.tar.gz
  mknbi_1.4.4-9_i386.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1r1z6c-dg...@franck.debian.org



mknbi_1.4.4-9_i386.changes REJECTED

2011-09-08 Thread Debian FTP Masters



Reject Reasons:
mknbi source: lintian output: 'missing-build-dependency quilt', automatically 
rejected package.
mknbi source: If you have a good reason, you may override this lintian tag.



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.





Processing of gnomint_1.2.1-3_i386.changes

2011-09-08 Thread Debian FTP Masters
gnomint_1.2.1-3_i386.changes uploaded successfully to localhost
along with the files:
  gnomint_1.2.1-3.dsc
  gnomint_1.2.1-3.debian.tar.gz
  gnomint_1.2.1-3_i386.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)





Processing of mknbi_1.4.4-9_i386.changes

2011-09-08 Thread Debian FTP Masters
mknbi_1.4.4-9_i386.changes uploaded successfully to localhost
along with the files:
  mknbi_1.4.4-9.dsc
  mknbi_1.4.4-9.debian.tar.gz
  mknbi_1.4.4-9_i386.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)





Processing of unclutter_8-16_i386.changes

2011-09-08 Thread Debian FTP Masters
unclutter_8-16_i386.changes uploaded successfully to localhost
along with the files:
  unclutter_8-16.dsc
  unclutter_8-16.debian.tar.gz
  unclutter_8-16_i386.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)





gnomint_1.2.1-3_i386.changes ACCEPTED into unstable

2011-09-08 Thread Debian FTP Masters



Accepted:
gnomint_1.2.1-3.debian.tar.gz
  to main/g/gnomint/gnomint_1.2.1-3.debian.tar.gz
gnomint_1.2.1-3.dsc
  to main/g/gnomint/gnomint_1.2.1-3.dsc
gnomint_1.2.1-3_i386.deb
  to main/g/gnomint/gnomint_1.2.1-3_i386.deb


Override entries for your package:
gnomint_1.2.1-3.dsc - source gnome
gnomint_1.2.1-3_i386.deb - optional gnome

Announcing to debian-devel-chan...@lists.debian.org
Closing bugs: 634395 


Thank you for your contribution to Debian.





mknbi_1.4.4-9_i386.changes ACCEPTED into unstable

2011-09-08 Thread Debian FTP Masters



Accepted:
mknbi_1.4.4-9.debian.tar.gz
  to main/m/mknbi/mknbi_1.4.4-9.debian.tar.gz
mknbi_1.4.4-9.dsc
  to main/m/mknbi/mknbi_1.4.4-9.dsc
mknbi_1.4.4-9_i386.deb
  to main/m/mknbi/mknbi_1.4.4-9_i386.deb


Override entries for your package:
mknbi_1.4.4-9.dsc - source admin
mknbi_1.4.4-9_i386.deb - optional admin

Announcing to debian-devel-chan...@lists.debian.org


Thank you for your contribution to Debian.





unclutter_8-16_i386.changes ACCEPTED into unstable

2011-09-08 Thread Debian FTP Masters



Accepted:
unclutter_8-16.debian.tar.gz
  to main/u/unclutter/unclutter_8-16.debian.tar.gz
unclutter_8-16.dsc
  to main/u/unclutter/unclutter_8-16.dsc
unclutter_8-16_i386.deb
  to main/u/unclutter/unclutter_8-16_i386.deb


Override entries for your package:
unclutter_8-16.dsc - source x11
unclutter_8-16_i386.deb - optional x11

Announcing to debian-devel-chan...@lists.debian.org


Thank you for your contribution to Debian.





Processed: Standardizing version numbering for libenchant1c2a #640788

2011-09-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> notfound 640788 libenchant1c2a/1.6.0-3
Bug #640788 [libenchant1c2a] libenchant1c2a: Make enchant-ispell compatible 
with new ispell in sid
The source libenchant1c2a and version 1.6.0-3 do not appear to match any binary 
packages
Bug No longer marked as found in versions libenchant1c2a/1.6.0-3.
> found 640788 enchant/1.6.0-3
Bug #640788 [libenchant1c2a] libenchant1c2a: Make enchant-ispell compatible 
with new ispell in sid
Bug Marked as found in versions enchant/1.6.0-3.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
640788: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640788
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#640938: tijmp: FTBFS: configure: error: Does JAVA_HOME point to the java SDK directory?

2011-09-08 Thread Aurelien Jarno
Package: tijmp
Version: 0.8+dfsg-5
Severity: serious
Justification: fails to build from source (but built successfully in the past)

tijmp fails to build as it can't find the path to openjdk:

| checking dynamic linker characteristics... GNU/Linux ld.so
| checking how to hardcode library paths into programs... immediate
| checking whether stripping libraries is possible... yes
| checking if libtool supports shared libraries... yes
| checking whether to build shared libraries... yes
| checking whether to build static libraries... no
|
| checking /usr/lib/jvm/java-6-openjdk/include/linux/jni_md.h usability... no
| checking /usr/lib/jvm/java-6-openjdk/include/linux/jni_md.h presence... no
| checking for /usr/lib/jvm/java-6-openjdk/include/linux/jni_md.h... no
| checking /usr/lib/jvm/java-6-openjdk/include/jni_md.h usability... no
| checking /usr/lib/jvm/java-6-openjdk/include/jni_md.h presence... no
| checking for /usr/lib/jvm/java-6-openjdk/include/jni_md.h... no
| configure: error: Does JAVA_HOME point to the java SDK directory?
| make: *** [debian/stamp-autotools] Error 1

It sets JAVA_HOME to /usr/lib/jvm/java-6-openjdk, but this path has 
changed starting with openjdk-6 version 6b23~pre8-2.

Full build log is available (s390x, but also fails on other 
architectures):

 
http://buildd.debian-ports.org/status/fetch.php?pkg=tijmp&arch=s390x&ver=0.8%2Bdfsg-5&stamp=1314740547

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash






Bug#639744: [Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

2011-09-08 Thread Raphael Geissert
On Wednesday 07 September 2011 22:06:55 Raphael Geissert wrote:
> On Wednesday 07 September 2011 10:57:51 Raphael Geissert wrote:
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > So you're basically saying that X509_verify_cert() should give an
> > > error in case it finds DigiNotar somewhere in the chain?
> > > 
> > > I'm not opposed to such a change, but would like to see a better
> > > option in the future.
> > 
> > Yes. I will try to spend some time with a debugger later today to find
> > the right place to implement such check. Or do you have any hint? (the
> > cn validation functions didn't seem to be executed in one case I tried)
> 
> Attached is the first version of patch against the 1.0.0 series that does
> that. I implemented it in check_name_constraints, but given that 0.9.8
> doesn't have support for name constraints I might as well move it to a
> separate function. I've tested it on the rogue *.google.com cert  with
> verify(1) and a few others with different clients (tried the urls
> mentioned on the bug report, of which only ingcommercialbanking still uses
> a DigiNotar cert.)
> Attached are a bundle of the certs needed to verify(1) the rogue google
> cert, and the rogue cert itself. Perhaps they could be included in the
> test suite.

I somehow ended up adding an O instead of a 0 in the exported patch for 1.0.0. 
Attached are the fixed 1.0.0 patch (as v2, to avoid confusion) and the 
previous patch for 0.9.8.

> The patch for 0.9.8 is also attached, but I haven't tested it yet. It was
> made based on squeeze's openssl and it seems to apply fine to lenny's
> openssl (just a few lines of difference.)
> 
> Kurt, what do you think? would upstream be interested in the patch, or at
> least in reviewing it?

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Description: make X509_verify_cert indicate that any certificate whose
 name contains "DigiNotar" is revoked.
Origin: vendor
Forwarded: no
Last-Update: 2011-09-07
Bug: http://bugs.debian.org/639744

diff -urpN openssl-0.9.8o-4squeeze1.orig/crypto/x509/x509_vfy.c openssl-0.9.8o-4squeeze1/crypto/x509/x509_vfy.c
--- openssl-0.9.8o-4squeeze1.orig/crypto/x509/x509_vfy.c	2009-06-26 06:34:21.0 -0500
+++ openssl-0.9.8o-4squeeze1/crypto/x509/x509_vfy.c	2011-09-07 21:23:58.0 -0500
@@ -78,6 +78,7 @@ static int check_trust(X509_STORE_CTX *c
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
+static int check_ca_blacklist(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
 const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
 
@@ -312,6 +313,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		ok=internal_verify(ctx);
 	if(!ok) goto end;
 
+	ok = check_ca_blacklist(ctx);
+	if(!ok) goto end;
+
 #ifndef OPENSSL_NO_RFC3779
 	/* RFC 3779 path validation, now that CRL check has been done */
 	ok = v3_asid_validate_path(ctx);
@@ -661,6 +665,29 @@ static int check_crl_time(X509_STORE_CTX
 	return 1;
 	}
 
+static int check_ca_blacklist(X509_STORE_CTX *ctx)
+	{
+	X509 *x;
+	int i;
+	/* Check all certificates against the blacklist */
+	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+		{
+		x = sk_X509_value(ctx->chain, i);
+		/* Mark DigiNotar certificates as revoked, no matter
+		 * where in the chain they are. 
+		 */
+		if (x->name && strstr(x->name, "DigiNotar"))
+			{
+			ctx->error = X509_V_ERR_CERT_REVOKED;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			if (!ctx->verify_cb(0,ctx))
+return 0;
+			}
+		}
+	return 1;
+	}
+
 /* Lookup CRLs from the supplied list. Look for matching isser name
  * and validity. If we can't find a valid CRL return the last one
  * with matching name. This gives more meaningful error codes. Otherwise
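
Review bot: the test `strstr(x->name, "DigiNotar")` in check_ca_blacklist() is a case-sensitive substring match on the certificate's whole name string, so it fires on any certificate in the chain whose name merely contains those characters and misses any spelling or case variant. Since the Description states the intent as treating certificates named DigiNotar as revoked, consider matching a specific name component or a list of known certificates instead of the whole string, and move the literal into a named constant or table so further entries can be added without touching the loop. A short comment saying what `x->name` holds would also help the next reader.
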
Description: make X509_verify_cert indicate that any certificate whose
 name contains "DigiNotar" is revoked.
Origin: vendor
Forwarded: no
Last-Update: 2011-09-07
Bug: http://bugs.debian.org/639744

diff --git a/crypto/x509/x509_vfy.c.orig b/crypto/x509/x509_vfy.c
index bd6695d..1aaf5d3 100644
--- a/crypto/x509/x509_vfy.c.orig
+++ b/crypto/x509/x509_vfy.c
@@ -617,6 +617,17 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
 	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
 		{
 		x = sk_X509_value(ctx->chain, i);
+		/* Mark DigiNotar certificates as revoked, no matter
+		 * where in the chain they are.
+		 */
+		if (x->name && strstr(x->name, "DigiNotar"))
+			{
+			ctx->error = X509_V_ERR_CERT_REVOKED;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			if (!ctx->verify_cb(0,ctx))
+return 0;
+			}
 		/* Ignore self issued certs unless last in chain */
 		if (i && (x->ex_flags & EXFLAG_SI))
 			continue;
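
Review bot: the new block at the top of the loop in check_name_constraints() sets X509_V_ERR_CERT_REVOKED from a function whose name and remaining body are about name constraints, which makes the revocation result hard to find and ties the blacklist to whatever conditions cause this function to run. The 0.9.8 patch in this same message puts the identical test in its own check_ca_blacklist() called from X509_verify_cert(); using that form for 1.0.0 as well would keep the two series consistent and let one patch be reviewed for both.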


Bug#640788: ibritish: pidgin says: Illegal format hash table /usr/lib/ispell/british.hash

2011-09-08 Thread Robert Luberda
Russell Coker writes:
> 
> Illegal format hash table /usr/lib/ispell/british.hash - expected magic2 
> 0x9602, got 0x0

Could you please send me the output of the following commands:

xxd -l 64 /usr/lib/ispell/british.hash
ls -l  /usr/lib/ispell/british.hash
ls -Ll /usr/lib/ispell/british.hash
cat /var/lib/ispell/british.compat


Thanks,
robert






Processing of avifile_0.7.48~20090503.ds-7_amd64.changes

2011-09-08 Thread Debian FTP Masters
avifile_0.7.48~20090503.ds-7_amd64.changes uploaded successfully to localhost
along with the files:
  avifile_0.7.48~20090503.ds-7.dsc
  avifile_0.7.48~20090503.ds-7.debian.tar.gz
  libavifile-0.7c2_0.7.48~20090503.ds-7_amd64.deb
  libavifile-0.7-dev_0.7.48~20090503.ds-7_amd64.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)





Re: News about unixcw?

2011-09-08 Thread Kamil Ignacak

Hi Kamal,

Thank you for your reply.
Hereby I'm taking over this project. I will create a new project on one 
of websites hosting FLOSS projects (probably sf.net) within a week, and 
then decide about further steps. I will also check what exactly "sponsor 
a Debian upload of a new upstream package" means :)


I will start with original source tree (2.3-13), without your patches, 
as I hope to solve Debian bugs #567392 and #567394 by slightly changing 
the way the libcw generates tones. The next step would be adding ALSA 
support, and perhaps solve this problem:

http://lists.debian.org/debian-qa-packages/2010/11/msg00101.html

Best regards,
Kamil



On 07.09.2011 02:00, Kamal Mostafa wrote:

Hi Kamil and Simon-

On Tue, 2011-09-06 at 21:31 +0200, Kamil Ignacak wrote:

Hi Simon,

Thank you very much for the answer. In that case I will try to look
further and see if anyone else is currently the main developer of the
package already.

Kamal: could you please let me know if you consider yourself the owner
of the package? If not then I would like to step in and take over this
project. Please do let me know.


No, I don't consider myself the owner of the package.  Given Simon's
blessing there, I think you can feel free to start bringing it back to
life again.  Please note its "orphaned" status in Debian, and the
large number of outstanding bug reports:
http://packages.qa.debian.org/u/unixcw.html

I am a Debian Developer and a member of the Debian Hams group, and I
would be quite willing to adopt and sponsor a Debian upload of a new
upstream package of unixcw if you do improve upon it (and I could help
with packaging issues as well, but I'm afraid I'm too swamped to take on
a more active role in development for it).

Thanks in advance for your efforts!

  -Kamal




Best regards,
Kamil



On 06.09.2011 10:31, Simon Baldwin wrote:

Hi Kamil,

Thanks for the email, and your interest in Unixcw.

I haven't updated the package for a while now, and don't really expect
to do anything to it in the way of improvement in the foreseeable
future. I know that Kamal has created a few patches for it to help to
keep it up to date with current Linux releases, and I'm very grateful to
him for doing this. I guess the program is sort-of looking for a new
owner at present, and if somebody wanted to take it over I'd be fine
with that.

Best regards,

--S



*From:* Kamil Ignacak
*To:* simon_bald...@yahoo.com
*Cc:* ka...@whence.com; packa...@qa.debian.org
*Sent:* Tuesday, 30 August 2011, 19:05
*Subject:* News about unixcw?

Hi Simon,

Recently I've started using cwcp program from unixcw package to learn
Morse code. I find it very useful, but I have also noticed that the
program has some problems. Some of them have been addressed by patches
created by Kamal Mostafa
(https://launchpad.net/~kamalmostafa/+archive/unixcw-fixes). I have
implemented some changes in my local copy of cwlib myself as well.

I would like to ask you whether you still actively maintain this
package, and if you accept any patches or other kind of help with the
package.

I'm adding in CC some people who may be interested in any news about the
package.

Have a nice day!

Best regards,
Kamil Ignacak












avifile_0.7.48~20090503.ds-7_amd64.changes ACCEPTED into unstable

2011-09-08 Thread Debian FTP Masters



Accepted:
avifile_0.7.48~20090503.ds-7.debian.tar.gz
  to main/a/avifile/avifile_0.7.48~20090503.ds-7.debian.tar.gz
avifile_0.7.48~20090503.ds-7.dsc
  to main/a/avifile/avifile_0.7.48~20090503.ds-7.dsc
libavifile-0.7-dev_0.7.48~20090503.ds-7_amd64.deb
  to main/a/avifile/libavifile-0.7-dev_0.7.48~20090503.ds-7_amd64.deb
libavifile-0.7c2_0.7.48~20090503.ds-7_amd64.deb
  to main/a/avifile/libavifile-0.7c2_0.7.48~20090503.ds-7_amd64.deb


Override entries for your package:
avifile_0.7.48~20090503.ds-7.dsc - source libs
libavifile-0.7-dev_0.7.48~20090503.ds-7_amd64.deb - optional libdevel
libavifile-0.7c2_0.7.48~20090503.ds-7_amd64.deb - optional libs

Announcing to debian-devel-chan...@lists.debian.org


Thank you for your contribution to Debian.





Bug#639744: [Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

2011-09-08 Thread Kurt Roeckx
On Wed, Sep 07, 2011 at 10:06:55PM -0500, Raphael Geissert wrote:
> On Wednesday 07 September 2011 10:57:51 Raphael Geissert wrote:
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > So you're basically saying that X509_verify_cert() should give an
> > > error in case it finds DigiNotar somewhere in the chain?
> > > 
> > > I'm not opposed to such a change, but would like to see a better
> > > option in the future.
> > 
> > Yes. I will try to spend some time with a debugger later today to find the
> > right place to implement such check. Or do you have any hint? (the cn
> > validation functions didn't seem to be executed in one case I tried)
> 
> Attached is the first version of patch against the 1.0.0 series that does
> that. I implemented it in check_name_constraints, but given that 0.9.8
> doesn't have support for name constraints I might as well move it to a
> separate function. I've tested it on the rogue *.google.com cert  with
> verify(1) and a few others with different clients (tried the urls
> mentioned on the bug report, of which only ingcommercialbanking still uses
> a DigiNotar cert.)
> Attached are a bundle of the certs needed to verify(1) the rogue google
> cert, and the rogue cert itself. Perhaps they could be included in the
> test suite.
> 
> The patch for 0.9.8 is also attached, but I haven't tested it yet. It was
> made based on squeeze's openssl and it seems to apply fine to lenny's
> openssl (just a few lines of difference.)

I wonder why you don't use the same patch for both.  I think the
check_name_constraints() actually tries to test something else,
like that it's a well-formed name or something.  So the new function
makes more sense to me.

Looking at the patch, it seems to make sense to me.

> Kurt, what do you think? would upstream be interested in the patch, or at 
> least in reviewing it?

I can always try and ask them.


Kurt







Bug#639744: [Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

2011-09-08 Thread Raphael Geissert
On Thursday 08 September 2011 16:57:56 Kurt Roeckx wrote:
> On Wed, Sep 07, 2011 at 10:06:55PM -0500, Raphael Geissert wrote:
> > The patch for 0.9.8 is also attached, but I haven't tested it yet. It was
> > made based on squeeze's openssl and it seems to apply fine to lenny's
> > openssl (just a few lines of difference.)
> 
> I wonder why you don't use the same patch for both.  I think the
> check_name_constraints() actually tries to test something else,
> like that it's a well-formed name or something.  So the new function
> makes more sense to me.

Yes, I rewrote the patch for 1.0.0 after my last message but it was pending a 
rebuild and re-test. I've attached it now.

I had the chance of testing the 098.v1 patch on squeeze and it passed all my 
tests. I haven't tested it on lenny yet, since the build system seems to be 
tricky and keeps modifying files even on debian/rules clean.

> > Kurt, what do you think? would upstream be interested in the patch, or at
> > least in reviewing it?
> 
> I can always try and ask them.

It'd be great if you handled that part.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Description: make X509_verify_cert indicate that any certificate whose
 name contains "DigiNotar" is revoked.
Origin: vendor
Forwarded: no
Last-Update: 2011-09-08
Bug: http://bugs.debian.org/639744

Index: openssl-1.0.0d/crypto/x509/x509_vfy.c
===
--- openssl-1.0.0d.orig/crypto/x509/x509_vfy.c
+++ openssl-1.0.0d/crypto/x509/x509_vfy.c
@@ -117,6 +117,7 @@ static int check_trust(X509_STORE_CTX *c
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
+static int check_ca_blacklist(X509_STORE_CTX *ctx);
 
 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
 			unsigned int *preasons,
@@ -374,6 +375,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		ok=internal_verify(ctx);
 	if(!ok) goto end;
 
+	ok = check_ca_blacklist(ctx);
+	if(!ok) goto end;
+
 #ifndef OPENSSL_NO_RFC3779
 	/* RFC 3779 path validation, now that CRL check has been done */
 	ok = v3_asid_validate_path(ctx);
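
Review bot: the added call `ok = check_ca_blacklist(ctx);` carries no comment, unlike the RFC 3779 call right below it, and its position after `if(!ok) goto end;` means it is reached only when internal_verify() has returned success. A one-line comment stating that the blacklist is applied at this point unconditionally (it sits outside the #ifndef that follows) would document that ordering as intentional.
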
@@ -820,6 +824,29 @@ static int check_crl_time(X509_STORE_CTX
 	return 1;
 	}
 
+static int check_ca_blacklist(X509_STORE_CTX *ctx)
+	{
+	X509 *x;
+	int i;
+	/* Check all certificates against the blacklist */
+	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+		{
+		x = sk_X509_value(ctx->chain, i);
+		/* Mark DigiNotar certificates as revoked, no matter
+		 * where in the chain they are.
+		 */
+		if (x->name && strstr(x->name, "DigiNotar"))
+			{
+			ctx->error = X509_V_ERR_CERT_REVOKED;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			if (!ctx->verify_cb(0,ctx))
+return 0;
+			}
+		}
+	return 1;
+	}
+
 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
 			X509 **pissuer, int *pscore, unsigned int *preasons,
 			STACK_OF(X509_CRL) *crls)
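
Review bot: in check_ca_blacklist() a match only fails verification when `ctx->verify_cb(0,ctx)` returns 0; if the callback returns non-zero the loop continues and the function ends with `return 1`, so an application whose callback accepts errors still gets a successful result for a chain containing a blacklisted certificate. If the blacklist is meant to be non-overridable, return 0 directly after setting ctx->error; if the override is intended, say so in the comment above the test. As posted, the `return 0;` line has also lost its indentation relative to the `if` above it.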