
Bug#784670: marked as done (jessie-pu: package pound/2.6-6+deb8u1)



Your message dated Thu, 7 May 2015 19:12:21 +0200
with message-id <976b00c450a04025f66e37803b44a4e7.squirrel@aphrodite.kinkhorst.nl>
and subject line Re: Bug#784670: jessie-pu: package pound/2.6-6+deb8u1
has caused the Debian Bug report #784670,
regarding jessie-pu: package pound/2.6-6+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
784670: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784670
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'd like to update pound in jessie to fix the ability to disable ssl client
renegotiation (#765649). The same patch was uploaded to sid a few days ago.
Wheezy and earlier are not affected by this specific issue.

After this patch is applied I can get an "A" score at SSLlabs with pound.


Cheers,
Thijs

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru pound-2.6/debian/changelog pound-2.6/debian/changelog
--- pound-2.6/debian/changelog	2014-10-19 23:49:01.000000000 +0000
+++ pound-2.6/debian/changelog	2015-05-07 16:30:55.000000000 +0000
@@ -1,3 +1,11 @@
+pound (2.6-6+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload by the security team with maintainer approval.
+  * Add missing part of anti_beast patch to fix disabling of client
+    renegotiation. (Closes: #765649)
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Tue, 05 May 2015 13:27:06 +0000
+
 pound (2.6-6) unstable; urgency=low
 
   * Add options to disable SSLv2 and SSLv3.
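Review bot: the changelog entry says "with maintainer approval" but gives no reference for it; since this is an NMU routed through the security team, a pointer to the approval (the bug number where the maintainer agreed, or the mail) in the changelog or the p-u request would let the release team verify it without asking.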
diff -Nru pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch
--- pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch	1970-01-01 00:00:00.000000000 +0000
+++ pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch	2015-05-07 16:30:22.000000000 +0000
@@ -0,0 +1,120 @@
+Added the missing parts that makes the option SSLAllowClientRenegotiation
+work as advertised, allowing client initiated renegotiation to be turned off.
+This patch is a compliment to the changes introduced in the 0001-anti_beast.patch, 
+which was missing the changes to http.c as seen in the original patch from 
+Joe Gooch <mrwizard@k12system.com> at:
+http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers.patch
+
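Review bot: the description has two typos, "parts that makes" should be "parts that make" and "compliment" should be "complement". It would also help to list here what this patch takes from 0001-anti_beast.patch, since http.c below uses RENEG_STATE, RENEG_INIT, RENEG_ALLOW, RENEG_ABORT and the listener field allow_client_reneg, none of which this patch defines, so it only builds with that earlier patch applied.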
+--- a/http.c
++++ b/http.c
+@@ -273,6 +273,11 @@
+ 
+ static int  err_to = -1;
+ 
++typedef struct {
++    int timeout;
++    RENEG_STATE *reneg_state;
++} BIO_ARG;
++
+ /*
+  * Time-out for client read/gets
+  * the SSL manual says not to do it, but it works well enough anyway...
+@@ -280,6 +285,7 @@
+ static long
+ bio_callback(BIO *const bio, const int cmd, const char *argp, int argi, long argl, long ret)
+ {
++    BIO_ARG *bio_arg;
+     struct pollfd   p;
+     int             to, p_res, p_err;
+ 
+@@ -287,11 +293,22 @@
+         return ret;
+ 
+     /* a time-out already occured */
+-    if((to = *((int *)BIO_get_callback_arg(bio)) * 1000) < 0) {
++    if((bio_arg = (BIO_ARG*)BIO_get_callback_arg(bio))==NULL) return ret;
++    if((to = bio_arg->timeout * 1000) < 0) {
+         errno = ETIMEDOUT;
+         return -1;
+     }
+ 
++    /* Renegotiations */
++    if (bio_arg->reneg_state != NULL && *bio_arg->reneg_state == RENEG_ABORT) {
++        logmsg(LOG_NOTICE, "REJECTING renegotiated session");
++        errno = ECONNABORTED;
++        return -1;
++    }
++
++    //logmsg(LOG_NOTICE, "TO %d", to);
++    if (to == 0) return ret;
++
+     for(;;) {
+         memset(&p, 0, sizeof(p));
+         BIO_get_fd(bio, &p.fd);
+@@ -326,7 +343,7 @@
+             return -1;
+         case 0:
+             /* timeout - mark the BIO as unusable for the future */
+-            BIO_set_callback_arg(bio, (char *)&err_to);
++            bio_arg->timeout = err_to;
+ #ifdef  EBUG
+             logmsg(LOG_WARNING, "(%lx) CALLBACK timeout poll after %d secs: %s",
+                 pthread_self(), to / 1000, strerror(p_err));
+@@ -531,6 +548,15 @@
+     struct linger       l;
+     double              start_req, end_req;
+ 
++    RENEG_STATE         reneg_state;
++    BIO_ARG             ba1, ba2;
++
++    reneg_state = RENEG_INIT;
++    ba1.reneg_state =  &reneg_state;
++    ba2.reneg_state = &reneg_state;
++    ba1.timeout = 0;
++    ba2.timeout = 0;
++
+     from_host = ((thr_arg *)arg)->from_host;
+     memcpy(&from_host_addr, from_host.ai_addr, from_host.ai_addrlen);
+     from_host.ai_addr = (struct sockaddr *)&from_host_addr;
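Review bot: reneg_state, ba1 and ba2 are automatic variables of the connection thread whose addresses are handed to OpenSSL (as the BIO callback argument and, below, as SSL app data); that is only safe if every BIO and SSL object that receives them is freed before this function returns, and a comment next to the declarations stating that requirement would make the contract explicit. Initialising both timeouts to 0 relies on the `if (to == 0) return ret;` early return added to bio_callback, so the callback is a no-op until the real timeout is filled in; the double space in `ba1.reneg_state =  &reneg_state;` should also be tidied.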
+@@ -539,6 +565,8 @@
+     free(((thr_arg *)arg)->from_host.ai_addr);
+     free(arg);
+ 
++    if(lstn->allow_client_reneg) reneg_state = RENEG_ALLOW;
++
+     n = 1;
+     setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&n, sizeof(n));
+     l.l_onoff = 1;
+@@ -562,10 +590,10 @@
+         close(sock);
+         return;
+     }
+-    if(lstn->to > 0) {
+-        BIO_set_callback_arg(cl, (char *)&lstn->to);
+-        BIO_set_callback(cl, bio_callback);
+-    }
++
++    ba1.timeout = lstn->to;
++    BIO_set_callback_arg(cl, (char *)&ba1);
++    BIO_set_callback(cl, bio_callback);
+ 
+     if(lstn->ctx != NULL) {
+         if((ssl = SSL_new(lstn->ctx->ctx)) == NULL) {
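Review bot: dropping the `if(lstn->to > 0)` guard changes behaviour for listeners without a client timeout: previously no callback was installed at all, now it always is, which is required so the renegotiation check runs on every TLS connection. The `to == 0` early return in bio_callback covers the unset case, but a negative `lstn->to` would now hit the `to < 0` branch and fail every read with ETIMEDOUT where it was simply ignored before; if the config parser can produce a negative value, clamp it here, e.g. `ba1.timeout = lstn->to > 0 ? lstn->to : 0;`.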
+@@ -574,6 +602,7 @@
+             BIO_free_all(cl);
+             return;
+         }
++        SSL_set_app_data(ssl, &reneg_state);
+         SSL_set_bio(ssl, cl, cl);
+         if((bb = BIO_new(BIO_f_ssl())) == NULL) {
+             logmsg(LOG_WARNING, "(%lx) BIO_new(Bio_f_ssl()) failed", pthread_self());
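Review bot: `SSL_set_app_data(ssl, &reneg_state)` is the only link between this state and the TLS layer, yet nothing in this patch ever stores RENEG_ABORT, so the rejection in bio_callback is inert unless the SSL info callback from 0001-anti_beast.patch (named in the description) fetches this pointer with SSL_get_app_data and sets RENEG_ABORT on a client-initiated renegotiation; that dependency should be spelled out in the description. The call is correctly placed before SSL_set_bio, so the info callback never observes a NULL app-data pointer during the handshake.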
+@@ -875,7 +904,8 @@
+             }
+             BIO_set_close(be, BIO_CLOSE);
+             if(backend->to > 0) {
+-                BIO_set_callback_arg(be, (char *)&backend->to);
++                ba2.timeout = backend->to;
++                BIO_set_callback_arg(be, (char *)&ba2);
+                 BIO_set_callback(be, bio_callback);
+             }
+             if(backend->ctx != NULL) {
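Review bot: the backend BIO still only receives the callback when `backend->to > 0`, while the client BIO above now gets it unconditionally. Because ba2 shares reneg_state with ba1, the ECONNABORTED abort on backend I/O only happens when a backend timeout is configured; the client-side check still terminates the connection, so this is an asymmetry rather than a hole, but installing the callback unconditionally here too and relying on the `to == 0` early return would keep the two sides consistent.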
diff -Nru pound-2.6/debian/patches/series pound-2.6/debian/patches/series
--- pound-2.6/debian/patches/series	2014-10-19 23:50:51.000000000 +0000
+++ pound-2.6/debian/patches/series	2015-05-07 16:30:22.000000000 +0000
@@ -5,3 +5,4 @@
 0005-wait_on_semaphore_fix.patch
 0006-add_mkcalendar_support.patch
 0007-anti_poodle.patch
+0008-disable_client_initiated_renegotiation.patch
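Review bot: appending 0008 at the end of series is the right order, since it needs the RENEG_STATE type, the RENEG_* values and the allow_client_reneg listener field from 0001-anti_beast.patch, which must already be applied; the 1970 timestamp on the `---` side of the file diff confirms this is a newly added file rather than a rewrite of an existing one.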

--- End Message ---
--- Begin Message ---
Hi,

On Thu, May 7, 2015 18:43, Thijs Kinkhorst wrote:
> I'd like to update pound in jessie to fix the ability to disable ssl
> client renegotiation (#765649).

Sorry, I'm retracting this. Since the issue does in fact affect wheezy,
contrary to what I thought, and a security update was required for other
issues in wheezy anyway, we can release this update simultaneously through
stable-security.


Cheers,
Thijs

--- End Message ---