Debian Bug report logs - #700284
libghc-certificate-dev: incomplete basic constraint parsing breaks verisign certs

Package: libghc-certificate-dev; Maintainer for libghc-certificate-dev is Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>; Source for libghc-certificate-dev is src:haskell-certificate.

Reported by: Tomas Janousek <tomi@nomi.cz>

Date: Mon, 11 Feb 2013 01:00:03 UTC

Severity: important

Tags: patch

Found in version haskell-certificate/1.2.3-1

Fixed in versions 1.3.5-1, haskell-certificate/1.2.3-2

Done: Joachim Breitner <nomeata@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>:
Bug#700284; Package libghc-certificate-dev. (Mon, 11 Feb 2013 01:00:05 GMT)

Acknowledgement sent to Tomas Janousek <tomi@nomi.cz>:
New Bug report received and forwarded. Copy sent to Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>. (Mon, 11 Feb 2013 01:00:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Tomas Janousek <tomi@nomi.cz>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libghc-certificate-dev: incomplete basic constraint parsing breaks verisign certs
Date: Mon, 11 Feb 2013 01:35:20 +0100
Package: libghc-certificate-dev
Version: 1.2.3-1+b1
Severity: important
Tags: patch

Hello,

since libghc-tls-extra-dev 0.4.6.1-1, certificate extensions are checked
whether they are CA certs and cert signing is allowed. Verisign certs,
however, encode basic constraints in a format that libghc-certificate-dev
1.2.3-1+b1 fails to parse, and connection to (some) verisign-signed sites
fails.

An example of such a site is https://secure.gooddata.com/.

This is likely fixed by
https://github.com/vincenthz/hs-certificate/commit/a156d857189fc880f7d0a2de3310e750994c766b



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (980, 'testing'), (980, 'stable'), (500, 'unstable'), (500, 'stable'), (200, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 3.3.8-lis64+ (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libghc-certificate-dev depends on:
ii  ghc [libghc-time-dev-1.4-3e186]                              7.4.1-4
ii  libc6                                                        2.13-27
ii  libffi5                                                      3.0.10-3
ii  libghc-asn1-data-dev [libghc-asn1-data-dev-0.6.1.3-d0540]    0.6.1.3-2+b3
ii  libghc-base-dev-4.5.0.0-c8e71                                <none>
ii  libghc-bytestring-dev-0.9.2.1-4adca                          <none>
ii  libghc-crypto-pubkey-types-dev [libghc-crypto-pubkey-types-  0.1.1-1+b3
ii  libghc-directory-dev-1.1.0.2-89575                           <none>
ii  libghc-mtl-dev [libghc-mtl-dev-2.1.1-ae9b4]                  2.1.1-1
ii  libghc-pem-dev [libghc-pem-dev-0.1.1-84ae4]                  0.1.1-1+b3
ii  libghc-process-dev-1.1.0.1-91185                             <none>
ii  libgmp10                                                     2:5.0.4+dfsg-1

libghc-certificate-dev recommends no packages.

Versions of packages libghc-certificate-dev suggests:
ii  libghc-certificate-doc   1.2.3-1
ii  libghc-certificate-prof  1.2.3-1+b1

-- no debconf information

-- 
Tomáš Janoušek, a.k.a. Liskni_si, http://work.lisk.in/



Reply sent to Joachim Breitner <nomeata@debian.org>:
You have taken responsibility. (Mon, 11 Feb 2013 08:39:06 GMT)

Notification sent to Tomas Janousek <tomi@nomi.cz>:
Bug acknowledged by developer. (Mon, 11 Feb 2013 08:39:06 GMT)

Message #10 received at 700284-done@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: Tomas Janousek <tomi@nomi.cz>, 700284-done@bugs.debian.org
Subject: Re:Bug#700284: libghc-certificate-dev: incomplete basic constraint parsing breaks verisign certs
Date: Mon, 11 Feb 2013 09:37:42 +0100
Version: 1.3.5-1

Dear Thomas,

thanks for the report.

On Monday, 11.02.2013 at 01:35 +0100, Tomas Janousek wrote:
> Package: libghc-certificate-dev
> Version: 1.2.3-1+b1
> Severity: important
> Tags: patch
> 
> Hello,
> 
> since libghc-tls-extra-dev 0.4.6.1-1, certificate extensions are checked
> whether they are CA certs and cert signing is allowed. Verisign certs,
> however, encode basic constraints in a format that libghc-certificate-dev
> 1.2.3-1+b1 fails to parse, and connection to (some) verisign-signed sites
> fails.
> 
> An example of such a site is https://secure.gooddata.com/.
> 
> This is likely fixed by
> https://github.com/vincenthz/hs-certificate/commit/a156d857189fc880f7d0a2de3310e750994c766b

if that is the case, there is a fixed version waiting in experimental
and will migrate to unstable soon after the release.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata

Reply sent to Joachim Breitner <nomeata@debian.org>:
You have taken responsibility. (Sun, 10 Mar 2013 21:21:06 GMT)

Notification sent to Tomas Janousek <tomi@nomi.cz>:
Bug acknowledged by developer. (Sun, 10 Mar 2013 21:21:06 GMT)

Message #15 received at 700284-close@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: 700284-close@bugs.debian.org
Subject: Bug#700284: fixed in haskell-certificate 1.2.3-2
Date: Sun, 10 Mar 2013 21:17:37 +0000
Source: haskell-certificate
Source-Version: 1.2.3-2

We believe that the bug you reported is fixed in the latest version of
haskell-certificate, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700284@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Breitner <nomeata@debian.org> (supplier of updated haskell-certificate package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 10 Mar 2013 21:42:03 +0100
Source: haskell-certificate
Binary: libghc-certificate-dev libghc-certificate-prof libghc-certificate-doc
Architecture: source all amd64
Version: 1.2.3-2
Distribution: unstable
Urgency: low
Maintainer: Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>
Changed-By: Joachim Breitner <nomeata@debian.org>
Description: 
 libghc-certificate-dev - certificate and key Reader/Writer
 libghc-certificate-doc - certificate and key Reader/Writer; documentation
 libghc-certificate-prof - certificate and key Reader/Writer; profiling libraries
Closes: 700284
Changes: 
 haskell-certificate (1.2.3-2) unstable; urgency=low
 .
   * Apply upstream patch towards fixing bug #701593, prepared and tested by
     Joey Hess, Closes: #700284

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 27 Apr 2013 07:27:53 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:45:13 2014; Machine Name: buxtehude.debian.org