Debian Bug report logs - #701593
reversion caused by security chain fix

Package: libghc-tls-extra-dev; Maintainer for libghc-tls-extra-dev is Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>; Source for libghc-tls-extra-dev is src:haskell-tls-extra.

Reported by: Joey Hess <joeyh@debian.org>

Date: Sun, 24 Feb 2013 20:21:02 UTC

Severity: serious

Found in version haskell-tls-extra/0.4.6.1-1

Fixed in version haskell-tls-extra/0.4.6.1-2

Done: Joachim Breitner <nomeata@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/vincenthz/hs-tls/issues/32


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>:
Bug#701593; Package libghc-tls-extra-dev. (Sun, 24 Feb 2013 20:21:04 GMT)

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>. (Sun, 24 Feb 2013 20:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: reversion caused by security chain fix
Date: Sun, 24 Feb 2013 15:08:36 -0400
Package: libghc-tls-extra-dev
Version: 0.4.6.1-1
Severity: serious

The security fix in this release seems to have caused a reversion
which rejects certificates that everything else accepts as valid.

Among the certificates now rejected is www.box.com, which is a problem
for me with git-annex. Others may be more interested to see that it now
rejects www.google.com's certificate. :P

Upstream bug report: https://github.com/vincenthz/hs-tls/issues/32

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libghc-tls-extra-dev depends on:
ii  ghc [libghc-time-dev-1.4-3e186]                              7.4.1-4
ii  libc6                                                        2.13-38
ii  libffi5                                                      3.0.10-3
pn  libghc-base-dev-4.5.0.0-c8e71                                <none>
pn  libghc-bytestring-dev-0.9.2.1-4adca                          <none>
ii  libghc-certificate-dev [libghc-certificate-dev-1.2.3-97278]  1.2.3-1+b1
ii  libghc-crypto-api-dev [libghc-crypto-api-dev-0.10.2-4102c]   0.10.2-1+b2
ii  libghc-cryptocipher-dev [libghc-cryptocipher-dev-0.3.5-46e4  0.3.5-1+b1
ii  libghc-cryptohash-dev [libghc-cryptohash-dev-0.7.5-e9a2a]    0.7.5-1+b2
ii  libghc-mtl-dev [libghc-mtl-dev-2.1.1-ae9b4]                  2.1.1-1
ii  libghc-network-dev [libghc-network-dev-2.3.0.13-6b330]       2.3.0.13-1+b2
ii  libghc-pem-dev [libghc-pem-dev-0.1.1-84ae4]                  0.1.1-1+b3
ii  libghc-text-dev [libghc-text-dev-0.11.2.0-a625b]             0.11.2.0-1
ii  libghc-tls-dev [libghc-tls-dev-0.9.5-40f43]                  0.9.5-1+b2
ii  libghc-vector-dev [libghc-vector-dev-0.9.1-81be4]            0.9.1-2+b1
ii  libgmp10                                                     2:5.0.5+dfsg-2

libghc-tls-extra-dev recommends no packages.

Versions of packages libghc-tls-extra-dev suggests:
pn  libghc-tls-extra-doc   <none>
ii  libghc-tls-extra-prof  0.4.6.1-1

-- no debconf information

-- 
see shy jo

Set Bug forwarded-to-address to 'https://github.com/vincenthz/hs-tls/issues/32'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Feb 2013 21:12:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>:
Bug#701593; Package libghc-tls-extra-dev. (Sun, 10 Mar 2013 19:03:03 GMT)

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>. (Sun, 10 Mar 2013 19:03:03 GMT)

Message #12 received at 701593@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Joachim Breitner <nomeata@debian.org>
Cc: debian-haskell@lists.debian.org, 702151@bugs.debian.org, 701593@bugs.debian.org
Subject: Re: Bug#702151: RM: haskell-tls-extra/0.4.6.1-1
Date: Sun, 10 Mar 2013 15:02:04 -0400
Attached are minimal patches that seem to work. The haskell-certificate
change is direct from upstream git rev a156d857189fc880f7d0a2de3310e750994c766b, 
like vincenthz suggested. The minor haskell-tls-extra change mirrors what's
currently in upstream too.

I've tested using tls-debug's tls-retrievecertificate --verify -c, and
it looks correct both for sites with a valid trust chain
(www.google.com, www.box.com), as well as failing properly for sites
with self-signed and non-valid CAs (dev.mutt.org, munin.varnish-software.com).

The only site it doesn't seem to like that I've found is db.debian.org,
which Chromium says has a valid chain, but this fails for:

joey@wren:~/tmp/tls-debug-0.1.1>dist/build/tls-retrievecertificate/tls-retrievecertificate -d db.debian.org --verify -c
connecting to db.debian.org on port 443 ...
###### Certificate 1 ######
serial:   98
issuer:   [([1,2,840,113549,1,9,1],(IA5,"debian-admin@debian.org")),([2,5,4,3],(Printable,"ca.debian.org")),([2,5,4,10],(Printable,"Debian"))]
subject:  [([1,2,840,113549,1,9,1],(IA5,"debian-admin@debian.org")),([2,5,4,3],(Printable,"db.debian.org")),([2,5,4,10],(Printable,"Debian"))]
validity: (2013-03-01,31765s,True) to (2014-03-01,31765s,True)
###### Certificate 2 ######
serial:   3
issuer:   [([1,2,840,113549,1,9,1],(IA5,"hostmaster@spi-inc.org")),([2,5,4,3],(Printable,"Certificate Authority")),([2,5,4,6],(Printable,"US")),([2,5,4,7],(Printable,"Indianapolis")),([2,5,4,8],(Printable,"Indiana")),([2,5,4,10],(Printable,"Software in the Public Interest")),([2,5,4,11],(Printable,"hostmaster"))]
subject:  [([1,2,840,113549,1,9,1],(IA5,"debian-admin@debian.org")),([2,5,4,3],(Printable,"ca.debian.org")),([2,5,4,10],(Printable,"Debian"))]
validity: (2008-05-13,33200s,True) to (2018-05-10,33200s,True)
###### Certificate 3 ######
serial:   16757532242060383272
issuer:   [([1,2,840,113549,1,9,1],(IA5,"hostmaster@spi-inc.org")),([2,5,4,3],(Printable,"Certificate Authority")),([2,5,4,6],(Printable,"US")),([2,5,4,7],(Printable,"Indianapolis")),([2,5,4,8],(Printable,"Indiana")),([2,5,4,10],(Printable,"Software in the Public Interest")),([2,5,4,11],(Printable,"hostmaster"))]
subject:  [([1,2,840,113549,1,9,1],(IA5,"hostmaster@spi-inc.org")),([2,5,4,3],(Printable,"Certificate Authority")),([2,5,4,6],(Printable,"US")),([2,5,4,7],(Printable,"Indianapolis")),([2,5,4,8],(Printable,"Indiana")),([2,5,4,10],(Printable,"Software in the Public Interest")),([2,5,4,11],(Printable,"hostmaster"))]
validity: (2008-05-13,29276s,True) to (2018-05-11,29276s,True)
### certificate chain trust
chain validity : rejected: CertificateRejectOther "certificate is not allowed to sign another certificate"
time validity : accepted

However, the most recent upstream versions of tls-* behave identically,
so if this is a bug, it's a separate one. I've let upstream know.

Can someone get the packages updated with these patches and the binnmus
scheduled?

-- 
see shy jo
[haskell-certificate.patch (text/x-diff, attachment)]
[haskell-tls-extra.patch (text/x-diff, attachment)]
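The rejection shown in the db.debian.org run above, a certificate that is not marked as a CA being refused as the signer of the next certificate in the chain, reproduced with the path validation in Go's standard crypto/x509. This is an added example and not hs-tls, tls-debug or Debian code; the three-certificate chain, its hostnames (root.example.test, intermediate.example.test, db.example.test) and the helper names mkCert and ChainAccepted are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for host, signed by parent (self-signed when parent is nil).
// With isCA false no basicConstraints extension is written, so a validator must not let it sign.
func mkCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed, test-only serial
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: isCA, // false: extension omitted, as on a plain end-entity cert
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced above, parses cleanly
	return cert, key
}

// ChainAccepted builds root -> intermediate -> leaf (all names constructed) and runs
// Go's path validation. nil means the chain was accepted; with intermediateIsCA false
// Go refuses to build a chain through the intermediate, the same condition hs-tls
// reports as "certificate is not allowed to sign another certificate".
func ChainAccepted(intermediateIsCA bool) error {
	root, rootKey := mkCert("root.example.test", true, nil, nil)
	inter, interKey := mkCert("intermediate.example.test", intermediateIsCA, root, rootKey)
	leaf, _ := mkCert("db.example.test", false, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "db.example.test", Roots: roots, Intermediates: inters})
	return err
}
```

ChainAccepted(true) returns nil while ChainAccepted(false) returns an error, so a chain whose intermediate lacks basicConstraints CA:TRUE fails validation here just as it does in the tls-retrievecertificate output above.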

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>:
Bug#701593; Package libghc-tls-extra-dev. (Sun, 10 Mar 2013 21:00:03 GMT)

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>. (Sun, 10 Mar 2013 21:00:03 GMT)

Message #17 received at 701593@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: 702151@bugs.debian.org
Cc: debian-haskell@lists.debian.org, 701593@bugs.debian.org
Subject: Re: Bug#702151: RM: haskell-tls-extra/0.4.6.1-1
Date: Sun, 10 Mar 2013 21:56:02 +0100
Hi release team,

On Sunday, 10.03.2013, 15:02 -0400, Joey Hess wrote:
> Can someone get the packages updated with these patches and the binnmus
> scheduled?

thanks to Joey for the patches, preparing packages right now.

This will require binNMUing the reverse dependencies of
libghc-certificate-dev, and possibly some of their reverse dependencies:

$ zcat unstable-main-binary-amd64-Packages.gz| grep-dctrl -F Depends libghc-certificate-dev-1.2.3-c4555 -s Package
Package: libghc-http-conduit-dev
Package: libghc-tls-dev
Package: libghc-tls-extra-dev
Package: libghc-warp-tls-dev

Theoretically, binNMUs would be sufficient. In practice, there is a
problem, and I’d like to hear from the release team what to do:
haskell-http-conduit is currently not buildable in unstable because it
depends on
        libghc-blaze-builder-conduit-dev (>> 0.4),
        libghc-blaze-builder-conduit-dev (<< 0.5)
but unstable has 0.5.0.1.is.really.0.4.0.2-1, which is identical to the
version 0.4.0.2-1 in testing and was uploaded after 0.5.0.1 accidentally
went to unstable.

So I see two approaches:
     A. Upload haskell-certificate and haskell-tls-extra with the fix for
        701593 to unstable. Upload a new revision of
        haskell-http-conduit that allows the 0.5.0.1.is.really.0.4.0.2-1
        version number, in order to get it buildable. Migrate (at
        least) haskell-certificate, haskell-tls-extra,
        haskell-blaze-builder-conduit and haskell-http-conduit to
        testing, in addition to the required binNMUs.
     B. Upload haskell-certificate and haskell-tls-extra with the fix for
        701593 to testing-proposed-updates. Do binNMUs there or in
        testing (I don’t know which of these is possible, if any). Have
        fewer source packages change in testing.

I’ll do the uploads to unstable in any case, but please let me know how
you want to get the fixes to testing.

Thanks,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata


Reply sent to Joachim Breitner <nomeata@debian.org>:
You have taken responsibility. (Sun, 10 Mar 2013 21:21:08 GMT)

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. (Sun, 10 Mar 2013 21:21:08 GMT)

Message #22 received at 701593-close@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: 701593-close@bugs.debian.org
Subject: Bug#701593: fixed in haskell-tls-extra 0.4.6.1-2
Date: Sun, 10 Mar 2013 21:17:50 +0000
Source: haskell-tls-extra
Source-Version: 0.4.6.1-2

We believe that the bug you reported is fixed in the latest version of
haskell-tls-extra, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701593@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Breitner <nomeata@debian.org> (supplier of updated haskell-tls-extra package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 10 Mar 2013 22:04:56 +0100
Source: haskell-tls-extra
Binary: libghc-tls-extra-dev libghc-tls-extra-prof libghc-tls-extra-doc
Architecture: source all amd64
Version: 0.4.6.1-2
Distribution: unstable
Urgency: low
Maintainer: Debian Haskell Group <pkg-haskell-maintainers@lists.alioth.debian.org>
Changed-By: Joachim Breitner <nomeata@debian.org>
Description: 
 libghc-tls-extra-dev - TLS extra default values and helpers
 libghc-tls-extra-doc - TLS extra default values and helpers; documentation
 libghc-tls-extra-prof - TLS extra default values and helpers; profiling libraries
Closes: 701593 702151
Changes: 
 haskell-tls-extra (0.4.6.1-2) unstable; urgency=low
 .
   * Fix regression introduced with the last commit, by adding compatibility
     with a corresponding change in haskell-certificate (Bug #700284), patch
     provided by Joey Hess. Closes: #701593.
     Also Closes: #702151, as the removal should no longer be necessary.
   * Stop pretending this has a different version, as we need to rebuild stuff
     anyways.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 27 Apr 2013 07:28:13 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:24:33 2014; Machine Name: beach.debian.org