
Bug#784670: jessie-pu: package pound/2.6-6+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'd like to update pound in jessie to fix the ability to disable SSL client
renegotiation (#765649). The same patch was uploaded to sid a few days ago.
Wheezy and earlier are not affected by this specific issue.

After this patch is applied I can get an "A" score at SSLlabs with pound.


Cheers,
Thijs

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru pound-2.6/debian/changelog pound-2.6/debian/changelog
--- pound-2.6/debian/changelog	2014-10-19 23:49:01.000000000 +0000
+++ pound-2.6/debian/changelog	2015-05-07 16:30:55.000000000 +0000
@@ -1,3 +1,11 @@
+pound (2.6-6+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload by the security team with maintainer approval.
+  * Add missing part of anti_beast patch to fix disabling of client
+    renegotiation. (Closes: #765649)
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Tue, 05 May 2015 13:27:06 +0000
+
 pound (2.6-6) unstable; urgency=low
 
   * Add options to disable SSLv2 and SSLv3.
diff -Nru pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch
--- pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch	1970-01-01 00:00:00.000000000 +0000
+++ pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch	2015-05-07 16:30:22.000000000 +0000
@@ -0,0 +1,120 @@
+Added the missing parts that makes the option SSLAllowClientRenegotiation
+work as advertised, allowing client initiated renegotiation to be turned off.
+This patch is a compliment to the changes introduced in the 0001-anti_beast.patch, 
+which was missing the changes to http.c as seen in the original patch from 
+Joe Gooch <mrwizard@k12system.com> at:
+http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers.patch
+
+--- a/http.c
++++ b/http.c
+@@ -273,6 +273,11 @@
+ 
+ static int  err_to = -1;
+ 
++typedef struct {
++    int timeout;
++    RENEG_STATE *reneg_state;
++} BIO_ARG;
++
+ /*
+  * Time-out for client read/gets
+  * the SSL manual says not to do it, but it works well enough anyway...
+@@ -280,6 +285,7 @@
+ static long
+ bio_callback(BIO *const bio, const int cmd, const char *argp, int argi, long argl, long ret)
+ {
++    BIO_ARG *bio_arg;
+     struct pollfd   p;
+     int             to, p_res, p_err;
+ 
+@@ -287,11 +293,22 @@
+         return ret;
+ 
+     /* a time-out already occured */
+-    if((to = *((int *)BIO_get_callback_arg(bio)) * 1000) < 0) {
++    if((bio_arg = (BIO_ARG*)BIO_get_callback_arg(bio))==NULL) return ret;
++    if((to = bio_arg->timeout * 1000) < 0) {
+         errno = ETIMEDOUT;
+         return -1;
+     }
+ 
++    /* Renegotiations */
++    if (bio_arg->reneg_state != NULL && *bio_arg->reneg_state == RENEG_ABORT) {
++        logmsg(LOG_NOTICE, "REJECTING renegotiated session");
++        errno = ECONNABORTED;
++        return -1;
++    }
++
++    //logmsg(LOG_NOTICE, "TO %d", to);
++    if (to == 0) return ret;
++
+     for(;;) {
+         memset(&p, 0, sizeof(p));
+         BIO_get_fd(bio, &p.fd);
+@@ -326,7 +343,7 @@
+             return -1;
+         case 0:
+             /* timeout - mark the BIO as unusable for the future */
+-            BIO_set_callback_arg(bio, (char *)&err_to);
++            bio_arg->timeout = err_to;
+ #ifdef  EBUG
+             logmsg(LOG_WARNING, "(%lx) CALLBACK timeout poll after %d secs: %s",
+                 pthread_self(), to / 1000, strerror(p_err));
+@@ -531,6 +548,15 @@
+     struct linger       l;
+     double              start_req, end_req;
+ 
++    RENEG_STATE         reneg_state;
++    BIO_ARG             ba1, ba2;
++
++    reneg_state = RENEG_INIT;
++    ba1.reneg_state =  &reneg_state;
++    ba2.reneg_state = &reneg_state;
++    ba1.timeout = 0;
++    ba2.timeout = 0;
++
+     from_host = ((thr_arg *)arg)->from_host;
+     memcpy(&from_host_addr, from_host.ai_addr, from_host.ai_addrlen);
+     from_host.ai_addr = (struct sockaddr *)&from_host_addr;
+@@ -539,6 +565,8 @@
+     free(((thr_arg *)arg)->from_host.ai_addr);
+     free(arg);
+ 
++    if(lstn->allow_client_reneg) reneg_state = RENEG_ALLOW;
++
+     n = 1;
+     setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&n, sizeof(n));
+     l.l_onoff = 1;
+@@ -562,10 +590,10 @@
+         close(sock);
+         return;
+     }
+-    if(lstn->to > 0) {
+-        BIO_set_callback_arg(cl, (char *)&lstn->to);
+-        BIO_set_callback(cl, bio_callback);
+-    }
++
++    ba1.timeout = lstn->to;
++    BIO_set_callback_arg(cl, (char *)&ba1);
++    BIO_set_callback(cl, bio_callback);
+ 
+     if(lstn->ctx != NULL) {
+         if((ssl = SSL_new(lstn->ctx->ctx)) == NULL) {
+@@ -574,6 +602,7 @@
+             BIO_free_all(cl);
+             return;
+         }
++        SSL_set_app_data(ssl, &reneg_state);
+         SSL_set_bio(ssl, cl, cl);
+         if((bb = BIO_new(BIO_f_ssl())) == NULL) {
+             logmsg(LOG_WARNING, "(%lx) BIO_new(Bio_f_ssl()) failed", pthread_self());
+@@ -875,7 +904,8 @@
+             }
+             BIO_set_close(be, BIO_CLOSE);
+             if(backend->to > 0) {
+-                BIO_set_callback_arg(be, (char *)&backend->to);
++                ba2.timeout = backend->to;
++                BIO_set_callback_arg(be, (char *)&ba2);
+                 BIO_set_callback(be, bio_callback);
+             }
+             if(backend->ctx != NULL) {
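Review bot: The rejection log line added to bio_callback omits the thread id that the other logmsg calls visible in this file carry (`"(%lx) CALLBACK timeout poll ..."`, `"(%lx) BIO_new(Bio_f_ssl()) failed"`), so a rejected renegotiation cannot be correlated with the connection's other log entries; write it as `logmsg(LOG_NOTICE, "(%lx) REJECTING renegotiated session", pthread_self());`. The commented-out `//logmsg(LOG_NOTICE, "TO %d", to);` line just below it is leftover debug output and should be dropped rather than shipped in the patch. ba1, ba2 and reneg_state are automatic variables of the thread function and are handed to BIO_set_callback_arg and SSL_set_app_data, so the client and backend BIOs must be freed before that function returns; the hunks show neither its start nor its end, so this cannot be confirmed from here and deserves a comment next to the declarations stating the lifetime assumption. The patch header also says "compliment" where "complement" is meant.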
diff -Nru pound-2.6/debian/patches/series pound-2.6/debian/patches/series
--- pound-2.6/debian/patches/series	2014-10-19 23:50:51.000000000 +0000
+++ pound-2.6/debian/patches/series	2015-05-07 16:30:22.000000000 +0000
@@ -5,3 +5,4 @@
 0005-wait_on_semaphore_fix.patch
 0006-add_mkcalendar_support.patch
 0007-anti_poodle.patch
+0008-disable_client_initiated_renegotiation.patch
