Control: tags -1 pending Control: severity -1 important On 2015-05-03 Andreas Metzler <ametz...@bebt.de> wrote: > tags -1 patch
> On 2015-04-18 Andreas Metzler <ametz...@bebt.de> wrote: > [...] >> I have just tried building mutt against gnutls 3.4.0 and got this >> build-error: >> ------------------------ > [...] >> /tmp/buildd/mutt-1.5.23/obj-i586-linux-gnu-patched/../mutt_ssl_gnutls.c:323: >> undefined reference to `gnutls_protocol_set_priority' >> collect2: error: ld returned 1 exit status >> Makefile:633: recipe for target 'mutt' failed >> ------------------------ > The issue is fixed in upstream HG, but the Debian package lost the > patch. Find attached a debdiff cherrypicking the relevant parts from > upstream HG, without the compatibility stuff for ancient (< 2.2.0) > GnuTLS. Hello, I have just uploaded a NMU with these changes to delayed/15: * upstream/624058-gnutls-deprecated.patch: Use gnutls_priority_set_direct() instead of gnutls_protocol_set_priority() together with gnutls_set_default_priority(). Cherrypick the relevant parts from upstream HG, without the compatibilty stuff for ancient (< 2.2.0) GnuTLS. Closes: #624058 Please tell me if I should delay further. Thanks, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
diff -Nru mutt-1.5.23/debian/changelog mutt-1.5.23/debian/changelog
--- mutt-1.5.23/debian/changelog 2014-12-04 22:11:02.000000000 +0100
+++ mutt-1.5.23/debian/changelog 2015-08-01 13:57:01.000000000 +0200
@@ -1,3 +1,14 @@
+mutt (1.5.23-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * upstream/624058-gnutls-deprecated.patch: Use gnutls_priority_set_direct()
+ instead of gnutls_protocol_set_priority() together with
+ gnutls_set_default_priority(). Cherrypick the relevant parts from upstream
+ HG, without the compatibilty stuff for ancient (< 2.2.0) GnuTLS.
+ Closes: #624058
+
+ -- Andreas Metzler <ametz...@debian.org> Sat, 01 Aug 2015 13:54:03 +0200
+
 mutt (1.5.23-3) unstable; urgency=medium
 
 * Fixed upstream/771125-CVE-2014-9116-jessie.patch thanks to Salvatore
diff -Nru mutt-1.5.23/debian/patches/series mutt-1.5.23/debian/patches/series
--- mutt-1.5.23/debian/patches/series 2014-12-04 22:11:02.000000000 +0100
+++ mutt-1.5.23/debian/patches/series 2015-08-01 13:47:26.000000000 +0200
@@ -35,6 +35,7 @@
 upstream/path_max.patch
 translations/update_german_translation.patch
 upstream/771125-CVE-2014-9116-jessie.patch
+upstream/624058-gnutls-deprecated.patch
 __separator__mutt.org.patch
 mutt-patched/sidebar.patch
 mutt-patched/sidebar-dotpathsep.patch
diff -Nru mutt-1.5.23/debian/patches/upstream/624058-gnutls-deprecated.patch mutt-1.5.23/debian/patches/upstream/624058-gnutls-deprecated.patch
--- mutt-1.5.23/debian/patches/upstream/624058-gnutls-deprecated.patch 1970-01-01 01:00:00.000000000 +0100
+++ mutt-1.5.23/debian/patches/upstream/624058-gnutls-deprecated.patch 2015-08-01 13:47:26.000000000 +0200
@@ -0,0 +1,109 @@
+Description: Use gnutls_priority_set_direct()
+ instead of gnutls_protocol_set_priority() together with
+ gnutls_set_default_priority(). Cherrypick the relevant parts from upstream
+ HG, without the compatibilty stuff for ancient (< 2.2.0) GnuTLS.
+Bug-Debian: https://bugs.debian.org/624058
+Origin: upstream, http://dev.mutt.org/hg/mutt/rev/48f5e2a51809
+Forwarded: not-needed
+
+--- mutt-1.5.23.orig/mutt_ssl_gnutls.c
++++ mutt-1.5.23/mutt_ssl_gnutls.c
+@@ -238,11 +238,51 @@ err_crt:
+ gnutls_x509_crt_deinit (clientcrt);
+ }
+
+-/* This array needs to be large enough to hold all the possible values support
+- * by Mutt. The initialized values are just placeholders--the array gets
+- * overwrriten in tls_negotiate() depending on the $ssl_use_* options.
+- */
+-static int protocol_priority[] = {GNUTLS_TLS1_2, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0};
++static int tls_set_priority(tlssockdata *data)
++{
++ size_t nproto = 4;
++ char priority[SHORT_STRING];
++ int err;
++
++ priority[0] = 0;
++ safe_strcat (priority, sizeof (priority), "NORMAL");
++
++ if (! option(OPTTLSV1_2))
++ {
++ nproto--;
++ safe_strcat (priority, sizeof (priority), ":-VERS-TLS1.2");
++ }
++ if (! option(OPTTLSV1_1))
++ {
++ nproto--;
++ safe_strcat (priority, sizeof (priority), ":-VERS-TLS1.1");
++ }
++ if (! option(OPTTLSV1))
++ {
++ nproto--;
++ safe_strcat (priority, sizeof (priority), ":-VERS-TLS1.0");
++ }
++ if (! option(OPTSSLV3))
++ {
++ nproto--;
++ safe_strcat (priority, sizeof (priority), ":-VERS-SSL3.0");
++ }
++
++ if (nproto == 0)
++ {
++ mutt_error (_("All available protocols for TLS/SSL connection disabled"));
++ return -1;
++ }
++
++ if ((err = gnutls_priority_set_direct (data->state, priority, NULL)) < 0)
++ {
++ mutt_error ("gnutls_priority_set_direct(%s): %s", priority, gnutls_strerror(err));
++ mutt_sleep (2);
++ return -1;
++ }
++
++ return 0;
++}
+
+ /* tls_negotiate: After TLS state has been initialized, attempt to negotiate
+ * TLS over the wire, including certificate checks. */
+@@ -250,7 +290,6 @@ static int tls_negotiate (CONNECTION * c
+ {
+ tlssockdata *data;
+ int err;
+- size_t nproto = 0; /* number of tls/ssl protocols */
+
+ data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata));
+ conn->sockdata = data;
+@@ -295,32 +334,9 @@ static int tls_negotiate (CONNECTION * c
+
+ /* set socket */
+ gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd);
+-
+- if (option(OPTTLSV1_2))
+- protocol_priority[nproto++] = GNUTLS_TLS1_2;
+- if (option(OPTTLSV1_1))
+- protocol_priority[nproto++] = GNUTLS_TLS1_1;
+- if (option(OPTTLSV1))
+- protocol_priority[nproto++] = GNUTLS_TLS1;
+- if (option(OPTSSLV3))
+- protocol_priority[nproto++] = GNUTLS_SSL3;
+- protocol_priority[nproto] = 0;
+-
+- /* disable TLS/SSL protocols as needed */
+- if (nproto == 0)
+- {
+- mutt_error (_("All available protocols for TLS/SSL connection disabled"));
++ if (tls_set_priority(data) < 0) {
+ goto fail;
+ }
+- /*
+- else
+- use the list set above
+- */
+-
+- /* We use default priorities (see gnutls documentation),
+- except for protocol version */
+- gnutls_set_default_priority (data->state);
+- gnutls_protocol_set_priority (data->state, protocol_priority);
+
+ if (SslDHPrimeBits > 0)
+ {
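Review bot: In the new `tls_set_priority`, the `nproto == 0` check counts Mutt's four options rather than the protocol versions that `NORMAL` actually enables in the linked GnuTLS, and versions are now restricted only by subtracting `:-VERS-*` entries from that library-defined set. If the library's `NORMAL` omits SSL 3.0 (I believe GnuTLS 3.4.0 does, to be confirmed), a configuration that leaves only `OPTSSLV3` set passes the check with no usable version and fails later at the handshake with a less specific error; any version Mutt has no option for also stays enabled. The function has no header comment, unlike `tls_negotiate` right below it, so I would add `/* tls_set_priority: build the GnuTLS priority string as NORMAL minus the protocol versions the user disabled; returns 0 on success, -1 on error. */` and state the dependence on the library's `NORMAL` set there. The `"gnutls_priority_set_direct(%s): %s"` message is also not wrapped in `_()` like the other `mutt_error` call in the function.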