Seems there was a typo in bug number. Re-sending to apparently correct bug
---------- Forwarded message ---------- From: Jonathan Wiltshire <j...@debian.org> Date: 2011/12/14 Subject: Bug#619246: pu: mutt: diff for NMU version 1.5.20-9+squeeze2 CC: 619...@bugs.debian.org Package: release.debian.org Severity: normal Tags: patch squeeze User: release.debian....@packages.debian.org Usertags: pu Dear maintainer, I've prepared an NMU for mutt (versioned as 1.5.20-9+squeeze2) to fix a security problem. The diff is attached to this message and it is a backport of your fix in unstable. Please note that I am applying for release team approval to upload an NMU of this patch, if you do not object. Regards. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u mutt-1.5.20/debian/changelog mutt-1.5.20/debian/changelog --- mutt-1.5.20/debian/changelog +++ mutt-1.5.20/debian/changelog @@ -1,3 +1,12 @@ +mutt (1.5.20-9+squeeze2) stable; urgency=low + + * Non-maintainer upload. + * 619216-gnutls-CN-validation.patch: backport from unstable + Fixes the validation of the commonname in the gnutls code + (Closes: #619216) + + -- Jonathan Wiltshire <j...@debian.org> Wed, 14 Dec 2011 20:55:08 +0000 + mutt (1.5.20-9+squeeze1) unstable; urgency=low * upstream/537061-dont-recode-saved-attachments.patch: as the patch says, diff -u mutt-1.5.20/debian/patches/series mutt-1.5.20/debian/patches/series --- mutt-1.5.20/debian/patches/series +++ mutt-1.5.20/debian/patches/series @@ -61,6 +61,7 @@ upstream/573823-imap_internal_date upstream/542344-dont_fold_From_ upstream/537061-dont-recode-saved-attachments.patch +upstream/619216-gnutls-CN-validation.patch upstream/path_max misc/hyphen-as-minus.patch only in patch2: unchanged: --- mutt-1.5.20.orig/debian/patches/upstream/619216-gnutls-CN-validation.patch +++ mutt-1.5.20/debian/patches/upstream/619216-gnutls-CN-validation.patch @@ -0,0 +1,36 @@ +This patch addresses a security problem due to the fact that the validation of +the SSL CN is not correctly done in the gnutls-related code of mutt. + +The patch has been provided by hhorak on http://bugs.mutt.org/3506, the original +bug where the security problem was reported for Debian is +http://bugs.debian.org/619216 + +--- a/mutt_ssl_gnutls.c ++++ b/mutt_ssl_gnutls.c +@@ -999,6 +999,7 @@ + unsigned int cert_list_size = 0; + gnutls_certificate_status certstat; + int certerr, i, preauthrc, savedcert, rc = 0; ++ int rcpeer; + + if (gnutls_auth_get_type (state) != GNUTLS_CRD_CERTIFICATE) + { +@@ -1024,6 +1025,9 @@ + for (i = 0; i < cert_list_size; i++) { + rc = tls_check_preauth(&cert_list[i], certstat, conn->account.host, i, + &certerr, &savedcert); ++ if (i ==0) ++ rcpeer = rc; ++ + preauthrc += rc; + + if (savedcert) +@@ -1049,7 +1053,7 @@ + dprint (1, (debugfile, "error trusting certificate %d: %d\n", i, rc)); + + certstat = tls_verify_peers (state); +- if (!certstat) ++ if (!certstat && !rcpeer) + return 1; + } + }
signature.asc
Description: PGP signature
