Your message dated Sun, 14 Dec 2014 21:49:38 +0000
with message-id <e1y0h2o-00019x...@franck.debian.org>
and subject line Bug#772040: fixed in syncevolution 1.4.99.4-3
has caused the Debian Bug report #772040,
regarding syncevolution-http: syncevo-http-server script uses SSLv3, no TLS support
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
772040: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772040
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: syncevolution-http
Version: 1.4.99.4-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
syncevo-http-server only supports SSLv3 and no TLS connections when using HTTPS. This is
1. a potential security risk, as shown by the POODLE attack
2. a problem with the SyncML client of syncevolution in sid and jessie, as SSLv3 connections won't work anymore ('Error performing TLS handshake: GnuTLS internal error.') when using HTTPS. So the Syncevolution SyncML client can't connect to the SyncML server provided by the same version of syncevolution.
The fix is rather small. A patch against upstream (no debdiff) is attached.
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12.7-05353-g11687ee (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages syncevolution-http depends on:
ii dbus-x11 1.8.12-1
ii python 2.7.8-2
ii python-dbus 1.2.0-2+b3
ii python-gobject 3.14.0-1
ii python-openssl 0.14-1
ii python-twisted-web 14.0.2-2
ii syncevolution-dbus 1.4.99.4-2+b1
syncevolution-http recommends no packages.
syncevolution-http suggests no packages.
-- no debconf information
diff --git a/test/syncevo-http-server.py b/test/syncevo-http-server.py
index 57210ae..6c14088 100755
--- a/test/syncevo-http-server.py
+++ b/test/syncevo-http-server.py
@@ -40,7 +40,7 @@ timeout=100000
class ChainedOpenSSLContextFactory(ssl.DefaultOpenSSLContextFactory):
def __init__(self, privateKeyFileName, certificateChainFileName,
- sslmethod = SSL.SSLv3_METHOD):
+ sslmethod = SSL.TLSv1_METHOD):
"""
@param privateKeyFileName: Name of a file containing a private key
@param certificateChainFileName: Name of a file containing a certificate chain
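Review bot: `SSL.TLSv1_METHOD` is a version-specific method, so the new default pins the server to exactly TLS 1.0 and will refuse a client that only offers TLS 1.1 or 1.2; it removes SSLv3 but keeps the single-version shape that caused the breakage in the first place. Prefer the version-flexible `SSL.SSLv23_METHOD` as the default here and, where the context is actually created (not part of this hunk), add `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)` so SSLv3 stays disabled while newer TLS versions remain negotiable. The docstring that follows also lists only the two file parameters; an `@param sslmethod` line stating the new default would help whoever next touches this.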
--- End Message ---
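An added example, not taken from the bug report, the attached patch or the syncevolution project, showing the policy choice behind the report with Python's stdlib `ssl` module (chosen because it installs everywhere, where pyOpenSSL may not): a server context pinned to a single protocol version, which is the shape of both `SSL.SSLv3_METHOD` and its `SSL.TLSv1_METHOD` replacement, next to a version-flexible context with the legacy floor raised, which is what `SSL.SSLv23_METHOD` plus `OP_NO_SSLv3` gives under pyOpenSSL. The stdlib can no longer build an SSLv3-only context, so the report's own scenario appears only as a constructed version list; the helper names, the two client offers and the one-line negotiation rule are this example's own assumptions.

```python
"""Server-side TLS version policy, pinned versus flexible, with stdlib ssl.

Added example; not code from syncevolution, Twisted or the attached patch.
Every name below is this example's own.
"""
import ssl

# Protocol versions this OpenSSL build can speak at all, lowest first.
# Modern builds report HAS_SSLv3 == False, so SSLv3 usually drops out here.
SUPPORTED = [
    version
    for version, available in (
        (ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
        (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
        (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
        (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
        (ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
    )
    if available
]


def pinned_server_context(version=ssl.TLSVersion.TLSv1_2):
    """The shape of SSLv3_METHOD and of the patch's TLSv1_METHOD: exactly one
    protocol version is spoken, so a client that no longer offers that
    version cannot connect at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def flexible_server_context(floor=ssl.TLSVersion.TLSv1_2):
    """The shape of SSLv23_METHOD plus OP_NO_SSLv2|OP_NO_SSLv3: negotiate the
    highest version both sides support, refuse everything below `floor`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # Redundant with minimum_version on Python 3.7+; kept to mirror the
    # pyOpenSSL option flags the same fix would use.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def accepted_versions(ctx):
    """Resolve a context's min/max bounds into the concrete versions it will
    agree to, in ascending order."""
    low, high = ctx.minimum_version, ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = SUPPORTED[0]
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = SUPPORTED[-1]
    return [v for v in SUPPORTED if low <= v <= high]


def negotiated_version(server_versions, client_versions):
    """Version negotiation reduced to its rule: the highest version both sides
    list, or None when there is no overlap. None is the handshake failure the
    bug report quotes ('Error performing TLS handshake')."""
    common = set(server_versions) & set(client_versions)
    return max(common) if common else None


# Constructed client offers (assumptions, not measured from any real client).
# A client that, like the GnuTLS-based SyncML client in the report, no longer offers SSLv3:
NO_SSLV3_CLIENT = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2]
# A stricter client that offers only TLS 1.2 and newer:
MODERN_CLIENT = [ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def scenarios():
    """Three server policies against the two constructed clients; values are
    the negotiated version's name, or None when the handshake fails."""
    sslv3_only = [ssl.TLSVersion.SSLv3]   # the original script; not buildable here
    tls10_only = [ssl.TLSVersion.TLSv1]   # what the attached patch produces
    flexible = accepted_versions(flexible_server_context())
    outcomes = {
        "SSLv3-only vs no-SSLv3 client": negotiated_version(sslv3_only, NO_SSLV3_CLIENT),
        "TLSv1-only vs TLS1.2+ client": negotiated_version(tls10_only, MODERN_CLIENT),
        "flexible vs no-SSLv3 client": negotiated_version(flexible, NO_SSLV3_CLIENT),
        "flexible vs TLS1.2+ client": negotiated_version(flexible, MODERN_CLIENT),
    }
    return {label: (v.name if v is not None else None) for label, v in outcomes.items()}


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: {outcome or 'handshake fails'}")
```

The first two scenarios fail for the same structural reason: a server that speaks one fixed version has nothing to negotiate with a client that has moved on, whether that version is SSLv3 today or TLS 1.0 tomorrow. The flexible context keeps working as clients drop old versions, and the floor is the only knob that needs revisiting.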
--- Begin Message ---
Source: syncevolution
Source-Version: 1.4.99.4-3
We believe that the bug you reported is fixed in the latest version of
syncevolution, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 772...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tino Mettler <tino+deb...@tikei.de> (supplier of updated syncevolution package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 04 Dec 2014 22:44:49 +0100
Source: syncevolution
Binary: syncevolution sync-ui syncevolution-common syncevolution-libs syncevolution-libs-gnome syncevolution-libs-kde syncevolution-dbus syncevolution-http syncevolution-dbg libsyncevolution0 libsyncevo-dbus0 libgdbussyncevo0
Architecture: source amd64 all
Version: 1.4.99.4-3
Distribution: unstable
Urgency: medium
Maintainer: Tino Mettler <tino+deb...@tikei.de>
Changed-By: Tino Mettler <tino+deb...@tikei.de>
Description:
libgdbussyncevo0 - Sync personal information data using SyncML and CalDAV/CardDAV (s
libsyncevo-dbus0 - Sync personal information data using SyncML and CalDAV/CardDAV (s
libsyncevolution0 - Sync personal information data using SyncML and CalDAV/CardDAV (s
sync-ui - Sync personal information data using SyncML and CalDAV/CardDAV (G
syncevolution - Sync personal information data using SyncML and CalDAV/CardDAV (C
syncevolution-common - Sync personal information data using SyncML and CalDAV/CardDAV
syncevolution-dbg - Sync personal information data using SyncML and CalDAV/CardDAV (d
syncevolution-dbus - Sync personal information data using SyncML and CalDAV/CardDAV (D
syncevolution-http - Sync personal information data using SyncML and CalDAV/CardDAV (H
syncevolution-libs - Sync personal information data using SyncML and CalDAV/CardDAV (l
syncevolution-libs-gnome - Sync personal information data using SyncML and CalDAV/CardDAV (l
syncevolution-libs-kde - Sync personal information data using SyncML and CalDAV/CardDAV (l
Closes: 772040
Changes:
syncevolution (1.4.99.4-3) unstable; urgency=medium
.
* Use TLS instead of SSLv3 in SyncML server script (Closes: #772040)
Checksums-Sha1:
eb5ca887b1e847b38b07b0d5148a5de9d592e8c7 3082 syncevolution_1.4.99.4-3.dsc
b96ebcc50feddc52099ff9b9522551324478c4fe 13008 syncevolution_1.4.99.4-3.debian.tar.xz
1edbbd3341f5a3798ca04b2c918122480cc6fb38 248030 syncevolution_1.4.99.4-3_amd64.deb
00a4d7a6676d0046f5d8d99370faaf00838b98f5 48418 sync-ui_1.4.99.4-3_amd64.deb
94f3b2c319f91e4e8d07b835f0ee055a8fdbbdd9 121506 syncevolution-common_1.4.99.4-3_all.deb
69b11fdb34eae0d64fd8353f29b785b1a0963658 260448 syncevolution-libs_1.4.99.4-3_amd64.deb
2484711ea1973a07074adcea6e91ee92c8f66652 172898 syncevolution-libs-gnome_1.4.99.4-3_amd64.deb
cffdacb3e0198dc50781b824016c81118d3b6670 93710 syncevolution-libs-kde_1.4.99.4-3_amd64.deb
9985e1681c19b32dc909d475522c09a4d4738707 521654 syncevolution-dbus_1.4.99.4-3_amd64.deb
50c39cb7a56c1e24bf922bddfd4750e93128ae8f 14732 syncevolution-http_1.4.99.4-3_all.deb
f0a929b22ca5f63e3f812119d3303981c148d5ff 27945440 syncevolution-dbg_1.4.99.4-3_amd64.deb
fdec2534d6d0897b292e4b6f870c0b54dca4ca5c 865822 libsyncevolution0_1.4.99.4-3_amd64.deb
3a1c6eae485b39e0d6fe2f4f7d2eeb2aeb809034 19868 libsyncevo-dbus0_1.4.99.4-3_amd64.deb
0b63e557ae6898276d4ac8f1c0692a29e25aecaf 24574 libgdbussyncevo0_1.4.99.4-3_amd64.deb
Checksums-Sha256:
9eb9dca7fbe4102918173063b385cc630b523aeadcfc73ac8800bb01e040d81a 3082 syncevolution_1.4.99.4-3.dsc
896a8433d29e09231cbeef79d5cdf001b51f762ba8a802743657f55f0b71a651 13008 syncevolution_1.4.99.4-3.debian.tar.xz
b397b2f392e2dc3f45edf94146630b0cc7c217ac118d6ff847069509b635f07d 248030 syncevolution_1.4.99.4-3_amd64.deb
ab75d73206180d833fcf56a5201534a28af4769a39e18e15803f4970ce2dac41 48418 sync-ui_1.4.99.4-3_amd64.deb
ba4c86b8b5af3bf9b748064774abcbb1ec70ec3a9cfd8b528d65b2eb98c52449 121506 syncevolution-common_1.4.99.4-3_all.deb
1e5423ad2e3e89d1880955f049c276ff61714d8512ed3d72a955cdd69c52f60a 260448 syncevolution-libs_1.4.99.4-3_amd64.deb
ec13d08528c53630626a537a2850603a06df0bcc0378368456222574cfb9dbf4 172898 syncevolution-libs-gnome_1.4.99.4-3_amd64.deb
c65a1fbff152034fd357f47946d29da724e216605e58f7a70b9e46602ef882b7 93710 syncevolution-libs-kde_1.4.99.4-3_amd64.deb
0105c03034d4ef5669cdfcff1bcdeac88cb85c1a3f4c02a1b0d9307b0f404e1e 521654 syncevolution-dbus_1.4.99.4-3_amd64.deb
20e040ece8dd9c6e059f295256f3163dbcd9625deefaa83aafec761324901791 14732 syncevolution-http_1.4.99.4-3_all.deb
ccedfb7bfe8b4366d93e57275475ed7313633b3b9fd81afd8d805bcb1a80f61c 27945440 syncevolution-dbg_1.4.99.4-3_amd64.deb
63cfe673a73f5c48d838d1b8a75575e9b6b4f5f9cfa12904411b8f1ccacdb8c9 865822 libsyncevolution0_1.4.99.4-3_amd64.deb
8062c1a0701bf00700d2f13128528e3c5c287f10616e596265e398f4ad9d63e8 19868 libsyncevo-dbus0_1.4.99.4-3_amd64.deb
46742b2f3a5e7849fb6d67c9e7cfe6969cf8506536c34c7744c477fe686fb4e2 24574 libgdbussyncevo0_1.4.99.4-3_amd64.deb
Files:
bfb8b917fad1ebcb9d4c8ab60d86beae 3082 utils optional syncevolution_1.4.99.4-3.dsc
44ef7583a4e5e07f3e37dfb9e7b78e1c 13008 utils optional syncevolution_1.4.99.4-3.debian.tar.xz
fad510ef864e1d84303e38147c4d566c 248030 utils optional syncevolution_1.4.99.4-3_amd64.deb
9269e4230e7f80b094dde71b76731b77 48418 utils optional sync-ui_1.4.99.4-3_amd64.deb
10ec53353263ed78407805ded50f5186 121506 utils optional syncevolution-common_1.4.99.4-3_all.deb
60fced20de36cdf2b3cc2240cac5847e 260448 utils optional syncevolution-libs_1.4.99.4-3_amd64.deb
9899bfa9199992aed640c942c6b49f94 172898 utils optional syncevolution-libs-gnome_1.4.99.4-3_amd64.deb
c1cd891848810d4b323a214f7bfb4d2e 93710 utils optional syncevolution-libs-kde_1.4.99.4-3_amd64.deb
326a21e1c19c817eb15e3ae81fc673cd 521654 utils optional syncevolution-dbus_1.4.99.4-3_amd64.deb
74cdfbb9cadd49fdde71e350226494cb 14732 utils optional syncevolution-http_1.4.99.4-3_all.deb
ce05000d50dcca993195748c30372e8f 27945440 debug extra syncevolution-dbg_1.4.99.4-3_amd64.deb
7fe011c5362db556d437c1ada87168a7 865822 utils optional libsyncevolution0_1.4.99.4-3_amd64.deb
db668e6e0de2129cd8fa125b123b5674 19868 utils optional libsyncevo-dbus0_1.4.99.4-3_amd64.deb
69bf7d1435375ba8d46c16eb012ddb23 24574 utils optional libgdbussyncevo0_1.4.99.4-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=23Yz
-----END PGP SIGNATURE-----
--- End Message ---