GnuTLS bug in https method from apt-1.0.1ubuntu2.15 package
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gnutls28 (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
** NOTE **
Marking this as security vulnerability as it has the potential to exclude security updates from repositories using HTTPS protocol on Ubuntu 14.04 (perhaps when only going through a proxy).
I have four Ubuntu 14.04 boxes which have either Phusion Passenger, or Jenkins software installed. The repositories for these software packages are served over HTTPS protocol, rather than the customary HTTP:
:: # cat /etc/apt/
:: deb https:/
::
:: # cat /etc/apt/
:: deb https:/
When going through a Blue Coat proxy system (https:/
:: Hit http://
:: Err https:/
:: gnutls_handshake() failed: A TLS packet with unexpected length was received.
::
:: W: Failed to fetch https:/
:: /main/binary-
I've noticed the Ubuntu 14.04 https method (/usr/lib/
To test, I've checked the original /usr/lib/
:: # ldd /usr/lib/
:: linux-vdso.so.1 => (0x00007ffe2ff4
:: libapt-pkg.so.4.12 => /usr/lib/
:: libcurl-gnutls.so.4 => /usr/lib/
:: ...
I installed apt-1.0.1ubuntu2.15 source package using `apt-get source` and proceeded to build using the configure options shown here: https:/
This indeed produced a binary linked against libcurl-
:: # ldd /usr/lib/
:: ...
:: libcurl.so.4 => /usr/lib/
:: ...
:: libssl.so.1.0.0 => /lib/x86_
::
:: # cp /usr/lib/
::
:: # apt-get update
:: Get:1 http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Hit http://
:: Get:2 https:/
:: Ign https:/
:: Hit https:/
:: Hit https:/
:: Hit https:/
:: Hit https:/
:: Get:3 https:/
:: Ign https:/
:: ...
This appears to resolve the issue of trying to contact HTTPS repositories while going through a Blue Coat proxy (perhaps any proxy?). Would it be possible to have a package made available in Ubuntu 14.04 repos which is compiled against openssl instead of libcurl4-gnutls?
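An added example, not from the bug report or from apt itself: a small Python parser for `apt-get update` output that lists every source apt failed to fetch, taking the reason either from the indented line that follows an `Err` line (as in the output above, where the gnutls_handshake() message sits on its own line) or from the trailing `W: Failed to fetch` summary. A repository that fails this way silently stops delivering security updates, so this is the kind of check a fleet monitor should run. The sample output and hostnames are constructed for the example.

```python
import re

# Constructed sample modelled on the report's output; hosts are placeholders.
SAMPLE_OUTPUT = """\
Hit http://archive.example.net trusty-security InRelease
Err https://repo.example.com trusty InRelease
  gnutls_handshake() failed: A TLS packet with unexpected length was received.
Hit https://pkg.example.org trusty Release.gpg
Get:2 https://pkg.example.org trusty Release [7,596 B]
W: Failed to fetch https://repo.example.com/dists/trusty/InRelease  gnutls_handshake() failed: A TLS packet with unexpected length was received.
"""

ERR_LINE = re.compile(r"^Err\s+(\S+)\s+(.*)$")            # "Err <url> <suite> <file>"
WARN_LINE = re.compile(r"^W: Failed to fetch (\S+)\s+(.*)$")  # summary at end of run
# Reasons that point at the TLS layer rather than at a missing file.
TLS_FAILURE = re.compile(r"gnutls_handshake\(\) failed|certificate verification failed")


def parse_failures(output):
    """Return {source: reason} for every source apt could not fetch.

    An `Err` line carries its reason on the next indented line, so the
    last `Err` entry is kept open until a non-indented line arrives.
    """
    failures = {}
    pending = None
    for line in output.splitlines():
        if line.startswith((" ", "\t")) and pending is not None:
            failures[pending] = line.strip()   # reason for the open Err entry
            pending = None
            continue
        pending = None
        m = ERR_LINE.match(line)
        if m:
            url, rest = m.groups()
            pending = f"{url} {rest}"
            failures.setdefault(pending, "")   # reason may follow on next line
            continue
        m = WARN_LINE.match(line)
        if m:
            failures.setdefault(m.group(1), m.group(2).strip())
    return failures


def tls_failures(output):
    """Subset of parse_failures() whose reason is a TLS handshake/cert problem."""
    return {s: r for s, r in parse_failures(output).items() if TLS_FAILURE.search(r)}
```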
tags: added: gnutls
tags: added: apt apt-transport-https
tags: removed: apt-transport-https gnutls
tags: added: apt-transport-https; removed: apt
tags: added: apt gnutls
information type: Private Security → Public
affects: git (Ubuntu) → apt (Ubuntu)
OK, Launchpad lost the comment, so let me repeat it:
No, we cannot legally link APT's https method against OpenSSL, the licenses are not compatible.