security regression: SSL CN check breaks IRC proxy

Bug #565182 reported by Steve Langasek on 2010-04-17
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Irssi
New
Undecided
Unassigned
irssi (Ubuntu)
High
Steve Langasek
Hardy
High
Jamie Strandboge
Intrepid
High
Jamie Strandboge
Jaunty
High
Jamie Strandboge
Karmic
High
Jamie Strandboge
Lucid
High
Steve Langasek

Bug Description

Binary package hint: irssi

The latest security update for irssi breaks the use of SSL with proxies, because irssi tries to check the SSL cert's CN against the server name instead of against the proxy hostname.

Steve Langasek (vorlon) on 2010-04-17
Changed in irssi (Ubuntu Karmic):
status: New → Triaged
Changed in irssi (Ubuntu Lucid):
status: New → In Progress
Changed in irssi (Ubuntu Jaunty):
status: New → Triaged
Changed in irssi (Ubuntu Intrepid):
importance: Undecided → High
Changed in irssi (Ubuntu Lucid):
importance: Undecided → High
Changed in irssi (Ubuntu Karmic):
importance: Undecided → High
Changed in irssi (Ubuntu Jaunty):
importance: Undecided → High
Changed in irssi (Ubuntu Hardy):
importance: Undecided → High
tags: added: regression-update
Steve Langasek (vorlon) wrote :

Here's a debdiff to fix this. Have uploaded to lucid, waiting in the unapproved queue there.

Changed in irssi (Ubuntu Hardy):
status: New → Triaged
Changed in irssi (Ubuntu Intrepid):
status: New → Triaged
Changed in irssi (Ubuntu Lucid):
status: In Progress → Fix Committed
assignee: nobody → Steve Langasek (vorlon)
Changed in irssi (Ubuntu Hardy):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in irssi (Ubuntu Intrepid):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in irssi (Ubuntu Jaunty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in irssi (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.14-1ubuntu4

---------------
irssi (0.8.14-1ubuntu4) lucid; urgency=low

  * 91_ssl_proxy.patch: when we have a proxy setting, we expect the CN to
    match the proxy hostname, not the server hostname. LP: #565182
 -- Steve Langasek <email address hidden> Sat, 17 Apr 2010 04:18:10 +0000

Changed in irssi (Ubuntu Lucid):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thanks, Steve. I've forwarded the patch upstream and will roll this out to stable releases on Monday.

Changed in irssi (Ubuntu Hardy):
status: Triaged → In Progress
Changed in irssi (Ubuntu Intrepid):
status: Triaged → In Progress
Changed in irssi (Ubuntu Jaunty):
status: Triaged → In Progress
Changed in irssi (Ubuntu Karmic):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.14-1ubuntu1.2

---------------
irssi (0.8.14-1ubuntu1.2) karmic-security; urgency=low

  * debian/patches/91_ssl_proxy.patch: when we have a proxy setting, we expect
    the CN to match the proxy hostname, not the server hostname. Patch thanks
    to Steve Langasek. (LP: #565182)
 -- Jamie Strandboge <email address hidden> Mon, 19 Apr 2010 12:57:24 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.12-6ubuntu1.3

---------------
irssi (0.8.12-6ubuntu1.3) jaunty-security; urgency=low

  * debian/patches/91_ssl_proxy.patch: when we have a proxy setting, we expect
    the CN to match the proxy hostname, not the server hostname. Patch thanks
    to Steve Langasek. (LP: #565182)
 -- Jamie Strandboge <email address hidden> Mon, 19 Apr 2010 13:01:12 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.12-4ubuntu2.3

---------------
irssi (0.8.12-4ubuntu2.3) intrepid-security; urgency=low

  * debian/patches/91_ssl_proxy.patch: when we have a proxy setting, we expect
    the CN to match the proxy hostname, not the server hostname. Patch thanks
    to Steve Langasek. (LP: #565182)
 -- Jamie Strandboge <email address hidden> Mon, 19 Apr 2010 13:02:15 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.12-3ubuntu3.3

---------------
irssi (0.8.12-3ubuntu3.3) hardy-security; urgency=low

  * debian/patches/92_ssl_proxy.patch: when we have a proxy setting, we expect
    the CN to match the proxy hostname, not the server hostname. Patch thanks
    to Steve Langasek. (LP: #565182)
 -- Jamie Strandboge <email address hidden> Mon, 19 Apr 2010 13:03:33 -0500

Changed in irssi (Ubuntu Hardy):
status: In Progress → Fix Released
Changed in irssi (Ubuntu Intrepid):
status: In Progress → Fix Released
Changed in irssi (Ubuntu Jaunty):
status: In Progress → Fix Released
Changed in irssi (Ubuntu Karmic):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers