security regression: SSL CN check breaks IRC proxy

Bug #565182 reported by Steve Langasek
Affects          Status         Importance   Assigned to        Milestone
Irssi            New            Undecided    Unassigned
irssi (Ubuntu)   Fix Released   High         Steve Langasek
  Hardy          Fix Released   High         Jamie Strandboge
  Intrepid       Fix Released   High         Jamie Strandboge
  Jaunty         Fix Released   High         Jamie Strandboge
  Karmic         Fix Released   High         Jamie Strandboge
  Lucid          Fix Released   High         Steve Langasek

Bug Description

Binary package hint: irssi

The latest security update for irssi breaks the use of SSL with proxies, because irssi tries to check the SSL cert's CN against the server name instead of against the proxy hostname.

Steve Langasek (vorlon)
Changed in irssi (Ubuntu Karmic):
status: New → Triaged
Changed in irssi (Ubuntu Lucid):
status: New → In Progress
Changed in irssi (Ubuntu Jaunty):
status: New → Triaged
Changed in irssi (Ubuntu Intrepid):
importance: Undecided → High
Changed in irssi (Ubuntu Lucid):
importance: Undecided → High
Changed in irssi (Ubuntu Karmic):
importance: Undecided → High
Changed in irssi (Ubuntu Jaunty):
importance: Undecided → High
Changed in irssi (Ubuntu Hardy):
importance: Undecided → High
tags: added: regression-update
Steve Langasek (vorlon) wrote :

Here's a debdiff to fix this. Have uploaded to lucid, waiting in the unapproved queue there.

Changed in irssi (Ubuntu Hardy):
status: New → Triaged
Changed in irssi (Ubuntu Intrepid):
status: New → Triaged
Changed in irssi (Ubuntu Lucid):
status: In Progress → Fix Committed
assignee: nobody → Steve Langasek (vorlon)
Changed in irssi (Ubuntu Hardy):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in irssi (Ubuntu Intrepid):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in irssi (Ubuntu Jaunty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in irssi (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.14-1ubuntu4

---------------
irssi (0.8.14-1ubuntu4) lucid; urgency=low

  * 91_ssl_proxy.patch: when we have a proxy setting, we expect the CN to
    match the proxy hostname, not the server hostname. LP: #565182
 -- Steve Langasek <email address hidden> Sat, 17 Apr 2010 04:18:10 +0000

Changed in irssi (Ubuntu Lucid):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thanks, Steve. I've forwarded the patch upstream and will roll this out to stable releases on Monday.

Changed in irssi (Ubuntu Hardy):
status: Triaged → In Progress
Changed in irssi (Ubuntu Intrepid):
status: Triaged → In Progress
Changed in irssi (Ubuntu Jaunty):
status: Triaged → In Progress
Changed in irssi (Ubuntu Karmic):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.14-1ubuntu1.2

---------------
irssi (0.8.14-1ubuntu1.2) karmic-security; urgency=low

  * debian/patches/91_ssl_proxy.patch: when we have a proxy setting, we expect
    the CN to match the proxy hostname, not the server hostname. Patch thanks
    to Steve Langasek. (LP: #565182)
 -- Jamie Strandboge <email address hidden> Mon, 19 Apr 2010 12:57:24 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.12-6ubuntu1.3

---------------
irssi (0.8.12-6ubuntu1.3) jaunty-security; urgency=low

  * debian/patches/91_ssl_proxy.patch: when we have a proxy setting, we expect
    the CN to match the proxy hostname, not the server hostname. Patch thanks
    to Steve Langasek. (LP: #565182)
 -- Jamie Strandboge <email address hidden> Mon, 19 Apr 2010 13:01:12 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.12-4ubuntu2.3

---------------
irssi (0.8.12-4ubuntu2.3) intrepid-security; urgency=low

  * debian/patches/91_ssl_proxy.patch: when we have a proxy setting, we expect
    the CN to match the proxy hostname, not the server hostname. Patch thanks
    to Steve Langasek. (LP: #565182)
 -- Jamie Strandboge <email address hidden> Mon, 19 Apr 2010 13:02:15 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package irssi - 0.8.12-3ubuntu3.3

---------------
irssi (0.8.12-3ubuntu3.3) hardy-security; urgency=low

  * debian/patches/92_ssl_proxy.patch: when we have a proxy setting, we expect
    the CN to match the proxy hostname, not the server hostname. Patch thanks
    to Steve Langasek. (LP: #565182)
 -- Jamie Strandboge <email address hidden> Mon, 19 Apr 2010 13:03:33 -0500

Changed in irssi (Ubuntu Hardy):
status: In Progress → Fix Released
Changed in irssi (Ubuntu Intrepid):
status: In Progress → Fix Released
Changed in irssi (Ubuntu Jaunty):
status: In Progress → Fix Released
Changed in irssi (Ubuntu Karmic):
status: In Progress → Fix Released
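
The name-selection rule from the bug description and the 91_ssl_proxy.patch changelog entries, as an added example that is not irssi's code or the patch itself: the certificate CN is compared with the name of the host that presents the certificate, which is the proxy when one is configured. The struct, the function names, the sample hostnames and the single-label wildcard policy are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical settings; field names are assumptions, not irssi's. */
struct conn_settings {
    const char *server_host; /* IRC server the user wants to reach */
    const char *proxy_host;  /* NULL or "" when no proxy is configured */
};

static bool eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* CN match; a leading "*." covers one left-most label (assumed policy). */
bool cn_matches(const char *cn, const char *host)
{
    const char *dot = host ? strchr(host, '.') : NULL;
    if (cn == NULL || host == NULL || *host == '\0') return false;
    if (strncmp(cn, "*.", 2) == 0)
        return dot != NULL && dot != host && eq_nocase(cn + 1, dot);
    return eq_nocase(cn, host);
}

/* Regressed check from the report: always compares with the server name. */
bool check_regressed(const struct conn_settings *c, const char *cert_cn)
{
    return cn_matches(cert_cn, c->server_host);
}

/* Check as the changelog describes: proxy name when a proxy is set. */
bool check_fixed(const struct conn_settings *c, const char *cert_cn)
{
    bool via_proxy = c->proxy_host != NULL && *c->proxy_host != '\0';
    return cn_matches(cert_cn, via_proxy ? c->proxy_host : c->server_host);
}

int main(void)
{
    /* Constructed sample: the proxy presents a certificate for its own name. */
    struct conn_settings c = { "irc.example.org", "proxy.example.net" };
    printf("regressed=%d fixed=%d\n", check_regressed(&c, "proxy.example.net"),
           check_fixed(&c, "proxy.example.net"));
    return 0;
}
```

With a proxy configured, the fixed check also refuses a certificate issued for the server name, since in this setup that host is not the SSL peer.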