Merge ~sergiodj/ubuntu/+source/net-snmp:bug1912389-segv-cert-longer-512-bytes-hirsute into ubuntu/+source/net-snmp:ubuntu/hirsute-devel
Status: | Approved |
---|---|
Approved by: | Sergio Durigan Junior |
Approved revision: | e0b7db537ae67053576d42571acccb3f47b36f3f |
Proposed branch: | ~sergiodj/ubuntu/+source/net-snmp:bug1912389-segv-cert-longer-512-bytes-hirsute |
Merge into: | ubuntu/+source/net-snmp:ubuntu/hirsute-devel |
Diff against target: | 143 lines (+115/-0), 4 files modified: debian/changelog (+12/-0), debian/patches/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch (+31/-0), debian/patches/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch (+70/-0), debian/patches/series (+2/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Lucas Kanashiro (community) | Approve | ||
Canonical Server Core Reviewers | Pending | ||
Review via email: mp+403299@code.launchpad.net |
Description of the change
This is the fix for bug 1912389 on Hirsute.
The bug is about snmpd segfaulting when two conditions are met:
1) Debug output is enabled (-D flag), and
2) The TLS certificate being used has an extension longer than 512 bytes.
The first condition is obviously easy to reproduce, but the second one is much trickier. After a while struggling with openssl and its very easy configuration (*ahem*), I was finally able to generate a self-signed certificate that triggers the issue. This is going to be an SRU for Hirsute, so I wrote detailed instructions on the bug; please take a look and let me know what you think.
The bug has been fixed upstream and is part of the new 5.9.1.rc1 release. Initially I thought about waiting to see if Debian would pick this up, but given that they're in freeze and the net-snmp maintainer hasn't touched the package since last year, I decided to backport this to Impish/Hirsute just in case. Worst case scenario, Debian will release a new net-snmp and then we can drop these patches.
You can find the proposed packages on the following PPA:
https:/
autopkgtest is still happy:
autopkgtest [20:00:20]: @@@@@@@
command1 PASS
LGTM, +1.