| Summary: | Fix lftp certificate chain verification with cross-signed certificates by relying on gnutls functions | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Davy Defaud <davy.defaud> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/lavv17/lftp/issues/641 | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | lftp-4.9.2-2.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
Davy Defaud
2022-09-07 19:30:54 CEST

(In reply to Davy Defaud from comment #0)
> A connection to an FTP site secured by TLS with a cross-signed certificate in
> the chain is failing with lftp. For instance, a certificate from Let’s
> Encrypt will always be considered invalid because of the famous “DST Root CA
> X3 expiration”.
> See: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>
> See the upstream issue:
> https://github.com/lavv17/lftp/issues/641
>
> There’s already a fix merged upstream that will be included in the next release:
> https://github.com/lavv17/lftp/pull/642
>
> The patch can be applied directly to the latest version 4.9.2 as is, which
> is the current version both in MGA8 and Cauldron. It can be downloaded from
> GitHub:
>
> https://github.com/lavv17/lftp/commit/fd40ee3542d877c37ff129d5c9b02df21d20c6a0.patch
>
> I’ve successfully rebuilt the RPM locally on a Mageia 8. I think an update
> for MGA 8 would be useful... It should be included in Cauldron too, as there is
> no release planned anytime soon (4.9.2 has been released in August 2020!).

Thanks, Davy,

Assigning to all packagers collectively, since there is no registered maintainer for this package

CC: (none) => marja11

Suggested advisory:
========================

The updated packages fix lftp certificate chain verification with cross-signed certificates by relying on gnutls functions.

References:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://github.com/lavv17/lftp/issues/641
https://bugs.mageia.org/show_bug.cgi?id=30826
========================

Updated packages in core/updates_testing:
========================
lftp-4.9.2-2.1.mga8
lftp-scripts-4.9.2-2.1.mga8
lib(64)lftp0-4.9.2-2.1.mga8
lib(64)lftp-devel-4.9.2-2.1.mga8

from SRPM:
lftp-4.9.2-2.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)

MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Ref bug 23374 for testing, so

$ lftp mach1
lftp mach1:~> pwd
ftp://mach1
lftp mach1:~> user herman
Password:
lftp herman@mach1:~> ls
drwxr-xr-x 2 root root 4096 Sep 19 2005 2.6.9-11.EL
drwxr-xr-x 2 root root 4096 Sep 19 2005 2.6.9-11.ELsmp
and a load more......
lftp herman@mach1:~> reget wuustwezel.jpeg
82568 bytes transferred
lftp herman@mach1:~> exit
[tester8@mach7 ~]$ ls
Charts/ Documents/ go/ Pictures/ Templates/ testsqliteupdate Videos/
Desktop/ Downloads/ Music/ qa-testing/ Tester8_0x4F555794_SECRET.asc tmp/ wuustwezel.jpeg

Seems good to go.

CC: (none) => herman.viaene

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins
2022-09-16 20:23:16 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2022-0125.html

Status: ASSIGNED => RESOLVED
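
A simplified model of the failure this report describes, added here as an illustration; it is not lftp's or GnuTLS's code. The `Cert` record, both function names, the key ids and the dates are constructed, and it assumes the failing check anchors only the last certificate the server sends, while the working one stops at the first root it already trusts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # id of the subject's public key (constructed)
    signed_by: str  # id of the key that signed this certificate
    not_after: int  # expiry date as YYYYMMDD (constructed)

# Constructed sample data modelled on the Let's Encrypt cross-sign.
LEAF = Cert("ftp.example.test", "R3", "k-leaf", "k-r3", 20221201)
R3 = Cert("R3", "ISRG Root X1", "k-r3", "k-x1", 20250915)
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", "k-x1", "k-dst", 20240930)
PRESENTED = [LEAF, R3, X1_CROSS]  # chain as sent by the server
TRUST = {  # local trust store, keyed by subject
    "ISRG Root X1": Cert("ISRG Root X1", "ISRG Root X1", "k-x1", "k-x1", 20350604),
    "DST Root CA X3": Cert("DST Root CA X3", "DST Root CA X3", "k-dst", "k-dst", 20210930),
}

def _anchored(cert, trust, now):
    """True if cert was signed by an unexpired root in the trust store."""
    root = trust.get(cert.issuer)
    return bool(root) and root.key == cert.signed_by and root.not_after >= now

def _linked(chain, i, now):
    """True if chain[i] is unexpired and signed by the next cert's key."""
    return (chain[i].not_after >= now and i + 1 < len(chain)
            and chain[i].signed_by == chain[i + 1].key)

def whole_chain_walk(chain, trust, now):
    """Check every presented link, then anchor only the LAST certificate."""
    if not all(_linked(chain, i, now) for i in range(len(chain) - 1)):
        return False
    return chain[-1].not_after >= now and _anchored(chain[-1], trust, now)

def first_anchor_path(chain, trust, now):
    """Walk up from the leaf and stop at the first trusted, unexpired root."""
    for i, cert in enumerate(chain):
        if cert.not_after < now:
            return False
        if _anchored(cert, trust, now):
            return True
        if not _linked(chain, i, now):
            return False
    return False

if __name__ == "__main__":
    for day in (20210901, 20220907):  # before and after the DST root expiry
        print(day, whole_chain_walk(PRESENTED, TRUST, day),
              first_anchor_path(PRESENTED, TRUST, day))
```

With a trust store that lacks the self-signed ISRG Root X1, `first_anchor_path` also rejects the chain after the expiry date, so an up-to-date CA bundle is still required.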