Merge updates from debian/bullseye

da6f2427 · Apertis CI robot · ae1d7c33 · b66ea442 · da6f2427 · da6f2427
Commit da6f2427 authored 3 years ago by Apertis CI robot
--- a/debian/changelog
+++ b/debian/changelog
+golang-1.15 (1.15.9-6+apertis0) apertis; urgency=medium
+
+  * Sync from debian/bullseye.
+
+ -- Apertis CI <devel@lists.apertis.org>  Thu, 29 Jul 2021 19:18:39 +0000
+
+golang-1.15 (1.15.9-6) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patche for CVE-2021-34558
+    crypto/tls: clients can panic when provided a certificate of the wrong type
+    for the negotiated parameters
+
+ -- Shengjing Zhu <zhsj@debian.org>  Tue, 13 Jul 2021 13:55:42 +0800
+
 golang-1.15 (1.15.9-5+apertis0) apertis; urgency=medium

  * Sync from debian/bullseye.

--- a/debian/patches/0013-CVE-2021-34558.patch
+++ b/debian/patches/0013-CVE-2021-34558.patch
+From c77980bc077f3774276ab2deba78d8e6bfe4b3bd Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 9 Jun 2021 11:31:27 -0700
+Subject: [PATCH] [release-branch.go1.15] crypto/tls: test key type when
+ casting
+
+When casting the certificate public key in generateClientKeyExchange,
+check the type is appropriate. This prevents a panic when a server
+agrees to a RSA based key exchange, but then sends an ECDSA (or
+other) certificate.
+
+Updates #47143
+Fixes #47144
+Fixes CVE-2021-34558
+
+Thanks to Imre Rad for reporting this issue.
+
+Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-by: Katie Hockman <katiehockman@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/334030
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+ src/crypto/tls/key_agreement.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/crypto/tls/key_agreement.go b/src/crypto/tls/key_agreement.go
+index 7e6534bd465e3..22f1b2e1f2441 100644
+--- a/src/crypto/tls/key_agreement.go
+++ b/src/crypto/tls/key_agreement.go
+@@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello
+ 		return nil, nil, err
+ 	}
+ 
+-	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
+	rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
+	if !ok {
+		return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite")
+	}
+	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret)
+ 	if err != nil {
+ 		return nil, nil, err
+ 	}
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@
 0010-CVE-2021-33195-2.patch
 0011-CVE-2021-33197.patch
 0012-CVE-2021-33198.patch
+0013-CVE-2021-34558.patch