[Pkg-xmpp-devel] Bug#1001592: prosody: changes certs/localhost.{crt, key} back to snakeoil on upgrade
Thorsten Glaser
tg at mirbsd.de
Sun Dec 12 19:32:30 GMT 2021
Package: prosody
Version: 0.11.9-2
Severity: serious
Justification: Policy 10.7.3
During an upgrade from buster to bullseye, prosody broke my SSL configuration,
as shown by etckeeper / “git log -p” in /etc:
diff --git a/prosody/certs/localhost.crt b/prosody/certs/localhost.crt
index f119f6c..2d292e2 120000
--- a/prosody/certs/localhost.crt
+++ b/prosody/certs/localhost.crt
@@ -1 +1 @@
-../../ssl/deflt+ca.pem
\ No newline at end of file
+/etc/ssl/certs/ssl-cert-snakeoil.pem
\ No newline at end of file
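Review bot: the `+/etc/ssl/certs/ssl-cert-snakeoil.pem` line overwrites the target of an existing symlink (mode 120000) that pointed at a locally chosen certificate, `../../ssl/deflt+ca.pem`. Whatever writes this link during the upgrade should create it only when `localhost.crt` does not already exist, and leave an existing link untouched.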
diff --git a/prosody/certs/localhost.key b/prosody/certs/localhost.key
index 7fbf56c..8dd7db9 120000
--- a/prosody/certs/localhost.key
+++ b/prosody/certs/localhost.key
@@ -1 +1 @@
-../../ssl/private/default.key
\ No newline at end of file
+/etc/ssl/private/ssl-cert-snakeoil.key
\ No newline at end of file
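Review bot: the `+/etc/ssl/private/ssl-cert-snakeoil.key` line repoints the private key link away from `../../ssl/private/default.key` alongside the certificate change, so both halves of the pair now reference the snakeoil files. The same existence check is needed for `localhost.key`, and the two links should be treated as a unit so that one is never replaced without the other.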
And indeed, I had to manually revert this change:
root@caas:/etc/prosody/certs # ll
total 0
[…]
lrwxrwxrwx 1 root root 36 Dec 12 19:16 localhost.crt -> /etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root 38 Dec 12 19:16 localhost.key -> /etc/ssl/private/ssl-cert-snakeoil.key
root@caas:/etc/prosody/certs # ln -sf ../../ssl/deflt+ca.pem localhost.crt
root@caas:/etc/prosody/certs # ln -sf ../../ssl/private/default.key localhost.key
root@caas:/etc/prosody/certs # ll
total 0
[…]
lrwxrwxrwx 1 root root 22 Dec 12 19:29 localhost.crt -> ../../ssl/deflt+ca.pem
lrwxrwxrwx 1 root root 29 Dec 12 19:29 localhost.key -> ../../ssl/private/default.key
This is a violation of Policy:
* local changes must be preserved during a package upgrade, and
-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-18-amd64 (SMP w/1 CPU thread)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages prosody depends on:
ii adduser 3.118
ii init-system-helpers 1.60
ii libc6 2.31-13+deb11u2
ii libidn11 1.33-3
ii libssl1.1 1.1.1k-1+deb11u1
ii lsb-base 11.1.0
ii lua-bitop [lua5.2-bitop] 1.0.2-5
ii lua-expat [lua5.2-expat] 1.3.0-4+b1
ii lua-filesystem [lua5.2-filesystem] 1.8.0-1
ii lua-sec [lua5.2-sec] 1.0-1
ii lua-socket [lua5.2-socket] 3.0~rc1+git+ac3201d-4
ii lua5.2 5.2.4-1.1+b3
ii ssl-cert 1.1.0+nmu1
Versions of packages prosody recommends:
pn lua5.2-event <none>
Versions of packages prosody suggests:
pn lua-dbi-mysql <none>
pn lua-dbi-postgresql <none>
pn lua-dbi-sqlite3 <none>
pn lua-zlib <none>
-- Configuration Files:
/etc/init.d/prosody changed [not included]
/etc/prosody/conf.avail/example.com.cfg.lua [Errno 13] Permission denied: '/etc/prosody/conf.avail/example.com.cfg.lua'
/etc/prosody/conf.avail/localhost.cfg.lua [Errno 13] Permission denied: '/etc/prosody/conf.avail/localhost.cfg.lua'
/etc/prosody/prosody.cfg.lua [Errno 13] Permission denied: '/etc/prosody/prosody.cfg.lua'
-- no debconf information
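
A post-upgrade check for the regression described in this report, added here as an example and not part of the original message or of the prosody package: it lists `.crt`/`.key` symlinks in a directory that point at the ssl-cert snakeoil pair. The function names `check_snakeoil_links` and `demo_snakeoil_check` are hypothetical, and the demo layout is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: flag certificate/key symlinks that point at the ssl-cert
# snakeoil pair. Function names are hypothetical, chosen for illustration.
# Typical use after an upgrade: check_snakeoil_links /etc/prosody/certs

# Print one line per symlink in DIR whose target is a snakeoil file.
# Return status: 0 = none found, 1 = at least one found, 2 = DIR missing.
check_snakeoil_links() {
    dir=$1
    [ -d "$dir" ] || return 2
    found=0
    for link in "$dir"/*.crt "$dir"/*.key; do
        # Skip unmatched globs and regular files; dangling symlinks still count.
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        # Compare the file name only, so relative and absolute targets both match.
        case ${target##*/} in
            ssl-cert-snakeoil.pem|ssl-cert-snakeoil.key)
                printf '%s -> %s\n' "$link" "$target"
                found=1
                ;;
        esac
    done
    return "$found"
}

# Constructed demo: one link kept at the local certificate, one reset to the
# snakeoil key, using the link targets shown in the report.
demo_snakeoil_check() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/prosody/certs"
    ln -s ../../ssl/deflt+ca.pem "$tmp/prosody/certs/localhost.crt"
    ln -s /etc/ssl/private/ssl-cert-snakeoil.key "$tmp/prosody/certs/localhost.key"
    rc=0
    check_snakeoil_links "$tmp/prosody/certs" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

The non-zero return status when a snakeoil link is found makes the function usable in a monitoring check or an apt post-invoke hook.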