Your message dated Sun, 25 Dec 2022 16:04:55 +0000
with message-id <[email protected]>
and subject line Bug#954085: fixed in libpandoc-wrapper-perl 0.9.1-4
has caused the Debian Bug report #954085,
regarding libpandoc-wrapper-perl: Please verify server identity via SSL
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
954085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954085
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpandoc-wrapper-perl
Severity: important

Dear maintainer,

Your package uses the Perl module HTTP::Tiny to access the secure URL

https://api.github.com/repos/jgm/pandoc/releases/tags/$version

but it does not set the verify_SSL attribute to a true value. By
default, the module HTTP::Tiny does not validate the identity of server
certificates.

The documentation states that "Server identity verification is
controversial and potentially tricky..." [1] As late as 2015, upstream
has been doubling up: "we're not going to be responsible for the user's
trust model" [2]

I believe, on the other hand, that the encryption of a transmission has
no value when talking to the wrong person. You can easily see the
useless and dangerous default by running the script at the end of this
message.

Will you please turn on the verify_SSL attribute in HTTP::Tiny?

Kind regards
Felix Lechner

[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68

* * *

#!/usr/bin/perl

use HTTP::Tiny;

my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/');

die "Failed!\n" unless $response->{success};

print "$response->{status} $response->{reason}\n";

while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}

print $response->{content} if length $response->{content};
--- End Message ---
--- Begin Message ---
Source: libpandoc-wrapper-perl
Source-Version: 0.9.1-4
Done: Jonas Smedegaard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libpandoc-wrapper-perl, which is due to be installed in the Debian FTP
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated libpandoc-wrapper-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sun, 25 Dec 2022 16:53:37 +0100
Source: libpandoc-wrapper-perl
Architecture: source
Version: 0.9.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Closes: 954085
Changes:
 libpandoc-wrapper-perl (0.9.1-4) unstable; urgency=medium
 .
   * add patch 1002 to verify TLS; depend on ca-certificates; closes: bug#954085, thanks to Felix Lechner
   * declare compliance with Debian Policy 4.6.2
--- End Message ---
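
A check a packager could run over Perl sources for the pattern this report describes, added here as an example (not part of the original thread or of the package): it flags `HTTP::Tiny->new` calls where `verify_SSL` is missing or false. The function names, verdict labels and the Perl snippet in `SAMPLE` are constructed for illustration, and the matching is a regex heuristic, not a Perl parser.

```python
import re

CTOR = re.compile(r"HTTP::Tiny\s*->\s*new\b")
VERIFY = re.compile(r"\bverify_SSL\b['\"]?\s*(?:=>|,)\s*(?P<val>[^\s,)]+)")
FALSY = {"0", "undef", "''", '""', "'0'", '"0"'}
LITERAL_TRUE = re.compile(r"[1-9]\d*|'[^']+'|\"[^\"]+\"")
# Constructed Perl input (not from the package); line 2 mirrors the report's script.
SAMPLE = """\
use HTTP::Tiny;
my $a = HTTP::Tiny->new->get('https://example.org/');
my $b = HTTP::Tiny->new( verify_SSL => 1 );
my $c = HTTP::Tiny->new( agent => ua_name(), verify_SSL => 0 );
my $d = HTTP::Tiny->new( timeout => 10, verify_SSL => $opt{verify} );
# HTTP::Tiny->new( verify_SSL => 0 ) in a comment is ignored
"""

def ctor_args(source, pos):
    """Text inside the balanced (...) right after the constructor, or ''."""
    rest = source[pos:].lstrip()
    if not rest.startswith("("):
        return ""                       # HTTP::Tiny->new with no argument list
    depth = 0
    for j, ch in enumerate(rest):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            return rest[1:j]
    return rest[1:]                     # unbalanced: take what is left

def audit(source):
    """Return [(line_no, verdict)] for each HTTP::Tiny constructor call."""
    source = re.sub(r"(?m)^[ \t]*#.*$", "", source)   # blank full-line comments
    findings = []
    for m in CTOR.finditer(source):
        v = VERIFY.search(ctor_args(source, m.end()))
        val = v.group("val") if v else None
        if val is None:
            verdict = "unset"           # falls back to the module's default
        elif val in FALSY:
            verdict = "disabled"
        elif LITERAL_TRUE.fullmatch(val):
            verdict = "enabled"
        else:
            verdict = "review"          # variable or expression: check by hand
        findings.append((source.count("\n", 0, m.start()) + 1, verdict))
    return findings

if __name__ == "__main__":
    for line_no, verdict in audit(SAMPLE):
        print(f"line {line_no}: verify_SSL {verdict}")
```

An `unset` result is only as safe as the installed module's default, which the report above describes as no verification.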

