Your message dated Sun, 24 Mar 2024 20:44:29 +0000
with message-id <e1rouhh-00a0iu...@fasolo.debian.org>
and subject line Bug#1064058: fixed in libxml-stream-perl 1.24-4+deb12u1
has caused the Debian Bug report #1064058,
regarding libxml-stream-perl: TLS/SSL broken with IO-Socket-SSL >= 2.078 when 
hostname verification is enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064058: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064058
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxml-stream-perl
Version: 1.24-4
Severity: normal
Tags: upstream
Control: affects -1 sendxmpp libnet-xmpp-perl

Dear Maintainers,

after upgrading to Debian Bookworm, we noticed that the sendxmpp command
line tool was not working anymore in our setup. During the investigation
of this issue, I noticed that downgrading IO-Socket-SSL to the version
in Bullseye made sendxmpp work again. I then started to try all versions
of IO-Socket-SSL between the version in Bullseye and the one in Bookworm
and found that it stopped working with version 2.078. Eventually, I came
up with a pull request [1] containing a patch that fixed it for us -
apparently, the way XML-Stream was using IO-Socket-SSL most likely
always resulted in the hostname verification being done against the IP
address of the peer instead of an actual hostname, which was always
considered to be successful in IO-Socket-SSL < 2.078, but not anymore in
newer versions.

Since the upstream seems quite inactive, it might be worth considering
adding this or a similar patch to the package in Debian, as I came
across several other bug reports in the Debian BTS which might actually
be caused by this issue, like #986971 [2], #1032868 [3] and maybe also
#1050336 [4] - at least the error messages in the first two look very
similar to what I saw.

Cheers,
Manfred

[1]: https://github.com/dap/XML-Stream/pull/28
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986971
[3]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032868
[4]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050336

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8), LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages libxml-stream-perl depends on:
ii  libauthen-sasl-perl    2.1600-3
ii  libio-socket-ssl-perl  2.081-2
ii  perl                   5.36.0-7+deb12u1

libxml-stream-perl recommends no packages.

Versions of packages libxml-stream-perl suggests:
ii  libnet-dns-perl  1.36-1

-- no debconf information

--- End Message ---
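
The failure mode described in the report above, as an added example that is not part of the original messages: a simplified Python model of reference-identity matching (not the IO::Socket::SSL or XML::Stream code) showing why a client that connects by IP address and upgrades the socket to TLS must pass the server's hostname explicitly as the name to verify. The host name, address, certificate names and function names are constructed for illustration.

```python
import ipaddress

# Constructed subjectAltName list, in the shape ssl.getpeercert() returns.
CONSTRUCTED_SAN = [("DNS", "xmpp.example.org"), ("DNS", "*.example.org")]


def dns_match(pattern, host):
    """Match a dNSName entry; a wildcard may only stand for the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def reference_identity(connect_target, verify_name=None):
    """Name the TLS layer checks the certificate against.

    Without an explicit verify_name, all that is known about an already
    connected socket is the address it was connected to.
    """
    return verify_name or connect_target


def verify_identity(reference, san):
    """Return True if the certificate's SAN list covers the reference identity."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    for kind, value in san:
        if ref_ip is not None:
            # An IP reference is only satisfied by an iPAddress entry.
            if kind == "IP Address" and ipaddress.ip_address(value) == ref_ip:
                return True
        elif kind == "DNS" and dns_match(value, reference):
            return True
    return False


if __name__ == "__main__":
    peer_ip = "192.0.2.10"  # constructed: what xmpp.example.org resolved to
    print("verify against peer IP :", verify_identity(reference_identity(peer_ip), CONSTRUCTED_SAN))
    print("verify against hostname:", verify_identity(reference_identity(peer_ip, "xmpp.example.org"), CONSTRUCTED_SAN))
```
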
--- Begin Message ---
Source: libxml-stream-perl
Source-Version: 1.24-4+deb12u1
Done: gregor herrmann <gre...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxml-stream-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated libxml-stream-perl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Mar 2024 16:02:42 +0100
Source: libxml-stream-perl
Architecture: source
Version: 1.24-4+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Closes: 1064058
Changes:
 libxml-stream-perl (1.24-4+deb12u1) bookworm; urgency=medium
 .
   * Team upload.
   * Add Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch
     to adjust to IO::Socket::SSL >= 2.078.
     Thanks to Manfred Stock for the bug report and the patch.
     (Closes: #1064058)



--- End Message ---