Hi
On Wed, Dec 08, 2010 at 09:52:13PM +0100, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> Please unblock package libio-socket-ssl-perl. It fixes CVE-2010-4334.
> If the diff between 1.33 and 1.35 is too large to unblock, we'll need
> a tpu upload with the security fix only, adding Salvatore to CC.
> unblock libio-socket-ssl-perl/1.35-1
Thanks Moritz, for filing this as a bug too. I already asked the
release team for comment [1], but did not do it as a bug report against
release.debian.org.
I agree; if the changes from 1.33 to 1.35 are too large to unblock, I can
prepare an upload to t-p-u containing only the fix from 1.34 to 1.35.
In any case, I attach the debdiff between 1.33-1 and 1.35-1 here too.
[1] http://lists.debian.org/debian-release/2010/12/msg00209.html
Bests and thanks!
Salvatore
diff -Nru libio-socket-ssl-perl-1.33/Changes libio-socket-ssl-perl-1.35/Changes
--- libio-socket-ssl-perl-1.33/Changes 2010-03-17 13:48:59.0 +0100
+++ libio-socket-ssl-perl-1.35/Changes 2010-12-06 08:57:39.0 +0100
@@ -1,4 +1,18 @@
+v1.35 2010.12.06
+- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
+ verified as valid it will no longer fall back to VERIFY_NONE but throw
+ an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for
+ pointing out the problem, see also
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
+v1.34 2010.11.01
+- schema http for certificate verification changed to
+ wildcards_in_cn=1, because according to rfc2818 this is valid and
+ also seen in the wild
+- if upgrading socket from inet to ssl fails due to handshake problems
+ the socket gets downgraded, but is still open.
+ See https://rt.cpan.org/Ticket/Display.html?id=61466
+- depreceate kill_socket, just use close()
v1.33 2010.03.17
- attempt to make t/memleak_bad_handshake.t more stable, it fails
for unknown reason on various systems
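Review bot: The v1.34 entry that switches the http verification scheme to wildcards_in_cn=1 is a behaviour change unrelated to CVE-2010-4334, and it makes the http scheme accept wildcard names in the CN; for an unblock it should be called out explicitly, or avoided by uploading only the 1.34 to 1.35 fix. The v1.35 entry would also be more useful if it said how the error is reported to the caller when ca_file/ca_path cannot be verified, since code that relied on the silent fallback to VERIFY_NONE will now fail. Minor: "depreceate" in the last v1.34 item should read "deprecate".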
diff -Nru libio-socket-ssl-perl-1.33/debian/changelog libio-socket-ssl-perl-1.35/debian/changelog
--- libio-socket-ssl-perl-1.33/debian/changelog 2010-12-08 22:16:05.0 +0100
+++ libio-socket-ssl-perl-1.35/debian/changelog 2010-12-06 10:48:08.0 +0100
@@ -1,3 +1,27 @@
+libio-socket-ssl-perl (1.35-1) unstable; urgency=low
+
+ * New upstream release (Closes: #606058).
+ * Refresh debian/copyright: Update copyright information for debian/*
+packaging stanza.
+
+ -- Salvatore Bonaccorso car...@debian.org Mon, 06 Dec 2010 10:48:05 +0100
+
+libio-socket-ssl-perl (1.34-1) unstable; urgency=low
+
+ [ Salvatore Bonaccorso ]
+ * Update my email address.
+
+ [ Ansgar Burchardt ]
+ * Update my email address.
+ * Use source format 3.0 (quilt).
+ * Bump Standards-Version to 3.9.1.
+
+ [ Angel Abad ]
+ * New upstream release
+ * debian/copyirght: Update license information
+
+ -- Angel Abad angela...@gmail.com Tue, 02 Nov 2010 15:20:49 +0100
+
libio-socket-ssl-perl (1.33-1) unstable; urgency=low
* New upstream release
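Review bot: The 1.35-1 entry records the security fix only as "New upstream release (Closes: #606058)" with urgency=low, and never names CVE-2010-4334, which the unblock request gives as the reason for the upload. Suggest naming the CVE and the behaviour change (no fallback to VERIFY_NONE when ca_file/ca_path cannot be verified) in the entry so the fix is traceable from the changelog, and reconsidering the urgency. Minor: "debian/copyirght" in the 1.34-1 entry should read "debian/copyright".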
diff -Nru libio-socket-ssl-perl-1.33/debian/control libio-socket-ssl-perl-1.35/debian/control
--- libio-socket-ssl-perl-1.33/debian/control 2010-12-08 22:16:05.0 +0100
+++ libio-socket-ssl-perl-1.35/debian/control 2010-11-06 21:45:16.0 +0100
@@ -3,14 +3,14 @@
Priority: optional
Maintainer: Debian Perl Group pkg-perl-maintain...@lists.alioth.debian.org
Uploaders: gregor herrmann gre...@debian.org,
- Ansgar Burchardt ans...@43-1.org, Rene Mayorga rmayo...@debian.org,
+ Ansgar Burchardt ans...@debian.org, Rene Mayorga rmayo...@debian.org,
Antonio Radici anto...@dyne.org,
- Salvatore Bonaccorso salvatore.bonacco...@gmail.com,
+ Salvatore Bonaccorso car...@debian.org,
Angel Abad angela...@gmail.com
Build-Depends: debhelper (= 7)
Build-Depends-Indep: libio-socket-inet6-perl, libnet-libidn-perl,
libnet-ssleay-perl (= 1.35), netbase, perl
-Standards-Version: 3.8.4
+Standards-Version: 3.9.1
Homepage: http://search.cpan.org/dist/IO-Socket-SSL/
Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libio-socket-ssl-perl/
Vcs-Browser: http://svn.debian.org/viewsvn/pkg-perl/trunk/libio-socket-ssl-perl/
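Review bot: Nothing in this hunk relates to the security fix: it changes two uploader addresses and bumps Standards-Version from 3.8.4 to 3.9.1. The changes are harmless, but they add to what the release team has to review; an upload to t-p-u carrying only the fix should leave debian/control as it is in 1.33-1.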
diff -Nru libio-socket-ssl-perl-1.33/debian/copyright libio-socket-ssl-perl-1.35/debian/copyright
--- libio-socket-ssl-perl-1.33/debian/copyright 2010-12-08 22:16:05.0 +0100
+++ libio-socket-ssl-perl-1.35/debian/copyright 2010-12-06 10:17:28.0 +0100
@@ -14,12 +14,12 @@
Copyright: 2000-2004, Davide Puricelli (evo) e...@debian.org
2000, Christian Surchi csur...@debian.org
2005-2007, Florian Ragwitz r...@debian.org
- 2008-2009, Ansgar Burchardt ans...@43-1.org
+ 2008-2009, Ansgar Burchardt ans...@debian.org
2008-2009, gregor herrmann gre...@debian.org
2008, Mark Hymers m...@debian.org
2008, Rene Mayorga rmayo...@debian.org.sv
2009, Antonio Radici anto...@dyne.org
- 2009, Salvatore Bonaccorso salvatore.bonacco...@gmail.com
+ 2009, 2010, Salvatore Bonaccorso car...@debian.org
2010, Angel
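Review bot: Ansgar Burchardt's line gets the new address but keeps the years 2008-2009, while the 1.34-1 changelog entry from November 2010 lists packaging changes by him. Suggest extending his line to cover 2010, as this hunk already does for Salvatore Bonaccorso ("2009, 2010").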