Bug#606390: unblock: libio-socket-ssl-perl/1.35-1

2010-12-08 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libio-socket-ssl-perl. It fixes CVE-2010-4334.

If the diff between 1.33 and 1.35 is too large to unblock, we'll need
a tpu upload with the security fix only, adding Salvatore to CC.

unblock libio-socket-ssl-perl/1.35-1

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash



-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/20101208205213.10736.29850.report...@localhost.localdomain



Bug#606390: unblock: libio-socket-ssl-perl/1.35-1

2010-12-08 Thread Salvatore Bonaccorso
Hi

On Wed, Dec 08, 2010 at 09:52:13PM +0100, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package libio-socket-ssl-perl. It fixes CVE-2010-4334.
>
> If the diff between 1.33 and 1.35 is too large to unblock, we'll need
> a tpu upload with the security fix only, adding Salvatore to CC.
>
> unblock libio-socket-ssl-perl/1.35-1

Thanks Moritz, for filing this as a bug too. I already asked for
comment from the release team [1], but did not do it as a bug report against
release.debian.org.

Agreed, if the changes from 1.33 to 1.35 are too large to unblock, I can
prepare an upload to t-p-u only containing the fix from 1.34 to 1.35.
In any case I attach here the debdiff between 1.33-1 and 1.35-1 too.

 [1] http://lists.debian.org/debian-release/2010/12/msg00209.html

Bests and thanks!
Salvatore
diff -Nru libio-socket-ssl-perl-1.33/Changes libio-socket-ssl-perl-1.35/Changes
--- libio-socket-ssl-perl-1.33/Changes	2010-03-17 13:48:59.0 +0100
+++ libio-socket-ssl-perl-1.35/Changes	2010-12-06 08:57:39.0 +0100
@@ -1,4 +1,18 @@
 
+v1.35 2010.12.06
+- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
+  verified as valid it will no longer fall back to VERIFY_NONE but throw
+  an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for
+  pointing out the problem, see also 
+  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
+v1.34 2010.11.01
+- schema http for certificate verification changed to 
+  wildcards_in_cn=1, because according to rfc2818 this is valid and
+  also seen in the wild
+- if upgrading socket from inet to ssl fails due to handshake problems
+  the socket gets downgraded, but is still open.
+  See https://rt.cpan.org/Ticket/Display.html?id=61466
+- depreceate kill_socket, just use close()
 v1.33 2010.03.17
 - attempt to make t/memleak_bad_handshake.t more stable, it fails 
   for unknown reason on various systems
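Review bot: The v1.34 entries in this hunk carry behaviour changes that are separate from the v1.35 verification fix: the http verification scheme now uses wildcards_in_cn=1, which changes which certificates pass hostname checking, and kill_socket is deprecated in favour of close(). For a freeze unblock these need to be assessed on their own, or the upload limited to the 1.34 to 1.35 delta as proposed in the thread. The v1.35 entry points at the Debian bug but does not name CVE-2010-4334, and "depreceate" in the last added line is a typo.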
diff -Nru libio-socket-ssl-perl-1.33/debian/changelog libio-socket-ssl-perl-1.35/debian/changelog
--- libio-socket-ssl-perl-1.33/debian/changelog	2010-12-08 22:16:05.0 +0100
+++ libio-socket-ssl-perl-1.35/debian/changelog	2010-12-06 10:48:08.0 +0100
@@ -1,3 +1,27 @@
+libio-socket-ssl-perl (1.35-1) unstable; urgency=low
+
+  * New upstream release (Closes: #606058).
+  * Refresh debian/copyright: Update copyright information for debian/*
+packaging stanza.
+
+ -- Salvatore Bonaccorso car...@debian.org  Mon, 06 Dec 2010 10:48:05 +0100
+
+libio-socket-ssl-perl (1.34-1) unstable; urgency=low
+
+  [ Salvatore Bonaccorso ]
+  * Update my email address.
+
+  [ Ansgar Burchardt ]
+  * Update my email address.
+  * Use source format 3.0 (quilt).
+  * Bump Standards-Version to 3.9.1.
+
+  [ Angel Abad ]
+  * New upstream release
+  * debian/copyirght: Update license information
+
+ -- Angel Abad angela...@gmail.com  Tue, 02 Nov 2010 15:20:49 +0100
+
 libio-socket-ssl-perl (1.33-1) unstable; urgency=low
 
   * New upstream release
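Review bot: The 1.35-1 entry at the top of this hunk records the upload only as "New upstream release (Closes: #606058)" with urgency=low, so nothing in the changelog says it is a security fix. Naming CVE-2010-4334 in that entry and raising the urgency would make that visible to anyone reading the changelog. As shown here, the continuation line "packaging stanza." is not indented under its bullet, and the 1.34-1 entry spells the file "debian/copyirght".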
diff -Nru libio-socket-ssl-perl-1.33/debian/control libio-socket-ssl-perl-1.35/debian/control
--- libio-socket-ssl-perl-1.33/debian/control	2010-12-08 22:16:05.0 +0100
+++ libio-socket-ssl-perl-1.35/debian/control	2010-11-06 21:45:16.0 +0100
@@ -3,14 +3,14 @@
 Priority: optional
 Maintainer: Debian Perl Group pkg-perl-maintain...@lists.alioth.debian.org
 Uploaders: gregor herrmann gre...@debian.org,
- Ansgar Burchardt ans...@43-1.org, Rene Mayorga rmayo...@debian.org,
+ Ansgar Burchardt ans...@debian.org, Rene Mayorga rmayo...@debian.org,
  Antonio Radici anto...@dyne.org,
- Salvatore Bonaccorso salvatore.bonacco...@gmail.com,
+ Salvatore Bonaccorso car...@debian.org,
  Angel Abad angela...@gmail.com
 Build-Depends: debhelper (= 7)
 Build-Depends-Indep: libio-socket-inet6-perl, libnet-libidn-perl,
  libnet-ssleay-perl (= 1.35), netbase, perl
-Standards-Version: 3.8.4
+Standards-Version: 3.9.1
 Homepage: http://search.cpan.org/dist/IO-Socket-SSL/
 Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libio-socket-ssl-perl/
 Vcs-Browser: http://svn.debian.org/viewsvn/pkg-perl/trunk/libio-socket-ssl-perl/
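Review bot: Nothing in this hunk relates to the verification fix: the changed lines are two uploader addresses and the Standards-Version bump from 3.8.4 to 3.9.1. Together with the source format change listed in the 1.34-1 changelog entry, this is packaging churn that enlarges the diff the release team has to read for the unblock; a security-only upload would leave debian/control untouched.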
diff -Nru libio-socket-ssl-perl-1.33/debian/copyright libio-socket-ssl-perl-1.35/debian/copyright
--- libio-socket-ssl-perl-1.33/debian/copyright	2010-12-08 22:16:05.0 +0100
+++ libio-socket-ssl-perl-1.35/debian/copyright	2010-12-06 10:17:28.0 +0100
@@ -14,12 +14,12 @@
 Copyright: 2000-2004, Davide Puricelli (evo) e...@debian.org
  2000, Christian Surchi csur...@debian.org
  2005-2007, Florian Ragwitz r...@debian.org
- 2008-2009, Ansgar Burchardt ans...@43-1.org
+ 2008-2009, Ansgar Burchardt ans...@debian.org
  2008-2009, gregor herrmann gre...@debian.org
  2008, Mark Hymers m...@debian.org
  2008, Rene Mayorga rmayo...@debian.org.sv
  2009, Antonio Radici anto...@dyne.org
- 2009, Salvatore Bonaccorso salvatore.bonacco...@gmail.com
+ 2009, 2010, Salvatore Bonaccorso car...@debian.org
  2010, Angel 

Bug#606390: unblock: libio-socket-ssl-perl/1.35-1

2010-12-08 Thread Adam D. Barratt
On Wed, 2010-12-08 at 21:52 +0100, Moritz Muehlenhoff wrote:
> Please unblock package libio-socket-ssl-perl. It fixes CVE-2010-4334.
>
> If the diff between 1.33 and 1.35 is too large to unblock, we'll need
> a tpu upload with the security fix only, adding Salvatore to CC.

Salvatore already suggested a t-p-u upload a couple of days ago,
although his mail hadn't had a reply; I've just rectified that.  I've no
particular preference whether we close this bug or convert it to cover
the t-p-u.

Regards,

Adam



