Re: Possible upload for libio-socket-ssl-perl to t-p-u?
Hi Adam

On Wed, Dec 08, 2010 at 09:21:41PM +, Adam D. Barratt wrote:
> On Mon, 2010-12-06 at 13:38 +0100, Salvatore Bonaccorso wrote:
> > I just uploaded libio-socket-ssl-perl 1.35-1 to unstable fixing Bug #606058
> > (http://bugs.debian.org/606058) (Severity normal, tagged security).
> >
> > The change done by upstream is that if the verify_mode is not VERIFY_NONE
> > and the ca_file/ca_path cannot be verified as valid then IO::Socket::SSL
> > will not fall back to VERIFY_NONE but at least throw an error to inform
> > the user. The reasoning from upstream is:
> >
> > [...]
> >
> > If you would agree on it, should I prepare an upload too for t-p-u for it?
> > The changes done by upstream are the following:
>
> Please go ahead; thanks.

Prepared, by directly patching SSL.pm. Attached is the debdiff between 1.33-1 and 1.33-1+squeeze1. Fine with that?

Bests
Salvatore

diff -u libio-socket-ssl-perl-1.33/debian/control libio-socket-ssl-perl-1.33/debian/control --- libio-socket-ssl-perl-1.33/debian/control +++ libio-socket-ssl-perl-1.33/debian/control @@ -5,7 +5,7 @@ Uploaders: gregor herrmann gre...@debian.org, Ansgar Burchardt ans...@43-1.org, Rene Mayorga rmayo...@debian.org, Antonio Radici anto...@dyne.org, - Salvatore Bonaccorso salvatore.bonacco...@gmail.com, + Salvatore Bonaccorso car...@debian.org, Angel Abad angela...@gmail.com Build-Depends: debhelper (= 7) Build-Depends-Indep: libio-socket-inet6-perl, libnet-libidn-perl, diff -u libio-socket-ssl-perl-1.33/debian/copyright libio-socket-ssl-perl-1.33/debian/copyright --- libio-socket-ssl-perl-1.33/debian/copyright +++ libio-socket-ssl-perl-1.33/debian/copyright 
@@ -19,7 +19,7 @@ 2008, Mark Hymers m...@debian.org 2008, Rene Mayorga rmayo...@debian.org.sv 2009, Antonio Radici anto...@dyne.org - 2009, Salvatore Bonaccorso salvatore.bonacco...@gmail.com + 2009, Salvatore Bonaccorso car...@debian.org 2010, Angel Abad angela...@gmail.com License: Artistic or GPL-1+ diff -u libio-socket-ssl-perl-1.33/debian/changelog libio-socket-ssl-perl-1.33/debian/changelog --- libio-socket-ssl-perl-1.33/debian/changelog +++ libio-socket-ssl-perl-1.33/debian/changelog @@ -1,3 +1,12 @@ +libio-socket-ssl-perl (1.33-1+squeeze1) testing-proposed-updates; urgency=low + + * Change my email address. + * Patch SSL.pm to fix vulnerability with IO::Socket::SSL verify peer +mode which is ignored if no cert is supplied. This is CVE-2010-4334. +(Closes: #606058). + + -- Salvatore Bonaccorso car...@debian.org Thu, 09 Dec 2010 10:56:23 +0100 + libio-socket-ssl-perl (1.33-1) unstable; urgency=low * New upstream release @@ -303 +311,0 @@ - only in patch2: unchanged: --- libio-socket-ssl-perl-1.33.orig/SSL.pm +++ libio-socket-ssl-perl-1.33/SSL.pm @@ -1370,12 +1370,7 @@ if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and ! Net::SSLeay::CTX_load_verify_locations( $ctx, $arg_hash-{SSL_ca_file} || '',$arg_hash-{SSL_ca_path} || '') ) { - if ( ! $arg_hash-{SSL_ca_file} ! $arg_hash-{SSL_ca_path} ) { - carp(No certificate verification because neither SSL_ca_file nor SSL_ca_path known); - $verify_mode = Net::SSLeay::VERIFY_NONE(); - } else { - return IO::Socket::SSL-error(Invalid certificate authority locations); - } + return IO::Socket::SSL-error(Invalid certificate authority locations); } if ($arg_hash-{'SSL_check_crl'}) { signature.asc Description: Digital signature
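Review bot: the Uploaders e-mail change in the debian/control hunk (and the matching one in debian/copyright) is unrelated to the CVE-2010-4334 fix and widens the diff of a testing-proposed-updates upload; it is declared in the changelog entry ("* Change my email address."), which is what makes it reviewable, but metadata-only changes are better kept out of a targeted security upload so the debdiff shows nothing but the fix.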
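Review bot: the changelog wording "verify peer mode which is ignored if no cert is supplied" does not match the code removed from SSL.pm: the silent downgrade to VERIFY_NONE happened when neither SSL_ca_file nor SSL_ca_path was given, not when no certificate was supplied. Suggest "verify mode which is silently downgraded to VERIFY_NONE if neither SSL_ca_file nor SSL_ca_path is given (CVE-2010-4334)". The second changelog hunk, `@@ -303 +311,0 @@`, deletes a line that shows as empty here; confirm it is only trailing whitespace and not part of an older entry.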
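Review bot: the SSL.pm hunk removes the branch that, when neither SSL_ca_file nor SSL_ca_path was set, only carp()ed and reset $verify_mode to VERIFY_NONE, so a caller that asked for peer verification got an unverified connection and nothing stronger than a warning; returning the IO::Socket::SSL error instead is the correct fix, but it is a visible behaviour change for squeeze: an application that sets SSL_verify_mode without CA locations now gets undef back from new() where it previously got a working (unverified) socket, so the changelog should say so and callers need to check the return value. The "only in patch2: unchanged:" marker shows the upstream tree is modified directly rather than through a debian/patches entry; carrying the change as a named patch would make it obvious which upstream commit squeeze has.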
Re: Possible upload for libio-socket-ssl-perl to t-p-u?
On Thu, December 9, 2010 11:52, Salvatore Bonaccorso wrote:
> Prepared, by directly patching SSL.pm. Attached is the debdiff between 1.33-1 and 1.33-1+squeeze1. Fine with that?

Yes; thanks.

Regards,

Adam

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/76fe32add47873d8c1b3edd71b2c9946.squir...@adsl.funky-badger.org
Re: Possible upload for libio-socket-ssl-perl to t-p-u?
Hi

On Thu, Dec 09, 2010 at 01:08:34PM -, Adam D. Barratt wrote:
> On Thu, December 9, 2010 11:52, Salvatore Bonaccorso wrote:
> > Prepared, by directly patching SSL.pm. Attached is the debdiff between 1.33-1 and 1.33-1+squeeze1. Fine with that?
>
> Yes; thanks.

Ok, as requested, just uploaded.

Bests
Salvatore
Re: Possible upload for libio-socket-ssl-perl to t-p-u?
On Thu, December 9, 2010 14:32, Salvatore Bonaccorso wrote:
> Hi
>
> On Thu, Dec 09, 2010 at 01:08:34PM -, Adam D. Barratt wrote:
> > On Thu, December 9, 2010 11:52, Salvatore Bonaccorso wrote:
> > > Prepared, by directly patching SSL.pm. Attached is the debdiff between 1.33-1 and 1.33-1+squeeze1. Fine with that?
> >
> > Yes; thanks.
>
> Ok, as requested, just uploaded.

Thanks. I've approved the upload, so it should migrate to testing in this evening's britney run.

Regards,

Adam

Archive: http://lists.debian.org/9bf1a269ac05235812509bd32c0fd378.squir...@adsl.funky-badger.org
Re: Possible upload for libio-socket-ssl-perl to t-p-u?
On Mon, 2010-12-06 at 13:38 +0100, Salvatore Bonaccorso wrote:
> I just uploaded libio-socket-ssl-perl 1.35-1 to unstable fixing Bug #606058
> (http://bugs.debian.org/606058) (Severity normal, tagged security).
>
> The change done by upstream is that if the verify_mode is not VERIFY_NONE
> and the ca_file/ca_path cannot be verified as valid then IO::Socket::SSL
> will not fall back to VERIFY_NONE but at least throw an error to inform
> the user. The reasoning from upstream is:
>
> [...]
>
> If you would agree on it, should I prepare an upload too for t-p-u for it?
> The changes done by upstream are the following:

Please go ahead; thanks.

Regards,

Adam

Archive: http://lists.debian.org/1291843301.15017.504.ca...@hathi.jungle.funky-badger.org
Possible upload for libio-socket-ssl-perl to t-p-u?
Dear Release Team

I just uploaded libio-socket-ssl-perl 1.35-1 to unstable fixing Bug #606058 (http://bugs.debian.org/606058) (Severity normal, tagged security).

The change done by upstream is that if the verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid then IO::Socket::SSL will not fall back to VERIFY_NONE but at least throw an error to inform the user. The reasoning from upstream is:

> I've changed it for version 1.35 like given in the no-defaults-cacert.patch, e.g.
> - the default verify_mode stays verify_none
> - if the user wants a different verify_mode SSL.pm should not ignore the user's request if it will not work or set some undocumented defaults, but throw an error
> - the default for SSL_ca_file and SSL_ca_path will stay because they were documented for a long time.
>
> Actually, I'm not that happy with having these defaults for SSL_ca_* and SSL_verify_mode but would rather have the user explicitly specify mode and path - it's a security decision which should not have any defaults. But because it was forever like this I risk breaking some application due to this, so I rather do it later after finding a strategy of not breaking too much.

If you would agree on it, should I prepare an upload too for t-p-u for it? The changes done by upstream are the following:

---(SSL.pm)- @@ -78,7 +78,7 @@ BEGIN { }) { @ISA = qw(IO::Socket::INET); } - $VERSION = '1.34'; + $VERSION = '1.35'; $GLOBAL_CONTEXT_ARGS = {}; #Make $DEBUG another name for $Net::SSLeay::trace 
@@ -1366,12 +1366,7 @@ sub new { if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and ! Net::SSLeay::CTX_load_verify_locations( $ctx, $arg_hash-{SSL_ca_file} || '',$arg_hash-{SSL_ca_path} || '') ) { - if ( ! $arg_hash-{SSL_ca_file} ! $arg_hash-{SSL_ca_path} ) { - carp(No certificate verification because neither SSL_ca_file nor SSL_ca_path known); - $verify_mode = Net::SSLeay::VERIFY_NONE(); - } else { - return IO::Socket::SSL-error(Invalid certificate authority locations); - } + return IO::Socket::SSL-error(Invalid certificate authority locations); } if ($arg_hash-{'SSL_check_crl'}) { See: http://search.cpan.org/diff?from=IO-Socket-SSL-1.34to=IO-Socket-SSL-1.35 If you have time so far, could you give some advice? Thanks a lot for your work towards releasing Squeeze! Bests Salvatore signature.asc Description: Digital signature
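Review bot: the $VERSION bump from '1.34' to '1.35' in the first hunk is release bookkeeping, not part of the fix, and should not be carried into a squeeze backport: the package there is 1.33 and the module should keep reporting 1.33 so that the package version and $IO::Socket::SSL::VERSION stay in agreement. Only the second hunk needs to go to t-p-u.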
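Review bot: with the inner branch removed, the second hunk returns the same "Invalid certificate authority locations" error both when SSL_ca_file/SSL_ca_path were given but could not be loaded and when neither was given at all, which will puzzle users who never set either option and relied on the documented defaults; suggest a distinct message for the second case, stating that SSL_ca_file or SSL_ca_path must be supplied when SSL_verify_mode is not VERIFY_NONE. The guard `$verify_mode != Net::SSLeay::VERIFY_NONE() and ...` is evaluated first, so callers using VERIFY_NONE are unaffected, which matches upstream's stated intent of keeping that default.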
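As an added example, not code from this thread or from IO::Socket::SSL itself, here is a client helper that applies the lesson of the patch from the caller's side: it names the verify mode and CA file explicitly instead of relying on defaults, treats a failed constructor as fatal, and, for installations that still carry the old fallback, asks OpenSSL afterwards whether the chain was actually verified. The host, port and CA bundle path are assumed to come from the command line, and the `_SSL_object` slot used to reach the Net::SSLeay handle is an assumption about the module's 1.3x internals.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER and $SSL_ERROR
use Net::SSLeay;

sub verified_connect {
    my ($host, $port, $ca_file) = @_;

    # 1. A security decision gets no defaults: state the mode and the CA
    #    file explicitly. Before the fix discussed in the thread, asking for
    #    peer verification without usable CA locations was silently turned
    #    into VERIFY_NONE; after it, new() returns undef and sets $SSL_ERROR.
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_ca_file     => $ca_file,
    ) or die "TLS connect to $host:$port failed: $SSL_ERROR\n";

    # 2. Belt and braces for an unfixed library: with VERIFY_NONE the
    #    handshake completes even if the chain is bad, but OpenSSL still
    #    records the chain verification result, so anything other than 0
    #    (X509_V_OK) means the peer was not verified. The _SSL_object slot
    #    is where the module keeps its Net::SSLeay handle (assumed here).
    my $ssl = ${*$sock}{_SSL_object};
    my $rv  = Net::SSLeay::get_verify_result($ssl);
    if ($rv != 0) {
        $sock->close(SSL_ctx_free => 1);
        die "peer certificate of $host not verified (X509 verify code $rv)\n";
    }
    return $sock;
}

my ($host, $port, $ca) = @ARGV;
die "usage: $0 host port ca-bundle.pem\n" unless defined $ca;
my $sock = verified_connect($host, $port, $ca);
printf "verified TLS connection to %s, peer subject: %s\n",
       $host, $sock->peer_certificate('subject') // '(none)';
$sock->close(SSL_ctx_free => 1);
```

On a library with the fix, step 1 alone already refuses an unverifiable connection; step 2 is what catches the downgrade on a library that still has the removed carp() branch.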