Re: Possible upload for libio-socket-ssl-perl to t-p-u?

2010-12-09 Thread Salvatore Bonaccorso
Hi Adam

On Wed, Dec 08, 2010 at 09:21:41PM +, Adam D. Barratt wrote:
> On Mon, 2010-12-06 at 13:38 +0100, Salvatore Bonaccorso wrote:
> > I just uploaded libio-socket-ssl-perl 1.35-1 to unstable fixing Bug
> > #606058 (http://bugs.debian.org/606058) (Severity normal, tagged
> > security). The change done by upstream is that if the verify_mode is
> > not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid
> > then IO::Socket::SSL will not fall back to VERIFY_NONE but at least
> > throw an error to inform the user. The reasoning from upstream is:
> [...]
> > If you would agree on it, should I prepare an upload too for t-p-u for
> > it? The changes done by upstream are the following:
> 
> Please go ahead; thanks.

Prepared, by directly patching SSL.pm. Attached is the debdiff between
1.33-1 and 1.33-1+squeeze1.

Fine with that?

Bests
Salvatore
diff -u libio-socket-ssl-perl-1.33/debian/control libio-socket-ssl-perl-1.33/debian/control
--- libio-socket-ssl-perl-1.33/debian/control
+++ libio-socket-ssl-perl-1.33/debian/control
@@ -5,7 +5,7 @@
 Uploaders: gregor herrmann gre...@debian.org,
  Ansgar Burchardt ans...@43-1.org, Rene Mayorga rmayo...@debian.org,
  Antonio Radici anto...@dyne.org,
- Salvatore Bonaccorso salvatore.bonacco...@gmail.com,
+ Salvatore Bonaccorso car...@debian.org,
  Angel Abad angela...@gmail.com
 Build-Depends: debhelper (= 7)
 Build-Depends-Indep: libio-socket-inet6-perl, libnet-libidn-perl,
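Review bot: the Uploaders address change in this hunk is unrelated to the CVE-2010-4334 fix, and a testing-proposed-updates upload is normally kept to the minimal change; consider leaving the maintainer-address updates (here and in debian/copyright) for the next unstable upload, or at least make clear in the changelog that they are cosmetic and carry no functional change.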
diff -u libio-socket-ssl-perl-1.33/debian/copyright libio-socket-ssl-perl-1.33/debian/copyright
--- libio-socket-ssl-perl-1.33/debian/copyright
+++ libio-socket-ssl-perl-1.33/debian/copyright
@@ -19,7 +19,7 @@
  2008, Mark Hymers m...@debian.org
  2008, Rene Mayorga rmayo...@debian.org.sv
  2009, Antonio Radici anto...@dyne.org
- 2009, Salvatore Bonaccorso salvatore.bonacco...@gmail.com
+ 2009, Salvatore Bonaccorso car...@debian.org
  2010, Angel Abad angela...@gmail.com
 License: Artistic or GPL-1+
 
diff -u libio-socket-ssl-perl-1.33/debian/changelog libio-socket-ssl-perl-1.33/debian/changelog
--- libio-socket-ssl-perl-1.33/debian/changelog
+++ libio-socket-ssl-perl-1.33/debian/changelog
@@ -1,3 +1,12 @@
+libio-socket-ssl-perl (1.33-1+squeeze1) testing-proposed-updates; urgency=low
+
+  * Change my email address.
+  * Patch SSL.pm to fix vulnerability with IO::Socket::SSL verify peer
+mode which is ignored if no cert is supplied. This is CVE-2010-4334.
+(Closes: #606058).
+
+ -- Salvatore Bonaccorso car...@debian.org  Thu, 09 Dec 2010 10:56:23 +0100
+
 libio-socket-ssl-perl (1.33-1) unstable; urgency=low
 
   * New upstream release
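Review bot: the changelog wording "verify peer mode which is ignored if no cert is supplied" understates the behaviour change: the old code silently reset $verify_mode to VERIFY_NONE when neither SSL_ca_file nor SSL_ca_path was set, and after this upload the constructor returns an error in that case, so applications in squeeze that relied on the fallback will fail to connect. Suggest stating that explicitly and naming the upstream version the change is taken from, e.g. "Backport the upstream 1.35 change: no longer fall back to VERIFY_NONE when SSL_ca_file/SSL_ca_path are unset or unloadable; return an error instead (CVE-2010-4334)."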
@@ -303 +311,0 @@
-
only in patch2:
unchanged:
--- libio-socket-ssl-perl-1.33.orig/SSL.pm
+++ libio-socket-ssl-perl-1.33/SSL.pm
@@ -1370,12 +1370,7 @@
 	if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and 
 		! Net::SSLeay::CTX_load_verify_locations( 
 			$ctx, $arg_hash-{SSL_ca_file} || '',$arg_hash-{SSL_ca_path} || '') ) {
-		if ( ! $arg_hash-{SSL_ca_file}  ! $arg_hash-{SSL_ca_path} ) {
-			carp(No certificate verification because neither SSL_ca_file nor SSL_ca_path known);
-			$verify_mode = Net::SSLeay::VERIFY_NONE();
-		} else {
-			return IO::Socket::SSL-error(Invalid certificate authority locations);
-		}
+		return IO::Socket::SSL-error(Invalid certificate authority locations);
 	}
 
 	if ($arg_hash-{'SSL_check_crl'}) {
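Review bot: with the else branch folded away, the single message "Invalid certificate authority locations" is now returned both when SSL_ca_file/SSL_ca_path are simply unset and when they are set but cannot be loaded; the two cases need different remedies from the caller, so consider keeping the distinction by testing `! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path}` first and returning a message such as "SSL_verify_mode requested but neither SSL_ca_file nor SSL_ca_path given" for that case, while still never downgrading $verify_mode.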




Re: Possible upload for libio-socket-ssl-perl to t-p-u?

2010-12-09 Thread Adam D. Barratt
On Thu, December 9, 2010 11:52, Salvatore Bonaccorso wrote:
> Prepared, by directly patching SSL.pm. Attached is the debdiff between
> 1.33-1 and 1.33-1+squeeze1.
>
> Fine with that?

Yes; thanks.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/76fe32add47873d8c1b3edd71b2c9946.squir...@adsl.funky-badger.org



Re: Possible upload for libio-socket-ssl-perl to t-p-u?

2010-12-09 Thread Salvatore Bonaccorso
Hi

On Thu, Dec 09, 2010 at 01:08:34PM -, Adam D. Barratt wrote:
> On Thu, December 9, 2010 11:52, Salvatore Bonaccorso wrote:
> > Prepared, by directly patching SSL.pm. Attached is the debdiff between
> > 1.33-1 and 1.33-1+squeeze1.
> >
> > Fine with that?
>
> Yes; thanks.

Ok, as requested, just uploaded.

Bests
Salvatore




Re: Possible upload for libio-socket-ssl-perl to t-p-u?

2010-12-09 Thread Adam D. Barratt
On Thu, December 9, 2010 14:32, Salvatore Bonaccorso wrote:
> Hi
>
> On Thu, Dec 09, 2010 at 01:08:34PM -, Adam D. Barratt wrote:
> > On Thu, December 9, 2010 11:52, Salvatore Bonaccorso wrote:
> > > Prepared, by directly patching SSL.pm. Attached is the debdiff between
> > > 1.33-1 and 1.33-1+squeeze1.
> > >
> > > Fine with that?
> >
> > Yes; thanks.
>
> Ok, as requested, just uploaded.

Thanks.  I've approved the upload, so it should migrate to testing in this
evening's britney run.

Regards,

Adam


Archive: http://lists.debian.org/9bf1a269ac05235812509bd32c0fd378.squir...@adsl.funky-badger.org



Re: Possible upload for libio-socket-ssl-perl to t-p-u?

2010-12-08 Thread Adam D. Barratt
On Mon, 2010-12-06 at 13:38 +0100, Salvatore Bonaccorso wrote:
> I just uploaded libio-socket-ssl-perl 1.35-1 to unstable fixing Bug
> #606058 (http://bugs.debian.org/606058) (Severity normal, tagged
> security). The change done by upstream is that if the verify_mode is
> not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid
> then IO::Socket::SSL will not fall back to VERIFY_NONE but at least
> throw an error to inform the user. The reasoning from upstream is:
[...]
> If you would agree on it, should I prepare an upload too for t-p-u for
> it? The changes done by upstream are the following:

Please go ahead; thanks.

Regards,

Adam


Archive: http://lists.debian.org/1291843301.15017.504.ca...@hathi.jungle.funky-badger.org



Possible upload for libio-socket-ssl-perl to t-p-u?

2010-12-06 Thread Salvatore Bonaccorso
Dear Release Team

I just uploaded libio-socket-ssl-perl 1.35-1 to unstable fixing Bug
#606058 (http://bugs.debian.org/606058) (Severity normal, tagged
security). The change done by upstream is that if the verify_mode is
not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid
then IO::Socket::SSL will not fall back to VERIFY_NONE but at least
throw an error to inform the user. The reasoning from upstream is:

> I've changed it for version 1.35 like given in the
> no-defaults-cacert.patch, e.g.
>
> - the default verify_mode stays verify_none
> - if the user wants a different verify_mode SSL.pm should not ignore
>   the user's request if it will not work or set some undocumented
>   defaults, but throw an error
> - the default for SSL_ca_file and SSL_ca_path will stay because
>   they were documented for a long time.
>
>
> Actually, I'm not that happy with having these defaults for SSL_ca_*
> and SSL_verify_mode but would rather have the user explicitly
> specify mode and path - it's a security decision which should not have
> any defaults.
> But because it was forever like this I risk to break some application
> due to this, so I rather do it later after finding a strategy of not
> breaking too much.

If you would agree on it, should I prepare an upload too for t-p-u for
it? The changes done by upstream are the following:

---(SSL.pm)-
@@ -78,7 +78,7 @@ BEGIN {
}) {
@ISA = qw(IO::Socket::INET);
}
-   $VERSION = '1.34';
+   $VERSION = '1.35';
$GLOBAL_CONTEXT_ARGS = {};
 
#Make $DEBUG another name for $Net::SSLeay::trace
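Review bot: the $VERSION bump from 1.34 to 1.35 is an upstream release marker, not part of the security fix; a t-p-u upload against 1.33 should carry only the second hunk and leave $VERSION at the packaged 1.33, so that version checks in dependent code keep describing what is actually installed.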
@@ -1366,12 +1366,7 @@ sub new {
if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
! Net::SSLeay::CTX_load_verify_locations(
$ctx, $arg_hash-{SSL_ca_file} || 
'',$arg_hash-{SSL_ca_path} || '') ) {
-   if ( ! $arg_hash-{SSL_ca_file}  ! $arg_hash-{SSL_ca_path} ) 
{
-   carp(No certificate verification because neither 
SSL_ca_file nor SSL_ca_path known);
-   $verify_mode = Net::SSLeay::VERIFY_NONE();
-   } else {
-   return IO::Socket::SSL-error(Invalid certificate 
authority locations);
-   }
+   return IO::Socket::SSL-error(Invalid certificate authority 
locations);
}
 
if ($arg_hash-{'SSL_check_crl'}) {
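Review bot: failure is now signalled by `return IO::Socket::SSL->error(...)` from the constructor rather than by croaking, so a caller that does not check the return value of IO::Socket::SSL->new (and $SSL_ERROR) still will not notice that verification could not be set up; the fix is only effective for callers that treat an undefined result as fatal, which is worth a sentence in the changelog or a NEWS entry for the package.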

See: http://search.cpan.org/diff?from=IO-Socket-SSL-1.34&to=IO-Socket-SSL-1.35

If you have time so far, could you give some advice?

Thanks a lot for your work towards releasing Squeeze!

Bests
Salvatore


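The behaviour described in this thread (a requested verify mode silently dropped to VERIFY_NONE when no CA location can be loaded) is easiest to guard against from the calling side. The following is an added example, not code from this thread, from the Debian package or from IO::Socket::SSL itself: a client that states its verification decision explicitly, treats a failed constructor as fatal, and, on an unpatched 1.33/1.34, turns the carp() warning visible in the removed lines of the patch into a hard error so the connection can never silently proceed unverified. The host, port and CA directory are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not part of the thread, the Debian package or IO::Socket::SSL):
# an IO::Socket::SSL client that makes verification explicit and fails closed.
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER and $SSL_ERROR by default

my $host    = 'www.example.org';   # assumed target host
my $port    = 443;                 # assumed port
my $ca_path = '/etc/ssl/certs';    # assumed CA directory (Debian layout)

# On builds with the silent fallback (upstream < 1.35, Debian 1.33-1 before
# +squeeze1) the only sign that verification was dropped is the carp() in the
# branch the patch removes. Turn exactly that warning into a fatal error so a
# connection can never continue with verification quietly disabled.
local $SIG{__WARN__} = sub {
    my $msg = shift;
    die "refusing to continue, verification was silently disabled: $msg"
        if $msg =~ /No certificate verification because neither SSL_ca_file nor SSL_ca_path known/;
    warn $msg;   # any other warning is passed through unchanged
};

# Request verification explicitly and say where the trust anchors live;
# do not rely on the module's defaults for either setting. On a fixed build
# an unloadable CA path makes new() return false with $SSL_ERROR set.
my $sock = IO::Socket::SSL->new(
    PeerAddr        => $host,
    PeerPort        => $port,
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_ca_path     => $ca_path,
) or die "TLS connect to $host:$port failed: $SSL_ERROR";

# A verified chain is not enough on its own: check that the certificate
# presented is actually for the host we asked for.
$sock->verify_hostname($host, 'http')
    or die "certificate presented by $host:$port does not match its name";

print "verified TLS connection to $host:$port established\n";
close $sock;
```

Run it against a host of your choice. On a fixed build the constructor returns false with $SSL_ERROR set whenever SSL_ca_path cannot be loaded; on a vulnerable build the __WARN__ hook dies inside new() before any application data is exchanged. The warning match is deliberately narrow to the message in the removed branch and is a stop-gap for hosts that have not yet received the patched package. The hostname check can equally be requested at construction time with SSL_verifycn_scheme => 'http' instead of calling verify_hostname afterwards.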