libio-socket-ssl-perl: IO::Socket::SSL ignores user request for peer verification

Related Vulnerabilities: CVE-2010-4334  

Debian Bug report logs - #606058
libio-socket-ssl-perl: IO::Socket::SSL ignores user request for peer verification


Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Mon, 6 Dec 2010 01:45:02 UTC

Severity: normal

Tags: patch, security

Found in versions libio-socket-ssl-perl/1.34-1, libio-socket-ssl-perl/1.33-1

Fixed in versions libio-socket-ssl-perl/1.35-1, libio-socket-ssl-perl/1.33-1+squeeze1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Ticket/Display.html?id=63637



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606058; Package libio-socket-ssl-perl. (Mon, 06 Dec 2010 01:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 06 Dec 2010 01:45:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libio-socket-ssl-perl: IO::Socket::SSL ignores user request for peer verification
Date: Sun, 05 Dec 2010 20:42:23 -0500
[Message part 1 (text/plain, inline)]
Package: libio-socket-ssl-perl
Version: 1.34-1
Severity: normal
Tags: patch , security

Using IO::Socket::SSL, if i set verify_mode to 0x03 (verify peer, fail
verification if no peer certificate exists), these requests are
removed unless i also supply either ca_file or ca_path.

This is demonstrably the wrong behavior if (for example) the user
supplies a verify_callback.

It also means that IO::Socket::SSL "fails open" if the user simply
forgets to supply information about the acceptable set of "trusted"
CAs -- which seems like a particularly bad thing for a module whose
explicit purpose is improving communications security.

While i'm glad that the module carps that it is failing open, there is
nothing in the documentation to suggest that this behavior will
happen, and, well, it just seems wrong that it happens in the first
place.

I'm attaching two (mutually exclusive) patches to resolve this.

The first patch (default-to-etc-ssl-certs.patch) is less aggressive --
if the user sets verify_mode to a non-zero value, but does not supply
either ca_file or ca_path, it uses /etc/ssl/certs as ca_path -- this
is managed by the sysadmin on debian systems, and is usually populated
by the ca-certificates package.

The second patch (no-default-ca-certs.patch) simply doesn't check for
this condition at all, and allows the underlying library to make the
decision.

Of the two patches, i prefer no-default-ca-certs.patch.

The documentation makes references to ca/ and certs/my-ca.pem -- if
these are actually used by the tool, then no-default-ca-certs.patch is
definitely the way to go.

           --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libio-socket-ssl-perl depends on:
ii  libnet-ssleay-perl            1.36-1     Perl module for Secure Sockets Lay
ii  netbase                       4.43       Basic TCP/IP networking system
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 

Versions of packages libio-socket-ssl-perl recommends:
ii  libnet-libidn-perl          0.12.ds-1+b1 Perl bindings for GNU Libidn

Versions of packages libio-socket-ssl-perl suggests:
pn  libio-socket-inet6-perl       <none>     (no description available)

-- no debconf information
[default-to-etc-ssl-certs.patch (text/x-diff, attachment)]
[no-default-ca-certs.patch (text/x-diff, attachment)]
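Added example, not taken from the bug report, the attached patches or the module's own test suite: a small regression check for the fail-open behaviour described above. It assumes the openssl command-line tool is available to mint a throwaway self-signed certificate, and that IO::Socket::SSL is installed; a fixed module refuses the connection, a fail-open module connects.

```perl
#!/usr/bin/perl
# Regression check (added example): a client that asks for peer
# verification but supplies no trust anchors must NOT be able to
# connect to a server presenting a self-signed certificate.
use strict;
use warnings;
use IO::Socket::SSL;          # exports $SSL_ERROR
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);
my ($key, $crt) = ("$dir/server.key", "$dir/server.crt");

# Throwaway self-signed certificate for the loopback address.
# Assumes the openssl CLI is on PATH.
system('openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-nodes',
       '-keyout', $key, '-out', $crt, '-days', '1',
       '-subj', '/CN=127.0.0.1') == 0
    or die "openssl req failed: $?";

# Local TLS server on an ephemeral port.
my $server = IO::Socket::SSL->new(
    LocalAddr     => '127.0.0.1',
    LocalPort     => 0,
    Listen        => 1,
    SSL_cert_file => $crt,
    SSL_key_file  => $key,
) or die "server setup failed: $SSL_ERROR";
my $port = $server->sockport;

my $pid = fork();
die "fork failed: $!" unless defined $pid;
if ($pid == 0) {
    # Child: accept exactly one connection (the handshake runs here),
    # whether or not it succeeds, then exit.
    my $client = $server->accept;
    close($client) if $client;
    exit 0;
}

# Parent: the client under test. verify_mode 0x03 is
# VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, exactly as in the report,
# and SSL_ca_file / SSL_ca_path are deliberately left unset.
my $sock = IO::Socket::SSL->new(
    PeerAddr        => '127.0.0.1',
    PeerPort        => $port,
    SSL_verify_mode => 0x03,
);
waitpid($pid, 0);

if ($sock) {
    # Handshake succeeded against an untrusted certificate: the
    # requested verification was silently dropped (fails open).
    print "FAIL: connected to an unverifiable peer\n";
    exit 1;
}
# Expected outcome on a fixed module: the handshake is rejected.
print "OK: connection refused: $SSL_ERROR\n";
exit 0;
```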

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606058; Package libio-socket-ssl-perl. (Mon, 06 Dec 2010 06:57:13 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 06 Dec 2010 06:57:13 GMT) (full text, mbox, link).


Message #10 received at 606058@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: bug-IO-Socket-SSL@rt.cpan.org
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 606058@bugs.debian.org
Subject: IO::Socket::SSL ignores user request for peer verification
Date: Mon, 6 Dec 2010 07:55:46 +0100
[Message part 1 (text/plain, inline)]
Hi Daniel, Hi Steffen

Daniel Kahn Gillmor reported to our Bugtracker in Debian the report
below (See: http://bugs.debian.org/606058). Steffen, what do you
think would be best?

Bests
Salvatore

----- Forwarded message from Daniel Kahn Gillmor <dkg@fifthhorseman.net> -----

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Resent-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Reply-To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
	606058@bugs.debian.org
X-Mailer: reportbug 4.12.6
Date: Sun, 05 Dec 2010 20:42:23 -0500
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#606058: libio-socket-ssl-perl: IO::Socket::SSL ignores user
	request for peer verification


diff --git a/SSL.pm b/SSL.pm
index ffb4029..7c8861b 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1367,8 +1367,11 @@ sub new {
 		! Net::SSLeay::CTX_load_verify_locations(
 			$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
 		if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
-			carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
-			$verify_mode = Net::SSLeay::VERIFY_NONE();
+			carp("verify requested, but neither SSL_ca_file nor SSL_ca_path known; defaulting to SSL_ca_path = /etc/ssl/certs");
+                        $arg_hash->{SSL_ca_path} = '/etc/ssl/certs';
+                        if ( ! Net::SSLeay::CTX_load_verify_locations($ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '/etc/ssl/certs') ) {
+                          return IO::Socket::SSL->error("Error loading default ca_path /etc/ssl/certs ");
+                        }
 		} else {
 			return IO::Socket::SSL->error("Invalid certificate authority locations");
 		}
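Review bot: the fallback in the new CTX_load_verify_locations call, `$arg_hash->{SSL_ca_path} || '/etc/ssl/certs'`, is dead code: the line just above has already assigned `$arg_hash->{SSL_ca_path} = '/etc/ssl/certs'`, so pass the variable alone. The hard-coded /etc/ssl/certs is a Debian convention inside a module upstream ships cross-platform; if this variant is kept, the path belongs in one named default that the POD documents rather than three literals spread over the branch. The carp text should also make clear that verification stays in effect (it now reads as a warning about a downgrade that no longer happens), and the added lines use space indentation where the surrounding block uses tabs.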

diff --git a/SSL.pm b/SSL.pm
index ffb4029..4d20dd7 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1364,14 +1364,10 @@ sub new {
 
 	my $verify_mode = $arg_hash->{SSL_verify_mode};
 	if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
-		! Net::SSLeay::CTX_load_verify_locations(
+             ( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and
+             ! Net::SSLeay::CTX_load_verify_locations(
 			$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
-		if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
-			carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
-			$verify_mode = Net::SSLeay::VERIFY_NONE();
-		} else {
-			return IO::Socket::SSL->error("Invalid certificate authority locations");
-		}
+          return IO::Socket::SSL->error("Invalid certificate authority locations");
 	}
 
 	if ($arg_hash->{'SSL_check_crl'}) {
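Review bot: with the new `( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and` guard, the case where neither option is set now skips CTX_load_verify_locations entirely and leaves $verify_mode at the value the caller asked for, which is the fail-closed behaviour the report wants; but the removed carp was the only notice users got, so the POD for SSL_verify_mode should state that a non-zero mode without SSL_ca_file or SSL_ca_path will reject peers unless the caller's verify callback or the underlying library accepts them. The `+` lines are indented with spaces while the context uses tabs; match the surrounding indentation.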


----- End forwarded message -----
[default-to-etc-ssl-certs.patch (text/x-diff, attachment)]
[no-default-ca-certs.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Set Bug forwarded-to-address to 'https://rt.cpan.org/Ticket/Display.html?id=63637'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 Dec 2010 07:03:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606058; Package libio-socket-ssl-perl. (Mon, 06 Dec 2010 07:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 06 Dec 2010 07:39:05 GMT) (full text, mbox, link).


Message #17 received at 606058@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: bug-IO-Socket-SSL@rt.cpan.org, 606058@bugs.debian.org
Subject: [rt.cpan.org #63637] Re: IO::Socket::SSL ignores user request for peer verification
Date: Mon, 06 Dec 2010 02:25:09 -0500
[Message part 1 (text/plain, inline)]
Thanks for forwarding this, Salvatore--

On 12/06/2010 01:55 AM, Salvatore Bonaccorso wrote:
> Of the two patches, i prefer no-default-ca-certs.patch.
> 
> The documentation makes references to ca/ and certs/my-ca.pem -- if
> these are actually used by the tool, then no-default-ca-certs.patch is
> definitely the way to go.

Hrm, as i look at it further, i'm not entirely sure that
no-default-ca-certs operates as expected for users who rely on the
defaults of ca/ or certs/my-ca.pem.

I do think that IO::Socket::SSL needs to fail *closed* though, and not
revert to accepting unverified connections in the event that the user
forgets to specify CAs (or fails to correctly populate the default
locations).

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606058; Package libio-socket-ssl-perl. (Mon, 06 Dec 2010 08:45:06 GMT) (full text, mbox, link).


Message #20 received at 606058@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 606058@bugs.debian.org, 606058-submitter@bugs.debian.org
Subject: Bug in libio-socket-ssl-perl fixed in revision 65548
Date: Mon, 06 Dec 2010 08:40:04 +0000
tag 606058 + pending
thanks

Some bugs are closed in revision 65548
by Salvatore Bonaccorso (carnil)

Commit message:

New upstream release (Closes: #606058).




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 06 Dec 2010 08:45:07 GMT) (full text, mbox, link).


Message sent on to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#606058. (Mon, 06 Dec 2010 08:45:10 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 06 Dec 2010 10:06:08 GMT) (full text, mbox, link).


Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer. (Mon, 06 Dec 2010 10:06:08 GMT) (full text, mbox, link).


Message #30 received at 606058-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 606058-close@bugs.debian.org
Subject: Bug#606058: fixed in libio-socket-ssl-perl 1.35-1
Date: Mon, 06 Dec 2010 10:02:20 +0000
Source: libio-socket-ssl-perl
Source-Version: 1.35-1

We believe that the bug you reported is fixed in the latest version of
libio-socket-ssl-perl, which is due to be installed in the Debian FTP archive:

libio-socket-ssl-perl_1.35-1.debian.tar.gz
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.35-1.debian.tar.gz
libio-socket-ssl-perl_1.35-1.dsc
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.35-1.dsc
libio-socket-ssl-perl_1.35-1_all.deb
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.35-1_all.deb
libio-socket-ssl-perl_1.35.orig.tar.gz
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.35.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 606058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libio-socket-ssl-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 06 Dec 2010 10:48:05 +0100
Source: libio-socket-ssl-perl
Binary: libio-socket-ssl-perl
Architecture: source all
Version: 1.35-1
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libio-socket-ssl-perl - Perl module implementing object oriented interface to SSL sockets
Closes: 606058
Changes: 
 libio-socket-ssl-perl (1.35-1) unstable; urgency=low
 .
   * New upstream release (Closes: #606058).
   * Refresh debian/copyright: Update copyright information for debian/*
     packaging stanza.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606058; Package libio-socket-ssl-perl. (Thu, 09 Dec 2010 09:48:05 GMT) (full text, mbox, link).


Message #33 received at 606058@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 606058@bugs.debian.org, 606058-submitter@bugs.debian.org
Subject: Bug in fixed in revision 65625
Date: Thu, 09 Dec 2010 09:44:28 +0000
tag 606058 + pending
thanks

Some bugs are closed in revision 65625
by Salvatore Bonaccorso (carnil)

Commit message:

* Change my email address.
* Add CVE-2010-4334.patch patch to fix that IO::Socket::SSL verify peer mode
  is ignored if no cert is supplied. This is CVE-2010-4334.
  (Closes: #606058).
* debian/control: Bump debhelper versioned Build-Depends to (>= 7.0.8) and
  add quilt (>= 0.46-7).
* debian/rules: Add quilt framework.




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 09 Dec 2010 09:48:09 GMT) (full text, mbox, link).


Message sent on to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#606058. (Thu, 09 Dec 2010 09:48:11 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 09 Dec 2010 14:51:05 GMT) (full text, mbox, link).


Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer. (Thu, 09 Dec 2010 14:51:05 GMT) (full text, mbox, link).


Message #43 received at 606058-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 606058-close@bugs.debian.org
Subject: Bug#606058: fixed in libio-socket-ssl-perl 1.33-1+squeeze1
Date: Thu, 09 Dec 2010 14:47:34 +0000
Source: libio-socket-ssl-perl
Source-Version: 1.33-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libio-socket-ssl-perl, which is due to be installed in the Debian FTP archive:

libio-socket-ssl-perl_1.33-1+squeeze1.diff.gz
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.33-1+squeeze1.diff.gz
libio-socket-ssl-perl_1.33-1+squeeze1.dsc
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.33-1+squeeze1.dsc
libio-socket-ssl-perl_1.33-1+squeeze1_all.deb
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.33-1+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 606058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libio-socket-ssl-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 09 Dec 2010 10:56:23 +0100
Source: libio-socket-ssl-perl
Binary: libio-socket-ssl-perl
Architecture: source all
Version: 1.33-1+squeeze1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libio-socket-ssl-perl - Perl module implementing object oriented interface to SSL sockets
Closes: 606058
Changes: 
 libio-socket-ssl-perl (1.33-1+squeeze1) testing-proposed-updates; urgency=low
 .
   * Change my email address.
   * Patch SSL.pm to fix vulnerability with IO::Socket::SSL verify peer
     mode which is ignored if no cert is supplied. This is CVE-2010-4334.
     (Closes: #606058).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606058; Package libio-socket-ssl-perl. (Thu, 09 Dec 2010 17:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 09 Dec 2010 17:18:03 GMT) (full text, mbox, link).


Message #48 received at 606058@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: 606058@bugs.debian.org
Subject: Stable?
Date: Thu, 9 Dec 2010 17:15:41 +0000
Hello,

Has anyone checked to see whether this security issue applies to stable?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606058; Package libio-socket-ssl-perl. (Thu, 09 Dec 2010 22:03:09 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 09 Dec 2010 22:03:09 GMT) (full text, mbox, link).


Message #53 received at 606058@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 606058@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#606058: Stable?
Date: Thu, 9 Dec 2010 23:00:53 +0100
[Message part 1 (text/plain, inline)]
Hi Dominic

On Thu, Dec 09, 2010 at 05:15:41PM +0000, Dominic Hargreaves wrote:
> Has anyone checked to see whether this security issue applies to stable?

Not yet checked, at least not by me; so far I have done only the unstable
upload, and now the t-p-u upload. I am adding Moritz, in case he already did?

In lenny we have:

---(snip)---------------------------------------------------------------
    my $verify_mode = $arg_hash->{SSL_verify_mode};
    unless ($verify_mode == Net::SSLeay::VERIFY_NONE()) {
        Net::SSLeay::CTX_load_verify_locations(
            $ctx, $arg_hash->{SSL_ca_file},$arg_hash->{SSL_ca_path}
        ) || return IO::Socket::SSL->error("Invalid certificate authority locations");
    }
------------------------------------------------------------------------

So here we do not change the verify_mode. So IMHO lenny should be ok,
right?

Bests
Salvatore
[signature.asc (application/pgp-signature, inline)]

Bug Marked as found in versions libio-socket-ssl-perl/1.33-1; no longer marked as fixed in versions libio-socket-ssl-perl/1.33-1+squeeze1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 Dec 2010 22:18:02 GMT) (full text, mbox, link).


Bug Marked as fixed in versions libio-socket-ssl-perl/1.33-1+squeeze1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 Dec 2010 22:24:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#606058; Package libio-socket-ssl-perl. (Sun, 19 Dec 2010 12:45:08 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 19 Dec 2010 12:45:08 GMT) (full text, mbox, link).


Message #62 received at 606058@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 606058@bugs.debian.org
Subject: Re: Bug#606058: Stable?
Date: Sun, 19 Dec 2010 12:40:17 +0000
On Thu, Dec 09, 2010 at 11:00:53PM +0100, Salvatore Bonaccorso wrote:
> Hi Dominic
> 
> On Thu, Dec 09, 2010 at 05:15:41PM +0000, Dominic Hargreaves wrote:
> > Has anyone checked to see whether this security issue applies to stable?
> 
> Not yet checked, at least me, so far I have done only first unstable,
> now t-p-u upload. I add Moritz, in case he already did?
> 
> In lenny we have:
> 
> ---(snip)---------------------------------------------------------------
>     my $verify_mode = $arg_hash->{SSL_verify_mode};
>     unless ($verify_mode == Net::SSLeay::VERIFY_NONE()) {
>         Net::SSLeay::CTX_load_verify_locations(
>             $ctx, $arg_hash->{SSL_ca_file},$arg_hash->{SSL_ca_path}
>         ) || return IO::Socket::SSL->error("Invalid certificate authority locations");                               
>     }
> ------------------------------------------------------------------------
> 
> So here we do not change the verify_mode. So IMHO lenny should be ok,
> right?

I'm not familiar with the details of the problem, but this sounds
plausible. Thanks for checking.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Jan 2011 07:34:04 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:14:51 2019; Machine Name: buxtehude
