r65625 - in /branches/squeeze/libio-socket-ssl-perl/debian: changelog control copyright patches/ patches/CVE-2010-4334.patch patches/series rules

carnil at users.alioth.debian.org carnil at users.alioth.debian.org
Thu Dec 9 09:44:29 UTC 2010


Author: carnil
Date: Thu Dec  9 09:44:19 2010
New Revision: 65625

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=65625
Log:
* Change my email address.
* Add CVE-2010-4334.patch patch to fix that IO::Socket::SSL verify peer mode
  is ignored if no cert is supplied. This is CVE-2010-4334.
  (Closes: #606058).
* debian/control: Bump debhelper versioned Build-Depends to (>= 7.0.8) and
  add quilt (>= 0.46-7).
* debian/rules: Add quilt framework.

Added:
    branches/squeeze/libio-socket-ssl-perl/debian/patches/
    branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch
    branches/squeeze/libio-socket-ssl-perl/debian/patches/series
Modified:
    branches/squeeze/libio-socket-ssl-perl/debian/changelog
    branches/squeeze/libio-socket-ssl-perl/debian/control
    branches/squeeze/libio-socket-ssl-perl/debian/copyright
    branches/squeeze/libio-socket-ssl-perl/debian/rules

Modified: branches/squeeze/libio-socket-ssl-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/changelog?rev=65625&op=diff
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/changelog (original)
+++ branches/squeeze/libio-socket-ssl-perl/debian/changelog Thu Dec  9 09:44:19 2010
@@ -1,3 +1,15 @@
+libio-socket-ssl-perl (1.33-1+squeeze1) testing-proposed-updates; urgency=low
+
+  * Change my email address.
+  * Add CVE-2010-4334.patch patch to fix that IO::Socket::SSL verify peer mode
+    is ignored if no cert is supplied. This is CVE-2010-4334.
+    (Closes: #606058).
+  * debian/control: Bump debhelper versioned Build-Depends to (>= 7.0.8) and
+    add quilt (>= 0.46-7).
+  * debian/rules: Add quilt framework.
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Thu, 09 Dec 2010 10:39:03 +0100
+
 libio-socket-ssl-perl (1.33-1) unstable; urgency=low
 
   * New upstream release
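Review bot: The new 1.33-1+squeeze1 entry is marked urgency=low although its second bullet is a fix for CVE-2010-4334, a case where a requested peer verification is silently skipped. Consider raising the urgency so the entry reflects that this is a security upload, and rewording "to fix that IO::Socket::SSL verify peer mode is ignored" to something like "Fix SSL_verify_mode being ignored when no CA file or path is supplied" so the impact is clear to someone reading only the changelog.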

Modified: branches/squeeze/libio-socket-ssl-perl/debian/control
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/control?rev=65625&op=diff
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/control (original)
+++ branches/squeeze/libio-socket-ssl-perl/debian/control Thu Dec  9 09:44:19 2010
@@ -5,9 +5,9 @@
 Uploaders: gregor herrmann <gregoa at debian.org>,
  Ansgar Burchardt <ansgar at 43-1.org>, Rene Mayorga <rmayorga at debian.org>,
  Antonio Radici <antonio at dyne.org>,
- Salvatore Bonaccorso <salvatore.bonaccorso at gmail.com>,
+ Salvatore Bonaccorso <carnil at debian.org>,
  Angel Abad <angelabad at gmail.com>
-Build-Depends: debhelper (>= 7)
+Build-Depends: debhelper (>= 7.0.8), quilt (>= 0.46-7)
 Build-Depends-Indep: libio-socket-inet6-perl, libnet-libidn-perl,
  libnet-ssleay-perl (>= 1.35), netbase, perl
 Standards-Version: 3.8.4

Modified: branches/squeeze/libio-socket-ssl-perl/debian/copyright
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/copyright?rev=65625&op=diff
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/copyright (original)
+++ branches/squeeze/libio-socket-ssl-perl/debian/copyright Thu Dec  9 09:44:19 2010
@@ -19,7 +19,7 @@
  2008, Mark Hymers <mhy at debian.org>
  2008, Rene Mayorga <rmayorga at debian.org.sv>
  2009, Antonio Radici <antonio at dyne.org>
- 2009, Salvatore Bonaccorso <salvatore.bonaccorso at gmail.com>
+ 2009, Salvatore Bonaccorso <carnil at debian.org>
  2010, Angel Abad <angelabad at gmail.com>
 License: Artistic or GPL-1+
 

Added: branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch?rev=65625&op=file
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch (added)
+++ branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch Thu Dec  9 09:44:19 2010
@@ -1,0 +1,35 @@
+Description: IO::Socket::SSL verify peer mode ignored if no cert
+ supplied. (CVE-2010-4334)
+ .
+ Patch changes the following:
+ .
+ - the default verify_mode stays verify_none
+ - if the user wants a different verify_mode SSL.pm should not ignore
+   the users request if it will not work or set some undocumented
+   defaults, but throw an error
+ - the default for SSL_ca_file and SSL_ca_path will stay because
+   they were documented for a long time.  
+Origin: upstream
+Bug: https://rt.cpan.org/Ticket/Display.html?id=63637
+Bug-Debian: http://bugs.debian.org/606058
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2010-12-09
+
+--- a/SSL.pm
++++ b/SSL.pm
+@@ -1370,12 +1370,7 @@
+ 	if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and 
+ 		! Net::SSLeay::CTX_load_verify_locations( 
+ 			$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
+-		if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
+-			carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
+-			$verify_mode = Net::SSLeay::VERIFY_NONE();
+-		} else {
+-			return IO::Socket::SSL->error("Invalid certificate authority locations");
+-		}
++		return IO::Socket::SSL->error("Invalid certificate authority locations");
+ 	}
+ 
+ 	if ($arg_hash->{'SSL_check_crl'}) {
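Review bot: With the inner if/else removed, the single remaining return reports "Invalid certificate authority locations" even when neither SSL_ca_file nor SSL_ca_path was given, which is exactly the case that used to carp and fall back to VERIFY_NONE. Callers that relied on that fallback will now get a hard error whose text does not tell them that no CA location was configured; a message naming SSL_ca_file and SSL_ca_path for that case, or a NEWS.Debian entry describing the behaviour change, would make the failure easier to diagnose. In the patch header, "Origin: upstream" sits next to "Author:" and "Reviewed-by:" that both name the packager; if the change was written upstream, Author should name the upstream author, and the same person should not be listed as both author and reviewer. The description line "they were documented for a long time." also carries trailing whitespace.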

Added: branches/squeeze/libio-socket-ssl-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/patches/series?rev=65625&op=file
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/patches/series (added)
+++ branches/squeeze/libio-socket-ssl-perl/debian/patches/series Thu Dec  9 09:44:19 2010
@@ -1,0 +1,1 @@
+CVE-2010-4334.patch

Modified: branches/squeeze/libio-socket-ssl-perl/debian/rules
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/rules?rev=65625&op=diff
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/rules (original)
+++ branches/squeeze/libio-socket-ssl-perl/debian/rules Thu Dec  9 09:44:19 2010
@@ -1,4 +1,4 @@
 #!/usr/bin/make -f
 
 %:
-	dh $@
+	dh $@ --with quilt
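Review bot: Switching the build to "dh $@ --with quilt" introduces a patch system, but the Added list for this revision contains only debian/patches/ and its two files, with no debian/README.source. If the package does not already have one, add a short README.source pointing at the quilt documentation so that someone unpacking the source knows the patches in debian/patches/series must be applied before the tree matches what gets built.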



