r65625 - in /branches/squeeze/libio-socket-ssl-perl/debian: changelog control copyright patches/ patches/CVE-2010-4334.patch patches/series rules
carnil at users.alioth.debian.org
Thu Dec 9 09:44:29 UTC 2010
Author: carnil
Date: Thu Dec 9 09:44:19 2010
New Revision: 65625
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=65625
Log:
* Change my email address.
* Add CVE-2010-4334.patch patch to fix that IO::Socket::SSL verify peer mode
is ignored if no cert is supplied. This is CVE-2010-4334.
(Closes: #606058).
* debian/control: Bump debhelper versioned Build-Depends to (>= 7.0.8) and
add quilt (>= 0.46-7).
* debian/rules: Add quilt framework.
Added:
branches/squeeze/libio-socket-ssl-perl/debian/patches/
branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch
branches/squeeze/libio-socket-ssl-perl/debian/patches/series
Modified:
branches/squeeze/libio-socket-ssl-perl/debian/changelog
branches/squeeze/libio-socket-ssl-perl/debian/control
branches/squeeze/libio-socket-ssl-perl/debian/copyright
branches/squeeze/libio-socket-ssl-perl/debian/rules
Modified: branches/squeeze/libio-socket-ssl-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/changelog?rev=65625&op=diff
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/changelog (original)
+++ branches/squeeze/libio-socket-ssl-perl/debian/changelog Thu Dec 9 09:44:19 2010
@@ -1,3 +1,15 @@
+libio-socket-ssl-perl (1.33-1+squeeze1) testing-proposed-updates; urgency=low
+
+ * Change my email address.
+ * Add CVE-2010-4334.patch patch to fix that IO::Socket::SSL verify peer mode
+ is ignored if no cert is supplied. This is CVE-2010-4334.
+ (Closes: #606058).
+ * debian/control: Bump debhelper versioned Build-Depends to (>= 7.0.8) and
+ add quilt (>= 0.46-7).
+ * debian/rules: Add quilt framework.
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Thu, 09 Dec 2010 10:39:03 +0100
+
libio-socket-ssl-perl (1.33-1) unstable; urgency=low
* New upstream release
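Review bot: urgency=low on the first line of the new entry sits oddly with an entry whose main item is the CVE-2010-4334 fix; consider a higher urgency, or confirm that low is intended for a testing-proposed-updates upload. The entry also does not tell users about the visible behaviour change: with a verify mode other than none and no usable SSL_ca_file or SSL_ca_path, the patched SSL.pm now returns an error where it used to carp and continue unverified. A short sentence saying so would help anyone whose scripts start failing after the upgrade.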
Modified: branches/squeeze/libio-socket-ssl-perl/debian/control
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/control?rev=65625&op=diff
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/control (original)
+++ branches/squeeze/libio-socket-ssl-perl/debian/control Thu Dec 9 09:44:19 2010
@@ -5,9 +5,9 @@
Uploaders: gregor herrmann <gregoa at debian.org>,
Ansgar Burchardt <ansgar at 43-1.org>, Rene Mayorga <rmayorga at debian.org>,
Antonio Radici <antonio at dyne.org>,
- Salvatore Bonaccorso <salvatore.bonaccorso at gmail.com>,
+ Salvatore Bonaccorso <carnil at debian.org>,
Angel Abad <angelabad at gmail.com>
-Build-Depends: debhelper (>= 7)
+Build-Depends: debhelper (>= 7.0.8), quilt (>= 0.46-7)
Build-Depends-Indep: libio-socket-inet6-perl, libnet-libidn-perl,
libnet-ssleay-perl (>= 1.35), netbase, perl
Standards-Version: 3.8.4
Modified: branches/squeeze/libio-socket-ssl-perl/debian/copyright
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/copyright?rev=65625&op=diff
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/copyright (original)
+++ branches/squeeze/libio-socket-ssl-perl/debian/copyright Thu Dec 9 09:44:19 2010
@@ -19,7 +19,7 @@
2008, Mark Hymers <mhy at debian.org>
2008, Rene Mayorga <rmayorga at debian.org.sv>
2009, Antonio Radici <antonio at dyne.org>
- 2009, Salvatore Bonaccorso <salvatore.bonaccorso at gmail.com>
+ 2009, Salvatore Bonaccorso <carnil at debian.org>
2010, Angel Abad <angelabad at gmail.com>
License: Artistic or GPL-1+
Added: branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch?rev=65625&op=file
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch (added)
+++ branches/squeeze/libio-socket-ssl-perl/debian/patches/CVE-2010-4334.patch Thu Dec 9 09:44:19 2010
@@ -1,0 +1,35 @@
+Description: IO::Socket::SSL verify peer mode ignored if no cert
+ supplied. (CVE-2010-4334)
+ .
+ Patch changes the following:
+ .
+ - the default verify_mode stays verify_none
+ - if the user wants a different verify_mode SSL.pm should not ignore
+ the users request if it will not work or set some undocumented
+ defaults, but throw an error
+ - the default for SSL_ca_file and SSL_ca_path will stay because
+ they were documented for a long time.
+Origin: upstream
+Bug: https://rt.cpan.org/Ticket/Display.html?id=63637
+Bug-Debian: http://bugs.debian.org/606058
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2010-12-09
+
+--- a/SSL.pm
++++ b/SSL.pm
+@@ -1370,12 +1370,7 @@
+ if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
+ ! Net::SSLeay::CTX_load_verify_locations(
+ $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
+- if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
+- carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
+- $verify_mode = Net::SSLeay::VERIFY_NONE();
+- } else {
+- return IO::Socket::SSL->error("Invalid certificate authority locations");
+- }
++ return IO::Socket::SSL->error("Invalid certificate authority locations");
+ }
+
+ if ($arg_hash->{'SSL_check_crl'}) {
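Review bot: the one remaining return IO::Socket::SSL->error("Invalid certificate authority locations") now also fires when both $arg_hash->{SSL_ca_file} and $arg_hash->{SSL_ca_path} are empty, the case the removed carp used to name explicitly. Failing closed instead of resetting $verify_mode to Net::SSLeay::VERIFY_NONE() is the right change, but the message suggests a bad path rather than a missing one, so a caller hitting the new error gets less guidance than the old warning gave; a message that mentions SSL_ca_file and SSL_ca_path would make the failure self-explanatory. In the patch header, Origin: upstream combined with Author: and Reviewed-by: naming the same person is inconsistent; Author should name whoever wrote the change upstream. The hunk also carries no test for the no-CA case, so a regression back to the silent downgrade would go unnoticed.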
Added: branches/squeeze/libio-socket-ssl-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/patches/series?rev=65625&op=file
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/patches/series (added)
+++ branches/squeeze/libio-socket-ssl-perl/debian/patches/series Thu Dec 9 09:44:19 2010
@@ -1,0 +1,1 @@
+CVE-2010-4334.patch
Modified: branches/squeeze/libio-socket-ssl-perl/debian/rules
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libio-socket-ssl-perl/debian/rules?rev=65625&op=diff
==============================================================================
--- branches/squeeze/libio-socket-ssl-perl/debian/rules (original)
+++ branches/squeeze/libio-socket-ssl-perl/debian/rules Thu Dec 9 09:44:19 2010
@@ -1,4 +1,4 @@
#!/usr/bin/make -f
%:
- dh $@
+ dh $@ --with quilt
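Review bot: dh $@ --with quilt introduces a patch system, but the Added list of this commit shows no debian/README.source alongside debian/patches/series. With Standards-Version 3.8.4 in debian/control, a README.source explaining that patches are managed with quilt is expected; adding one (or pointing to the file shipped by the quilt package) would complete the change. The build dependency on quilt (>= 0.46-7) and debhelper (>= 7.0.8) that this line needs is present in the control hunk.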