Bug#1064058: libxml-stream-perl: TLS/SSL broken with IO-Socket-SSL >= 2.078 when hostname verification is enabled

Manfred Stock m-debian at nfred.ch
Fri Feb 16 14:56:04 GMT 2024


Package: libxml-stream-perl
Version: 1.24-4
Severity: normal
Tags: upstream
Control: affects -1 sendxmpp libnet-xmpp-perl

Dear Maintainers,

after upgrading to Debian Bookworm, we noticed that the sendxmpp command
line tool was not working anymore in our setup. During the investigation
of this issue, I noticed that downgrading IO-Socket-SSL to the version
in Bullseye made sendxmpp work again. I then started to try all versions
of IO-Socket-SSL between the version in Bullseye and the one in Bookworm
and found that it stopped working with version 2.078. Eventually, I came
up with a pull request [1] containing a patch that fixed it for us -
apparently, the way XML-Stream was using IO-Socket-SSL most likely
always resulted in the hostname verification being done against the IP
address of the peer instead of an actual hostname, which was always
considered to be successful in IO-Socket-SSL < 2.078, but not anymore in
newer versions.

Since the upstream seems quite inactive, it might be worth considering
to add this or a similar patch to the package in Debian, as I came
across several other bug reports in the Debian BTS which might actually
be caused by this issue, like #986971 [2], #1032868 [3] and maybe also
#1050336 [4] - at least the error messages in the first two look very
similar to what I saw.

Cheers,
Manfred

[1]: https://github.com/dap/XML-Stream/pull/28
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986971
[3]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032868
[4]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050336

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8), LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages libxml-stream-perl depends on:
ii  libauthen-sasl-perl    2.1600-3
ii  libio-socket-ssl-perl  2.081-2
ii  perl                   5.36.0-7+deb12u1

libxml-stream-perl recommends no packages.

Versions of packages libxml-stream-perl suggests:
ii  libnet-dns-perl  1.36-1

-- no debconf information
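
An added illustration (not part of the report and not the patch from the pull request) of why an identity check against the peer's IP address fails for a certificate that names only the host. It calls IO::Socket::SSL's verify_hostname_of_cert helper, the function behind the verify_hostname method; the host name, address and certificate are constructed sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils qw(CERT_create CERT_free KEY_free);

# Constructed sample data: a throwaway self-signed certificate that names the
# service only by DNS name (no IP subjectAltName).
my $host    = 'xmpp.example.test';   # name the client was asked to connect to
my $peer_ip = '192.0.2.10';          # address that name resolved to
my ($cert, $key) = CERT_create(
    subject         => { commonName => $host },
    subjectAltNames => [ [ DNS => $host ] ],
);

# Check one candidate identity against the certificate under the 'xmpp'
# verification scheme. On a live client the identity comes from the
# SSL_verifycn_name option (with SSL_verifycn_scheme selecting the scheme).
sub identity_ok {
    my ($identity) = @_;
    return IO::Socket::SSL::verify_hostname_of_cert($identity, $cert, 'xmpp')
        ? 1 : 0;
}

# The IP address is not listed in the certificate, so only the host name
# the certificate was issued for passes the check.
printf "%-20s %s\n", $_, identity_ok($_) ? 'matches' : 'does NOT match'
    for $peer_ip, $host, 'other.example.test';

CERT_free($cert);
KEY_free($key);
```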


