Dear Release Team I just uploaded libio-socket-ssl-perl 1.35-1 to unstable fixing Bug #606058 (http://bugs.debian.org/606058) (Severity normal, tagged security). The change done by upstream is, that if the verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid then IO::Socket::SSL will not fall back to VERIFY_NONE but at least throw an error to inform the user. The reasoning from upstream is: > I've changed it for version 1.35 like given in the > no-defaults-cacert.patch, e.g. > > - the default verify_mode stays verify_none > - if the user wants a different verify_mode SSL.pm should not ignore > the users request if it will not work or set some undocumented > defaults, but throw an error > - the default for SSL_ca_file and SSL_ca_path will stay because > they were documented for a long time. > > > Actually, i'm not that happy with having these defaults for SSL_ca_* > and SSL_verify_mode but would rather have the user to explicitly > specify mode and path - it's a security decision which should not have > any defaults. > But because it was forever like this I risk to break some application > due to this, so I rather do it later after finding a strategy of not > breaking to much. If you would agree on it, should I prepare an upload too for t-p-u for it? The changes done by upstream are the following: ---(SSL.pm)------------------------------------------------------------- @@ -78,7 +78,7 @@ BEGIN { }) { @ISA = qw(IO::Socket::INET); } - $VERSION = '1.34'; + $VERSION = '1.35'; $GLOBAL_CONTEXT_ARGS = {}; #Make $DEBUG another name for $Net::SSLeay::trace @@ -1366,12 +1366,7 @@ sub new { if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and ! Net::SSLeay::CTX_load_verify_locations( $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) { - if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) { - carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known"); - $verify_mode = Net::SSLeay::VERIFY_NONE(); - } else { - return IO::Socket::SSL->error("Invalid certificate authority locations"); - } + return IO::Socket::SSL->error("Invalid certificate authority locations"); } if ($arg_hash->{'SSL_check_crl'}) { ------------------------------------------------------------------------ See: http://search.cpan.org/diff?from=IO-Socket-SSL-1.34&to=IO-Socket-SSL-1.35 If you have time so far, could you give some advice? Thanks a lot for your work towards releasing Squeeze! Bests Salvatore
Attachment:
signature.asc
Description: Digital signature