
Re: Bug#954089: libplack-perl: Please verify server identity via SSL



Hi Damyan,

On Mon, Mar 16, 2020 at 10:29 AM Damyan Ivanov <dmn@debian.org> wrote:
>
> Any idea how many packages are we talking about?

Below is my working list for filing bugs. It is based on a full text
search from codesearch.d.n.

My designations may not be entirely consistent, but in general 'good'
means that verify_SSL was turned on (or SSL_verify_mode was set in
SSL_options) while 'fpos' means it was a false positive that mentioned
HTTP::Tiny but did not use it.

As a side note, the POD for HTTP::Tiny is ambiguous about whether to use
'verify_SSL' or 'SSL_verify'.

If we fix the issue on the consumer side, as suggested by the security
team, we should also include the consumers of many libraries on this
list, such as HTTP::Thin. Please see #954057 for details.

Kind regards
Felix Lechner

#954040 cpanminus
#954041 cpanoutdated
 [good] devscripts
#954042 inxi
 [fpos] libalien-gnuplot-perl
#954043 libcpan-common-index-perl
#954044 libcpan-perl-releases-perl
#954045 libcpanplus-perl
#954046 libcpan-sqlite-perl
 [http] libdancer2-perl
 [http] libdancer-perl
 [fpos] libdbix-class-schema-loader-perl
#954054 libdist-inkt-role-test-perl
 [fpos] libfile-slurp-perl
#954051 libgitlab-api-v4-perl
 [fpos] libhijk-perl
#954056 libhtml-html5-parser-perl
 [fpos] libhttp-lite-perl
#954057 libhttp-thin-perl
#954058 libhttp-tinyish-perl
libhttp-tiny-multipart-perl
libhttp-tiny-perl
 [????] libio-socket-ssl-perl
 [fpos] liblexical-accessor-perl
 [good] libmenlo-legacy-perl
#954059 libmenlo-perl
#954083 libmetacpan-client-perl
 [fpos] libmodule-corelist-perl
 [fpos] libmongodb-perl
 [test] libmoo-perl
#954084 libnanomsg-raw-perl
 [fpos] libnet-ssleay-perl
#954085 libpandoc-wrapper-perl
 [fpos] libparallel-forkmanager-perl
#954089 libplack-perl
 [good] libprotocol-acme-perl
librole-rest-client-perl
libsearch-elasticsearch-perl
libspreadsheet-readsxc-perl
libtask-kensho-perl
liburi-encode-perl
#954048 libwww-oauth-perl
 [fpos] libyahc-perl
 [good] ntp
 [fpos] percona-toolkit
perl
 [fpos] pinto
#954038 pkg-perl-tools
#954047 pmuninstall
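
The triage rule described in the message above ('good', 'fpos', or a bug to file), sketched as an added example; it is not part of the original message and not the tooling used to build the list. The function name `classify`, the label `bug`, and the Perl snippets in `SAMPLES` are constructed for illustration, and the regexes are a heuristic that assumes the constructor is called literally as `HTTP::Tiny->new`.

```python
import re

# Mentions inside POD or comments are not use of the module ('fpos' in the list).
POD = re.compile(r"(?ms)^=[a-zA-Z].*?(?:^=cut\b[^\n]*|\Z)")
COMMENT = re.compile(r"(?m)(?:^|(?<=\s))#.*$")
# A constructor call; 'args' is everything up to the end of the statement.
CALL = re.compile(r"HTTP::Tiny\s*->\s*new\b(?P<args>[^;]*)")
# verify_SSL set to something other than an obviously false literal.
VERIFY_ON = re.compile(r"\bverify_SSL\s*=>\s*(?!0\b|''|\"\"|undef\b)\S")
# SSL_verify_mode inside SSL_options; the value decides whether it counts.
MODE = re.compile(r"\bSSL_verify_mode\s*=>\s*(?P<val>[\w:]+)")


def classify(source: str) -> str:
    """Return 'fpos', 'good' or 'bug' for one Perl source text."""
    code = COMMENT.sub("", POD.sub("", source))
    calls = list(CALL.finditer(code))
    if not calls:
        return "fpos"  # mentioned HTTP::Tiny but did not use it
    for call in calls:
        args = call.group("args")
        mode = MODE.search(args)
        mode_on = bool(mode) and not (
            mode.group("val") == "0"
            or mode.group("val").endswith("SSL_VERIFY_NONE")
        )
        if not (VERIFY_ON.search(args) or mode_on):
            return "bug"  # at least one client object without verification
    return "good"


# Constructed Perl snippets, one per outcome (not taken from any listed package).
SAMPLES = {
    "good_flag": "use HTTP::Tiny;\nmy $ua = HTTP::Tiny->new(verify_SSL => 1);\n",
    "good_mode": "my $ua = HTTP::Tiny->new(\n"
                 "  SSL_options => { SSL_verify_mode => SSL_VERIFY_PEER },\n);\n",
    "bug_default": 'my $res = HTTP::Tiny->new->get("https://example.org/");\n',
    "bug_off": 'my $ua = HTTP::Tiny->new(agent => "x", verify_SSL => 0);\n',
    "fpos_doc": "# similar to HTTP::Tiny->new, but unrelated\n"
                "=head1 SEE ALSO\n\nL<HTTP::Tiny>\n\n=cut\nsub fetch { ... }\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{classify(text):5} {name}")
```

A value passed through a variable (for example `verify_SSL => $opt`) is counted as 'good' here, so such hits still need a manual look.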

