Dear Release Team
I just uploaded libio-socket-ssl-perl 1.35-1 to unstable fixing Bug
#606058 (http://bugs.debian.org/606058) (Severity normal, tagged
security). The change made by upstream is that if the verify_mode is
not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid,
then IO::Socket::SSL will not fall back to VERIFY_NONE but at least
throw an error to inform the user. The reasoning from upstream is:
> I've changed it for version 1.35 like given in the
> no-defaults-cacert.patch, e.g.
>
> - the default verify_mode stays verify_none
> - if the user wants a different verify_mode SSL.pm should not ignore
> the user's request if it will not work or set some undocumented
> defaults, but throw an error
> - the default for SSL_ca_file and SSL_ca_path will stay because
> they were documented for a long time.
>
>
> Actually, I'm not that happy with having these defaults for SSL_ca_*
> and SSL_verify_mode but would rather have the user to explicitly
> specify mode and path - it's a security decision which should not have
> any defaults.
> But because it was forever like this I risk to break some application
> due to this, so I rather do it later after finding a strategy of not
> breaking too much.
If you would agree on it, should I prepare an upload too for t-p-u for
it? The changes done by upstream are the following:
---(SSL.pm)-------------------------------------------------------------
@@ -78,7 +78,7 @@ BEGIN {
}) {
@ISA = qw(IO::Socket::INET);
}
- $VERSION = '1.34';
+ $VERSION = '1.35';
$GLOBAL_CONTEXT_ARGS = {};
#Make $DEBUG another name for $Net::SSLeay::trace
@@ -1366,12 +1366,7 @@ sub new {
if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
! Net::SSLeay::CTX_load_verify_locations(
$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
- if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
- carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
- $verify_mode = Net::SSLeay::VERIFY_NONE();
- } else {
- return IO::Socket::SSL->error("Invalid certificate authority locations");
- }
+ return IO::Socket::SSL->error("Invalid certificate authority locations");
}
if ($arg_hash->{'SSL_check_crl'}) {
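Review bot: with the inner branch removed, the case where neither SSL_ca_file nor SSL_ca_path is set now returns the same "Invalid certificate authority locations" error as a wrong path, so a caller cannot tell an unset option from a bad one. Consider a distinct message for the unset case that names SSL_ca_file and SSL_ca_path. The POD should also state that a verify_mode other than VERIFY_NONE no longer downgrades to VERIFY_NONE, because callers that relied on the old carp-and-continue path will now get an error from new() instead of an unverified connection.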
------------------------------------------------------------------------
See: http://search.cpan.org/diff?from=IO-Socket-SSL-1.34&to=IO-Socket-SSL-1.35
If you have time so far, could you give some advice?
Thanks a lot for your work towards releasing Squeeze!
Bests
Salvatore