--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi Release Team,
Please unblock package libio-socket-ssl-perl. Stefano Rivera reported in
#767692[1], that libio-socket-ssl-perl incrrectly uses the Public Suffix
List to restrict wildcard certificates. The same conclusion was done by
upstream which fixed the problem with [2].
[1] https://bugs.debian.org/767692
[2] https://github.com/noxxi/p5-io-socket-ssl/commit/1f9482771fd8d71083a2e388634b3787bd9fe147
Attached is the debdiff used for 2.002-2 uploaded yesterday to unstable.
Could you please unblock libio-socket-ssl-perl?
unblock libio-socket-ssl-perl/2.002-2
Regards,
Salvatore
diff -Nru libio-socket-ssl-perl-2.002/debian/changelog libio-socket-ssl-perl-2.002/debian/changelog
--- libio-socket-ssl-perl-2.002/debian/changelog 2014-10-22 09:03:25.000000000 +0200
+++ libio-socket-ssl-perl-2.002/debian/changelog 2014-11-01 23:43:45.000000000 +0100
@@ -1,3 +1,11 @@
+libio-socket-ssl-perl (2.002-2) unstable; urgency=medium
+
+ * Add 0001-use-only-ICANN-part-in-public-suffix-list.patch.
+ Fixes "Don't use public suffix list to restrict wildcard certificates."
+ Thanks to Stefano Rivera (Closes: #767692)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 01 Nov 2014 23:39:14 +0100
+
libio-socket-ssl-perl (2.002-1) unstable; urgency=low
* Imported upstream version 2.002
diff -Nru libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch
--- libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch 1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch 2014-11-01 23:43:45.000000000 +0100
@@ -0,0 +1,61 @@
+Description: use only ICANN part in public suffix list
+Origin: backport, https://github.com/noxxi/p5-io-socket-ssl/commit/1f9482771fd8d71083a2e388634b3787bd9fe147
+Bug-Debian: https://bugs.debian.org/767692
+Forwarded: not-needed
+Author: Steffen Ullrich <Steffen_Ullrich@genua.de>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-11-01
+
+---
+diff --git a/lib/IO/Socket/SSL/PublicSuffix.pm b/lib/IO/Socket/SSL/PublicSuffix.pm
+index 87c8b0b..a84aacd 100644
+--- a/lib/IO/Socket/SSL/PublicSuffix.pm
++++ b/lib/IO/Socket/SSL/PublicSuffix.pm
+@@ -293,10 +293,8 @@ sub public_suffix {
+ sub _default_data {
+ if ( ! defined $data ) {
+ $data = do { local $/; <DATA> };
+- # known exceptions of behavior of SSL certificates from PSL
+- $data .= "!googleapis.com\n";
+- $data .= "!s3.amazonaws.com\n"; # RT#99702
+-
++ $data =~s{^// ===END ICANN DOMAINS.*}{}ms
++ or die "cannot find END ICANN DOMAINS";
+ }
+ return $data;
+ }
+diff --git a/t/public_suffix_lib.pl b/t/public_suffix_lib.pl
+index 66bdfe4..a9dc4c8 100644
+--- a/t/public_suffix_lib.pl
++++ b/t/public_suffix_lib.pl
+@@ -30,7 +30,7 @@ sub run_with_lib {
+
+ require IO::Socket::SSL::PublicSuffix;
+
+- plan tests => 83;
++ plan tests => 79;
+
+
+ # all one-level, but co.uk two-level
+@@ -117,10 +117,14 @@ sub run_with_lib {
+ is public_suffix('example.com'), 'com';
+ is public_suffix('b.example.com'), 'com';
+ is public_suffix('a.b.example.com'), 'com';
+- is public_suffix('uk.com'), 'uk.com';
+- is public_suffix('example.uk.com'), 'uk.com';
+- is public_suffix('b.example.uk.com'), 'uk.com';
+- is public_suffix('a.b.example.uk.com'), 'uk.com';
++
++ # uk.com is not in the ICANN part of the list
++ if(0) {
++ is public_suffix('uk.com'), 'uk.com';
++ is public_suffix('example.uk.com'), 'uk.com';
++ is public_suffix('b.example.uk.com'), 'uk.com';
++ is public_suffix('a.b.example.uk.com'), 'uk.com';
++ }
+ is public_suffix('test.ac'), 'ac';
+
+ # TLD with only one (wildcard) rule:
+--
+2.1.1
+
diff -Nru libio-socket-ssl-perl-2.002/debian/patches/series libio-socket-ssl-perl-2.002/debian/patches/series
--- libio-socket-ssl-perl-2.002/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-2.002/debian/patches/series 2014-11-01 23:43:45.000000000 +0100
@@ -0,0 +1 @@
+0001-use-only-ICANN-part-in-public-suffix-list.patch
--- End Message ---