
Bug#767726: marked as done (unblock: libio-socket-ssl-perl/2.002-2)



Your message dated Sun, 02 Nov 2014 09:20:05 +0100
with message-id <5455E935.1080106@thykier.net>
and subject line Re: Bug#767726: unblock: libio-socket-ssl-perl/2.002-2
has caused the Debian Bug report #767726,
regarding unblock: libio-socket-ssl-perl/2.002-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
767726: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767726
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package libio-socket-ssl-perl. Stefano Rivera reported in
#767692[1] that libio-socket-ssl-perl incorrectly uses the Public Suffix
List to restrict wildcard certificates. The same conclusion was reached by
upstream, which fixed the problem with [2].

 [1] https://bugs.debian.org/767692
 [2] https://github.com/noxxi/p5-io-socket-ssl/commit/1f9482771fd8d71083a2e388634b3787bd9fe147

Attached is the debdiff used for 2.002-2 uploaded yesterday to unstable.
Could you please unblock libio-socket-ssl-perl?

unblock libio-socket-ssl-perl/2.002-2

Regards,
Salvatore
diff -Nru libio-socket-ssl-perl-2.002/debian/changelog libio-socket-ssl-perl-2.002/debian/changelog
--- libio-socket-ssl-perl-2.002/debian/changelog	2014-10-22 09:03:25.000000000 +0200
+++ libio-socket-ssl-perl-2.002/debian/changelog	2014-11-01 23:43:45.000000000 +0100
@@ -1,3 +1,11 @@
+libio-socket-ssl-perl (2.002-2) unstable; urgency=medium
+
+  * Add 0001-use-only-ICANN-part-in-public-suffix-list.patch.
+    Fixes "Don't use public suffix list to restrict wildcard certificates."
+    Thanks to Stefano Rivera (Closes: #767692)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 01 Nov 2014 23:39:14 +0100
+
 libio-socket-ssl-perl (2.002-1) unstable; urgency=low
 
   * Imported upstream version 2.002
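Review bot: the summary line in the new 2.002-2 entry, "Don't use public suffix list to restrict wildcard certificates", does not match what the patch named on the line above it does. The public suffix list is still consulted, only cut down to its ICANN section. Since the changelog is what gets read when judging the unblock, wording such as "Use only the ICANN section of the public suffix list when checking wildcard certificates" would be more accurate, and it is worth stating that the hard-coded googleapis.com and s3.amazonaws.com exceptions are dropped with it.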
diff -Nru libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch
--- libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch	1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch	2014-11-01 23:43:45.000000000 +0100
@@ -0,0 +1,61 @@
+Description: use only ICANN part in public suffix list
+Origin: backport, https://github.com/noxxi/p5-io-socket-ssl/commit/1f9482771fd8d71083a2e388634b3787bd9fe147
+Bug-Debian: https://bugs.debian.org/767692
+Forwarded: not-needed
+Author: Steffen Ullrich <Steffen_Ullrich@genua.de>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-11-01
+
+---
+diff --git a/lib/IO/Socket/SSL/PublicSuffix.pm b/lib/IO/Socket/SSL/PublicSuffix.pm
+index 87c8b0b..a84aacd 100644
+--- a/lib/IO/Socket/SSL/PublicSuffix.pm
++++ b/lib/IO/Socket/SSL/PublicSuffix.pm
+@@ -293,10 +293,8 @@ sub public_suffix {
+     sub _default_data {
+ 	if ( ! defined $data ) {
+ 	    $data = do { local $/; <DATA> };
+-	    # known exceptions of behavior of SSL certificates from PSL
+-	    $data .= "!googleapis.com\n";
+-	    $data .= "!s3.amazonaws.com\n"; # RT#99702
+-
++	    $data =~s{^// ===END ICANN DOMAINS.*}{}ms
++		or die "cannot find END ICANN DOMAINS";
+ 	}
+ 	return $data;
+     }
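Review bot: in `_default_data`, the two removed exception rules (`!googleapis.com` and `!s3.amazonaws.com`, the latter tied to RT#99702) are only safe to drop if every rule that made them necessary sits below the `// ===END ICANN DOMAINS` marker, and nothing visible in this patch tests that. Please add assertions to t/public_suffix_lib.pl for names under those two domains, so that a later refresh of the embedded list cannot silently bring the RT#99702 behaviour back. The `or die` is the right choice, since a missing marker then fails loudly instead of falling back to the full list. A one-line comment above the substitution saying why the non-ICANN part is cut would replace the explanation the deleted comment carried.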
+diff --git a/t/public_suffix_lib.pl b/t/public_suffix_lib.pl
+index 66bdfe4..a9dc4c8 100644
+--- a/t/public_suffix_lib.pl
++++ b/t/public_suffix_lib.pl
+@@ -30,7 +30,7 @@ sub run_with_lib {
+ 
+     require IO::Socket::SSL::PublicSuffix;
+ 
+-    plan tests => 83;
++    plan tests => 79;
+ 
+ 
+     # all one-level, but co.uk two-level
+@@ -117,10 +117,14 @@ sub run_with_lib {
+     is public_suffix('example.com'), 'com';
+     is public_suffix('b.example.com'), 'com';
+     is public_suffix('a.b.example.com'), 'com';
+-    is public_suffix('uk.com'), 'uk.com';
+-    is public_suffix('example.uk.com'), 'uk.com';
+-    is public_suffix('b.example.uk.com'), 'uk.com';
+-    is public_suffix('a.b.example.uk.com'), 'uk.com';
++
++    # uk.com is not in the ICANN part of the list
++    if(0) {
++	is public_suffix('uk.com'), 'uk.com';
++	is public_suffix('example.uk.com'), 'uk.com';
++	is public_suffix('b.example.uk.com'), 'uk.com';
++	is public_suffix('a.b.example.uk.com'), 'uk.com';
++    }
+     is public_suffix('test.ac'), 'ac';
+ 
+     # TLD with only one (wildcard) rule:
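Review bot: wrapping the four `uk.com` assertions in `if(0) { ... }` leaves dead code in the test and nothing that checks the new behaviour for these names. Delete the block and assert what `public_suffix` is now expected to return instead (presumably `com` for `example.uk.com`, by analogy with the `example.com` lines just above, but that should be confirmed against the module). The regression this patch fixes would then stay covered, and the `plan tests => 79` count from the previous hunk would need adjusting to match.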
+-- 
+2.1.1
+
diff -Nru libio-socket-ssl-perl-2.002/debian/patches/series libio-socket-ssl-perl-2.002/debian/patches/series
--- libio-socket-ssl-perl-2.002/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libio-socket-ssl-perl-2.002/debian/patches/series	2014-11-01 23:43:45.000000000 +0100
@@ -0,0 +1 @@
+0001-use-only-ICANN-part-in-public-suffix-list.patch

--- End Message ---
--- Begin Message ---
On 2014-11-02 07:56, Salvatore Bonaccorso wrote:
>[...]
> 
> Hi Release Team,
> 
> [...]
> Could you please unblock libio-socket-ssl-perl?
> 
> unblock libio-socket-ssl-perl/2.002-2
> 
> Regards,
> Salvatore
> 

Unblocked and aged, thanks.

~Niels

--- End Message ---
