
Bug#771219: marked as done (unblock: ruby-httpclient/2.3.3-3.1)



Your message dated Thu, 27 Nov 2014 19:25:21 +0100
with message-id <54776C91.5010800@thykier.net>
and subject line Re: Bug#771219: unblock: ruby-httpclient/2.3.3-3.1
has caused the Debian Bug report #771219,
regarding unblock: ruby-httpclient/2.3.3-3.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
771219: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771219
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-httpclient

ruby-httpclient currently in Jessie FTBFS due to failing tests because
of a deprecated default SSL configuration (#768673).
The bug is fixed with 2.3.3-3.1 uploaded in unstable earlier today,
thanks to Tomasz Buchert, who imported some fixes from upstream for a
sane default configuration.

Please find in attachment the debdiff between the two versions.

Thanks in advance.

Best wishes,

Cédric


unblock ruby-httpclient/2.3.3-3.1

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby-httpclient-2.3.3/debian/changelog ruby-httpclient-2.3.3/debian/changelog
--- ruby-httpclient-2.3.3/debian/changelog	2014-06-27 03:03:36.000000000 +0200
+++ ruby-httpclient-2.3.3/debian/changelog	2014-11-27 11:33:03.000000000 +0100
@@ -1,3 +1,12 @@
+ruby-httpclient (2.3.3-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix default SSL configuration (Closes: #768673)
+      The patch 0003-fix-ssl-config.patch extracted from upstream code is
+      added to set the default SSL configuration to auto instead of SSLv3.
+
+ -- Tomasz Buchert <tomasz.buchert@inria.fr>  Wed, 26 Nov 2014 18:59:26 +0100
+
 ruby-httpclient (2.3.3-3) unstable; urgency=medium
 
   * fix-port-allocation-in-tests.patch: fix port allocation for servers
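Review bot: the changelog bullet "Fix default SSL configuration" understates the change. Besides moving @ssl_version from "SSLv3" to :auto, the patch ORs OP_NO_SSLv3 and OP_NO_COMPRESSION into the default @options and clears OP_DONT_INSERT_EMPTY_FRAGMENTS, so code that never touched ssl_config.ssl_version but still talks to SSLv3-only peers will start failing after the upgrade. One more line such as "SSLv2, SSLv3 and TLS compression are now refused by default" would let anyone reading the jessie changelog see the behavioural change rather than just the bug number.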
diff -Nru ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch
--- ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch	2014-11-27 11:16:13.000000000 +0100
@@ -0,0 +1,64 @@
+Description: Change default SSL configuration
+ The POODLE attack (https://en.wikipedia.org/wiki/POODLE) deprecated the use
+ of SSLv3 protocol. We change the default configuration to autodetection
+ and try to explicitly disable SSLv2 and SSLv3, preferring TLS protocol suites
+ instead.
+ This patch is a minimal adaptation of a commit in the project's upstream:
+ https://github.com/nahi/httpclient/commit/90d5c791c941c72521784dc4ea8eed60987800da
+
+--- a/lib/httpclient/ssl_config.rb
++++ b/lib/httpclient/ssl_config.rb
+@@ -34,7 +34,13 @@
+   class SSLConfig
+     include OpenSSL if SSLEnabled
+ 
+-    # String name of OpenSSL's SSL version method name: SSLv2, SSLv23 or SSLv3
++    # Which TLS protocol version (also called method) will be used. Defaults
++    # to :auto which means that OpenSSL decides (In my tests this resulted 
++    # with always the highest available protocol being used).
++    # String name of OpenSSL's SSL version method name: TLSv1_2, TLSv1_1, TLSv1,
++    # SSLv2, SSLv23, SSLv3 or :auto (and nil) to allow version negotiation (default).
++    # See {OpenSSL::SSL::SSLContext::METHODS} for a list of available versions
++    # in your specific Ruby environment.
+     attr_reader :ssl_version
+     # OpenSSL::X509::Certificate:: certificate for SSL client authenticateion.
+     # nil by default. (no client authenticateion)
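Review bot: the replacement doc comment still advertises SSLv2, SSLv23 and SSLv3 as accepted values for ssl_version while the defaults set a few lines below refuse SSLv2 and SSLv3 via OP_NO_SSLv2 / OP_NO_SSLv3; a user who sets ssl_version = "SSLv3" without also changing options will get a handshake failure, and the comment should say so. The sentence "In my tests this resulted with always the highest available protocol being used" is upstream commit commentary rather than API documentation and reads awkwardly; suggest "OpenSSL negotiates the highest version both sides support". The unchanged context lines keep the typo "authenticateion" twice; since the file is already being patched, a one-line typo fix could ride along.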
+@@ -83,8 +89,13 @@
+       @verify_callback = nil
+       @dest = nil
+       @timeout = nil
+-      @ssl_version = "SSLv3"
+-      @options = defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil
++      @ssl_version = :auto
++      # Follow ruby-ossl's definition
++      @options = OpenSSL::SSL::OP_ALL
++      @options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
++      @options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
++      @options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
++      @options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+       # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
+       @ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+       @cacerts_loaded = false
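Review bot: the removed line guarded OpenSSL's absence (`defined?(SSL::OP_ALL) ? ... : nil`), but the new `@options = OpenSSL::SSL::OP_ALL` is unconditional, so on a Ruby without the openssl extension, the case the `include OpenSSL if SSLEnabled` guard earlier in the class is there for, SSLConfig#initialize now raises NameError instead of leaving @options nil. Either keep a `defined?` guard on that first assignment or wrap the whole options block in `if SSLEnabled`. The four per-constant `defined?` guards that follow are fine and match the upstream commit.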
+@@ -283,7 +294,7 @@
+       ctx.timeout = @timeout
+       ctx.options = @options
+       ctx.ciphers = @ciphers
+-      ctx.ssl_version = @ssl_version
++      ctx.ssl_version = @ssl_version unless @ssl_version == :auto
+     end
+ 
+     # post connection check proc for ruby < 1.8.5.
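Review bot: `ctx.ssl_version = @ssl_version unless @ssl_version == :auto` only skips the symbol :auto, yet the doc comment added earlier in this patch says ":auto (and nil)" both mean version negotiation; with @ssl_version = nil this line still executes `ctx.ssl_version = nil`, which ruby-openssl raises on rather than treating as "negotiate". Either make the guard `unless @ssl_version.nil? || @ssl_version == :auto` or drop "(and nil)" from the comment so the two agree.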
+--- a/test/test_ssl.rb
++++ b/test/test_ssl.rb
+@@ -33,7 +33,10 @@
+     assert_equal(OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT, cfg.verify_mode)
+     assert_nil(cfg.verify_callback)
+     assert_nil(cfg.timeout)
+-    assert_equal(OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2, cfg.options)
++    expected_options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
++    expected_options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
++    expected_options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
++    assert_equal(expected_options, cfg.options)
+     assert_equal("ALL:!aNULL:!eNULL:!SSLv2", cfg.ciphers)
+     assert_instance_of(OpenSSL::X509::Store, cfg.cert_store)
+   end
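Review bot: the updated test pins the new option bits but never checks the other half of the change: add `assert_equal(:auto, cfg.ssl_version)` beside the options assertion so a regression back to "SSLv3" fails the suite, which is the default this bug is about. Also, expected_options is built with the same four statements as the implementation, so it passes by construction; a direct `assert_not_equal(0, cfg.options & OpenSSL::SSL::OP_NO_SSLv3)` (guarded with `defined?` like the others) states the security intent independently of how the mask was assembled.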
diff -Nru ruby-httpclient-2.3.3/debian/patches/series ruby-httpclient-2.3.3/debian/patches/series
--- ruby-httpclient-2.3.3/debian/patches/series	2014-06-27 00:41:13.000000000 +0200
+++ ruby-httpclient-2.3.3/debian/patches/series	2014-11-27 11:16:13.000000000 +0100
@@ -1,2 +1,3 @@
 0001-Remove-Hash-element-order-dependency.patch
 fix-port-allocation-in-tests.patch
+0003-fix-ssl-config.patch
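Review bot: style point on the series file: the new patch is named 0003-fix-ssl-config.patch although the second entry, fix-port-allocation-in-tests.patch, carries no number, so the 0003 prefix implies a numbering sequence that does not exist; either drop the prefix to match its neighbour or renumber consistently. The DEP-3 header in the new patch could also carry Origin: pointing at the upstream commit the Description already names, and Bug-Debian: https://bugs.debian.org/768673, so the provenance is machine-readable.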



--- End Message ---
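The following Ruby is an added example, not part of the bug report, the debdiff or httpclient's own code. It rebuilds the option mask the patch above installs as the new default, keeps the old 2.3.3 default beside it for comparison, decodes which protocols each mask refuses, and applies the hardened mask to a real OpenSSL::SSL::SSLContext so the SSLv3 refusal can be checked on the live context rather than inferred from the source. The module and method names (SslDefaults, legacy_options, hardened_options, refused_protocols, build_context, sslv3_disabled?) are this example's own; the `defined?` guards mirror the patch because older ruby-openssl builds lack some OP_* constants.

```ruby
# Added example (not httpclient's code): the default SSL options before and
# after the 0003-fix-ssl-config.patch change, with a live-context check.
require 'openssl'

module SslDefaults
  SSL = OpenSSL::SSL

  # Pre-patch default from ssl_config.rb 2.3.3: SSLv3 was pinned as the
  # method, and only the SSLv2 bit was set in the options.
  def self.legacy_options
    SSL::OP_ALL | SSL::OP_NO_SSLv2
  end

  # Post-patch default: ssl_version :auto (negotiate), the empty-fragment
  # workaround cleared, TLS compression refused, SSLv2 and SSLv3 refused.
  # Guards are kept because some ruby-openssl builds lack these constants.
  def self.hardened_options
    opts = SSL::OP_ALL
    opts &= ~SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
    opts |= SSL::OP_NO_COMPRESSION if defined?(SSL::OP_NO_COMPRESSION)
    opts |= SSL::OP_NO_SSLv2 if defined?(SSL::OP_NO_SSLv2)
    opts |= SSL::OP_NO_SSLv3 if defined?(SSL::OP_NO_SSLv3)
    opts
  end

  # Decode the OP_NO_* bits present in an option mask into the protocol
  # versions a context built from it will refuse. Constants that are
  # undefined, or defined as zero (a protocol OpenSSL no longer builds),
  # are skipped because they cannot be tested with a bit mask.
  def self.refused_protocols(opts)
    %i[OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_TLSv1 OP_NO_TLSv1_1 OP_NO_TLSv1_2].select do |name|
      SSL.const_defined?(name) && SSL.const_get(name) != 0 && (opts & SSL.const_get(name)) != 0
    end.map { |name| name.to_s.sub('OP_NO_', '').to_sym }
  end

  # Build a client context the way the patched set_context does: apply the
  # options, and only touch ssl_version when it is not :auto.
  def self.build_context(ssl_version: :auto, options: hardened_options)
    ctx = SSL::SSLContext.new
    ctx.options = options
    ctx.ssl_version = ssl_version unless ssl_version == :auto
    ctx
  end

  # The check a reviewer wants: does the live context carry the SSLv3
  # refusal bit after the options were applied?
  def self.sslv3_disabled?(ctx)
    return false unless defined?(SSL::OP_NO_SSLv3)
    (ctx.options & SSL::OP_NO_SSLv3) != 0
  end
end

if $PROGRAM_NAME == __FILE__
  puts "legacy default refuses:   #{SslDefaults.refused_protocols(SslDefaults.legacy_options).inspect}"
  puts "hardened default refuses: #{SslDefaults.refused_protocols(SslDefaults.hardened_options).inspect}"
  puts "live context refuses SSLv3: #{SslDefaults.sslv3_disabled?(SslDefaults.build_context)}"
end
```

On a current OpenSSL the legacy mask reports nothing refused, because OP_NO_SSLv2 is defined as zero there, which is exactly why the patch's guard on OP_NO_SSLv3 matters: it is the only bit that actually changes what the context accepts.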
--- Begin Message ---
On 2014-11-27 18:51, Cédric Boutillier wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package ruby-httpclient
> 
> ruby-httpclient currently in Jessie FTBFS due to failing tests because
> of a deprecated default SSL configuration (#768673).
> The bug is fixed with 2.3.3-3.1 uploaded in unstable earlier today,
> thanks to Tomasz Buchert, who imported some fixes from upstream for a
> sane default configuration.
> 
> Please find in attachment the debdiff between the two versions.
> 
> Thanks in advance.
> 
> Best wishes,
> 
> Cédric
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
