
Bug#780169: jessie-pu: package youtube-dl/2014.08.05-1jessie0.1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

youtube-dl 2014.08.05-1 requires SSLv3 in HTTPS requests, and doesn't use
protocol negotiation. See #780059. This, besides being bad and not very
future-proof, has caused complete incompatibility with Python 2.7.9,
which dropped the PROTOCOL_SSLv3 attribute from the ssl module.

This bug has been fixed by upstream in unstable. But at this point
in the freeze, I doubt you'd consider letting the latest upstream
version migrate to testing.

So, please consider this t-p-u upload:

diff -Nru youtube-dl-2014.08.05/debian/changelog youtube-dl-2014.08.05/debian/changelog
--- youtube-dl-2014.08.05/debian/changelog	2014-08-06 11:43:31.000000000 -0700
+++ youtube-dl-2014.08.05/debian/changelog	2015-03-09 17:15:30.000000000 -0700
@@ -1,3 +1,11 @@
+youtube-dl (2014.08.05-1jessie0.1) testing; urgency=medium
+
+  * Non-maintainer upload.
+  * Use SSL protocol negotiation, rather than requiring SSLv3 (which is no
+    longer supported in python 2.7.9). Closes: #780059.
+
+ -- Stefano Rivera <stefanor@debian.org>  Mon, 09 Mar 2015 17:14:45 -0700
+
 youtube-dl (2014.08.05-1) unstable; urgency=medium
 
   * Imported Upstream version 2014.08.05.
diff -Nru youtube-dl-2014.08.05/debian/patches/no-sslv3 youtube-dl-2014.08.05/debian/patches/no-sslv3
--- youtube-dl-2014.08.05/debian/patches/no-sslv3	1969-12-31 16:00:00.000000000 -0800
+++ youtube-dl-2014.08.05/debian/patches/no-sslv3	2015-03-09 17:09:54.000000000 -0700
@@ -0,0 +1,34 @@
+Description: Support Python 2.7.9, which removed PROTOCOL_SSLv3
+ In fact, don't try to force an SSL version at all. Debian OpenSSL doesn't
+ support insecure versions.
+ Upstream use Python's default SSL handshake since
+ https://github.com/rg3/youtube-dl/commit/0db261ba567cb5370455d67c4398e11e5e2119f8
+ And switches to TLSv1 in legacy paths in
+ https://github.com/rg3/youtube-dl/commit/d79323136fabc2cd72afc7c124e17797e32df514
+Author: Stefano Rivera <stefanor@debian.org>
+Bug-Debian: https://bugs.debian.org/780059
+Forwarded: not-needed
+Last-Update: 2015-03-08
+
+--- a/youtube_dl/utils.py
++++ b/youtube_dl/utils.py
+@@ -588,17 +588,14 @@
+                 if getattr(self, '_tunnel_host', False):
+                     self.sock = sock
+                     self._tunnel()
+-                try:
+-                    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
+-                except ssl.SSLError:
+-                    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
++                self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
+ 
+         class HTTPSHandlerV3(compat_urllib_request.HTTPSHandler):
+             def https_open(self, req):
+                 return self.do_open(HTTPSConnectionV3, req)
+         return HTTPSHandlerV3(**kwargs)
+     else:
+-        context = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
++        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+         context.verify_mode = (ssl.CERT_NONE
+                                if opts_no_check_certificate
+                                else ssl.CERT_REQUIRED)
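Review bot: In the `else` branch, `context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)` leaves the exclusion of SSLv2 and SSLv3 entirely to the OpenSSL build, which the patch description acknowledges ("Debian OpenSSL doesn't support insecure versions"). Adding `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` directly after that line would make the protocol floor explicit rather than a property of the installed library. The `ssl.wrap_socket(..., ssl_version=ssl.PROTOCOL_SSLv23)` call in the legacy path cannot take such options, and the description says upstream uses TLSv1 there, so the header should say in one line why this backport negotiates in that path instead. A smaller point: once SSLv3 is no longer forced, the `HTTPSConnectionV3` and `HTTPSHandlerV3` names no longer describe what the classes do.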
diff -Nru youtube-dl-2014.08.05/debian/patches/series youtube-dl-2014.08.05/debian/patches/series
--- youtube-dl-2014.08.05/debian/patches/series	1969-12-31 16:00:00.000000000 -0800
+++ youtube-dl-2014.08.05/debian/patches/series	2015-03-08 13:43:36.000000000 -0700
@@ -0,0 +1 @@
+no-sslv3
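
An added example, not part of the original mail or of youtube-dl: a small AST check that finds hard-coded `ssl.PROTOCOL_*` pins in Python source and reports whether each one would survive removal of the constant. The lines removed by the patch fall back on `ssl.SSLError`, but a missing module attribute raises `AttributeError`, so that fallback never runs. The function names and the sample text are constructed for illustration.

```python
import ast

# ssl.PROTOCOL_* constants that negotiate the version; any other one pins it.
NEGOTIATING = {"PROTOCOL_SSLv23", "PROTOCOL_TLS",
               "PROTOCOL_TLS_CLIENT", "PROTOCOL_TLS_SERVER"}

# Constructed sample, modelled on the lines the patch above removes.
SAMPLE = '''\
import ssl
def wrap(sock, key_file, cert_file):
    try:
        return ssl.wrap_socket(sock, key_file, cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
    except ssl.SSLError:
        return ssl.wrap_socket(sock, key_file, cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
def make_context():
    return ssl.SSLContext(ssl.PROTOCOL_SSLv3)
'''

def _catches_attribute_error(try_node):
    """True if a handler of this try would catch a missing-attribute lookup."""
    for handler in try_node.handlers:
        if handler.type is None:  # bare "except:"
            return True
        types = handler.type.elts if isinstance(handler.type, ast.Tuple) else [handler.type]
        if any(isinstance(t, ast.Name) and t.id in ("AttributeError", "Exception", "BaseException")
               for t in types):
            return True
    return False

def find_pinned_protocols(source):
    """Return sorted (line, constant, guarded) for every pinned ssl.PROTOCOL_* use."""
    findings = []
    def visit(node, guarded):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == "ssl" and node.attr.startswith("PROTOCOL_")
                and node.attr not in NEGOTIATING):
            findings.append((node.lineno, node.attr, guarded))
        if isinstance(node, ast.Try):
            # Only the try body is protected by the handlers of that try.
            inner = guarded or _catches_attribute_error(node)
            for child in node.body:
                visit(child, inner)
            for child in node.handlers + node.orelse + node.finalbody:
                visit(child, guarded)
        else:
            for child in ast.iter_child_nodes(node):
                visit(child, guarded)
    visit(ast.parse(source), False)  # parses only; the scanned code is never executed
    return sorted(findings)

if __name__ == "__main__":
    for line, name, guarded in find_pinned_protocols(SAMPLE):
        print("line %d: ssl.%s, survives removal of the constant: %s" % (line, name, guarded))
```

Both pins in the sample are reported as unguarded; source that only uses `ssl.PROTOCOL_SSLv23`, as the patched lines do, produces no findings.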

