Your message dated Fri, 02 Dec 2011 15:06:40 +0000
with message-id <e1rwuhe-0002sa...@franck.debian.org>
and subject line Bug#640883: fixed in libnet-ldap-perl 1:0.4300-2
has caused the Debian Bug report #640883,
regarding Fwd: regression: breaks $ldap->start_tls()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
640883: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640883
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libnet-ldap-perl
Version: 1:0.4300-1
Severity: important
Tags: patch
Hi,
libnet-ldap-perl 0.4300-1 has a regression:
It breaks calls to start_tls() completely and issues warnings on every
LDAPS connection.
The culprit is the addition of parameter
SSL_verifycn_scheme => "ldap"
to the SSL context in _SSL_context_init_args().
I see two alternative solutions to fix the issue:
A) revert this addition
This is done by the attached patch
B) Fix the issue by using the commit
https://github.com/marschap/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
from my perl-ldap github repo, which I already proposed to put upstream in
a pull request to G. Barr.
Comparison of the two alternatives:
Solution A) completely restores the situation of pre-0.43 releases,
but leaves a risk for MITM attacks by not checking the host names
in the certificates against the hostname an application connects to.
Solution B) mitigates this risk by doing the hostname verification,
but may break applications that rely on the insecure behaviour.
In addition to that: there's no guarantee that solution B) will be
incorporated upstream.
Nevertheless I personally prefer B) ;-)
Best
Peter
PS: I am not sure if the potential security aspects should increase the
severity even more.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libnet-ldap-perl depends on:
ii libconvert-asn1-perl 0.22-1 Perl module for encoding and decod
ii libwww-perl 6.02-1 simple and consistent interface to
ii perl [libmime-base64-perl] 5.12.4-4 Larry Wall's Practical Extraction
libnet-ldap-perl recommends no packages.
Versions of packages libnet-ldap-perl suggests:
ii libauthen-sasl-perl 2.1500-1 Authen::SASL - SASL Authentication
ii libio-socket-ssl-perl 1.44-1 Perl module implementing object or
ii liburi-perl 1.59-1 module to manipulate and access UR
ii libxml-parser-perl 2.41-1 Perl module for parsing XML files
ii libxml-sax-perl 0.96+dfsg-2 Perl module for using and building
ii perl [libdigest-md5-perl] 5.12.4-4 Larry Wall's Practical Extraction
-- no debconf information
diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
--- a/lib/Net/LDAP.pm
+++ b/lib/Net/LDAP.pm
@@ -230,7 +230,6 @@ sub _SSL_context_init_args {
SSL_verify_mode => $verify,
SSL_version => defined $arg->{'sslversion'} ? $arg->{'sslversion'} :
'sslv2/3',
- SSL_verifycn_scheme => "ldap",
);
}
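Review bot: removing the `SSL_verifycn_scheme => "ldap"` line leaves `SSL_verify_mode => $verify` in place but takes away the only argument in this hash that asks IO::Socket::SSL to compare the certificate's name with the host being connected to, so a caller requesting `verify => 'require'` gets chain validation without any hostname check, which is exactly the MITM exposure the report attributes to solution A. Prefer the reporter's solution B (the referenced upstream commit, which keeps hostname verification), or at minimum state in the patch header that this change disables hostname checking so the trade-off is visible to whoever applies it.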
--- End Message ---
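As an added illustration (not code from the bug report, the reporter, or the Debian package), the following Perl shows how an application should open LDAPS and STARTTLS connections so that a certificate failure, including the start_tls() regression described above, is fatal rather than silently ignored; it assumes Net::LDAP's documented `verify`, `cafile` and `scheme` options, and the host, CA file and credentials are placeholders.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of libnet-ldap-perl.
# Assumes the documented Net::LDAP options 'scheme', 'verify', 'cafile';
# hostname and CA file are placeholders.
use strict;
use warnings;
use Net::LDAP;

my $host   = 'ldap.example.org';                      # placeholder
my $cafile = '/etc/ssl/certs/ca-certificates.crt';   # placeholder

# Variant 1: LDAPS. verify => 'require' makes Net::LDAP pass
# SSL_verify_mode to IO::Socket::SSL, so an untrusted chain aborts the
# connect; new() then returns undef and leaves the reason in $@.
my $ldaps = Net::LDAP->new($host,
    scheme => 'ldaps',
    verify => 'require',
    cafile => $cafile,
) or die "LDAPS connect to $host failed: $@";

# Variant 2: plain LDAP upgraded with STARTTLS. start_tls() returns a
# Net::LDAP::Message; its code() is non-zero when the upgrade fails
# (which is what 0.4300-1 does on every call), so the result must be
# checked instead of assuming the session is now encrypted.
my $plain = Net::LDAP->new($host)
    or die "connect to $host failed: $@";
my $mesg = $plain->start_tls(verify => 'require', cafile => $cafile);
die "start_tls to $host failed: " . $mesg->error if $mesg->code;

# Whether the certificate's name is also compared with $host depends on
# the library handing IO::Socket::SSL a working SSL_verifycn_scheme
# (solution B); with the scheme removed (solution A) only the chain is
# validated, so a certificate issued for any trusted name is accepted.
$plain->unbind;
$ldaps->unbind;
```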
--- Begin Message ---
Source: libnet-ldap-perl
Source-Version: 1:0.4300-2
We believe that the bug you reported is fixed in the latest version of
libnet-ldap-perl, which is due to be installed in the Debian FTP archive:
libnet-ldap-perl_0.4300-2.debian.tar.gz
to main/libn/libnet-ldap-perl/libnet-ldap-perl_0.4300-2.debian.tar.gz
libnet-ldap-perl_0.4300-2.dsc
to main/libn/libnet-ldap-perl/libnet-ldap-perl_0.4300-2.dsc
libnet-ldap-perl_0.4300-2_all.deb
to main/libn/libnet-ldap-perl/libnet-ldap-perl_0.4300-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 640...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated libnet-ldap-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 02 Dec 2011 15:34:41 +0100
Source: libnet-ldap-perl
Binary: libnet-ldap-perl
Architecture: source all
Version: 1:0.4300-2
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Description:
libnet-ldap-perl - client interface to LDAP servers
Closes: 640883
Changes:
libnet-ldap-perl (1:0.4300-2) unstable; urgency=low
.
* Add patch 0001-un-break-certificate-verification.patch, taken from
upstream's "next" branch (commits a3c4f7f from Peter Marschall and
db0b090 from Graham Barr): un-break certificate verification.
(Closes: #640883)
--- End Message ---