Your message dated Tue, 13 May 2014 21:21:31 +0000
with message-id <e1wkk8h-0000ka...@franck.debian.org>
and subject line Bug#746579: fixed in liblwp-protocol-https-perl 6.04-3
has caused the Debian Bug report #746579,
regarding liblwp-protocol-https-perl: CVE-2014-3230: HTTPS_CA_DIR or
HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
746579: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libwww-perl
Version: 6.06-1
Tags: security
Usertags: serious
If LWP uses IO::Socket::SSL as SSL socket class (this is the default),
setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!)
server certificate verification:
$ export PERL_NET_HTTPS_SSL_SOCKET_CLASS=IO::Socket::SSL
$ GET https://www.berlios.de/
Can't connect to www.berlios.de:443
$ HTTPS_CA_DIR=/etc/ssl/certs/ GET https://www.berlios.de/ | grep '<!DOCTYPE'
<!DOCTYPE html>
This is counter-intuitive, and also the opposite of Net::SSL behavior,
which does certificate verification only if you set one of these
variables.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libwww-perl depends on:
ii ca-certificates 20140325
ii libencode-locale-perl 1.03-1
ii libfile-listing-perl 6.04-1
ii libhtml-parser-perl 3.71-1+b1
ii libhtml-tagset-perl 3.20-2
ii libhtml-tree-perl 5.03-1
ii libhttp-cookies-perl 6.00-2
ii libhttp-date-perl 6.02-1
ii libhttp-message-perl 6.06-1
ii libhttp-negotiate-perl 6.00-2
ii liblwp-mediatypes-perl 6.02-1
ii liblwp-protocol-https-perl 6.04-2
ii libnet-http-perl 6.06-1
ii liburi-perl 1.60-1
ii libwww-robotrules-perl 6.01-1
ii netbase 5.2
ii perl 5.18.2-2+b1
--
Jakub Wilk
--- End Message ---
--- Begin Message ---
Source: liblwp-protocol-https-perl
Source-Version: 6.04-3
We believe that the bug you reported is fixed in the latest version of
liblwp-protocol-https-perl, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 746...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated
liblwp-protocol-https-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 13 May 2014 22:45:39 +0200
Source: liblwp-protocol-https-perl
Binary: liblwp-protocol-https-perl
Architecture: source all
Version: 6.04-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
liblwp-protocol-https-perl - HTTPS driver for LWP::UserAgent
Closes: 746579
Changes:
liblwp-protocol-https-perl (6.04-3) unstable; urgency=medium
.
* Team upload.
.
[ gregor herrmann ]
* debian/control: remove Nicholas Bamber from Uploaders on request of
the MIA team.
* Strip trailing slash from metacpan URLs.
.
[ Salvatore Bonaccorso ]
* Refresh cert.patch for offset
* Add 746579-fix-peer-certificate-verification.patch patch.
Fixes "HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate
verification for IO::Socket::SSL". When the intention was to only
disable hostname verification, LWP::Protocol::HTTPS also disabled the
peer certificate verification completely. (CVE-2014-3230)
Thanks to Jakub Wilk and Steffen Ullrich (Closes: #746579)
* Update fix-https-proxy for fixed behaviour of LWP::Protocol::https
Checksums-Sha1:
454b1cfa58b971b400cc3db61586a2543b5a217c 2256 liblwp-protocol-https-perl_6.04-3.dsc
bac256c69981c68f2fb05ca75e0cb8ec4b84dffb 7320 liblwp-protocol-https-perl_6.04-3.debian.tar.xz
d828ebf12b7aa370dfe7db6014698c1105f10192 8274 liblwp-protocol-https-perl_6.04-3_all.deb
Checksums-Sha256:
9d9898b00bc092cff6ebb12c64edb50e964c4ce292b3ce8940dc2911ad2eba70 2256 liblwp-protocol-https-perl_6.04-3.dsc
d405b8836241be9e30b8bb91384c798d5d78b426352c5d8ec71a77ed507de363 7320 liblwp-protocol-https-perl_6.04-3.debian.tar.xz
40e5bdaee6a354b7103dbb26eaa9dc5fd518537e701b99866d34ea098540e01e 8274 liblwp-protocol-https-perl_6.04-3_all.deb
Files:
1e4e0d480936b3f31d2a73a70335ff6d 8274 perl optional liblwp-protocol-https-perl_6.04-3_all.deb
ff0ea6f73469c69fc92edca6fe4aaa5c 2256 perl optional liblwp-protocol-https-perl_6.04-3.dsc
6b4c3d272aae4de0f6d6ed5f2ec420dc 7320 perl optional liblwp-protocol-https-perl_6.04-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTcoUIAAoJEAVMuPMTQ89EyUwP/28ir378pXUDnsOZH5jdhkmd
13OsIo25E+78XznYkGP0ZYg23ZcPHIjyWhWjfoFS1Hgf/jvOMWpnebz2LuWYq9j2
dTcGSC60BP7JhBBXsYYtLucw3p0/yrZbTqoOviSOFSe0hIjceIs8vfjVl80LgSg3
atjDYEYC1eQD5Q/gWjqhcZRJjzp44YEYic/5aDBr5PkZuhllYBWbzOVkRziraJAU
6t86ldGFCRC0JPFcxaGK8BfHGHcybHoRD5//jveyX6uWXIRNzVFbG8+f+NI4/F4q
a/BSAUpwPjuMv9k5MK00F4orakXODlOzpm2La2XFbaQRuDVp4fG2lRZGaREMvSTB
QzINoozQRLQYp0Nv3p3YinnQJgWMZCOB1uVWKL3w/IGqUKvqEipoYWGOFquCifPQ
3fAZoTX0dxLvvkLWs0zRvIdPz28PpIdwV+AJfZKVKTK7XJtOXO3VcqvmHAz7M7KE
c5JGslSGbuNjNsb7TYTZ7rYgtityGTDwCRX0vNqO0kfDSuu/4YFrMa+EaVeWSSUB
luZq8BiR04vA2L8n9c7UhpMNLitNkFHZr2b/XK1PT3vfvugHT7xvhBHotLOekzZN
1hGa9AE708sApyIFHXoc/Yg8MsjGxmb8jLKh5kA720tS/3Gtkz3n5qBBmuLLSjKB
jwBpd6UKBKGDYz5YTv/L
=nI/z
-----END PGP SIGNATURE-----
--- End Message ---
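The behaviour in the bug report (an environment variable that is meant to enable chain verification instead switching it off) and the root cause in the changelog (the protocol layer turning "verify the chain but not the hostname" into "verify nothing") both come down to how two layers of SSL options are merged. The script below is an added example, not code from libwww-perl or LWP::Protocol::https: it is a simplified model of that merge, the function names ua_ssl_defaults, sock_opts_buggy and sock_opts_fixed are assumptions made for this illustration, and the HTTPS_CA_DIR value is constructed for the run. It runs offline and shows the effective SSL_verify_mode before and after the fix.

```perl
#!/usr/bin/perl
# Added example: a simplified model of the SSL option merge behind
# CVE-2014-3230. Not the modules' own code; names are assumptions.
use strict;
use warnings;

# Same numeric values IO::Socket::SSL uses for SSL_verify_mode.
use constant { SSL_VERIFY_NONE => 0, SSL_VERIFY_PEER => 1 };

# Layer 1 (user-agent level): honour the Crypt::SSLeay-era HTTPS_CA_*
# variables by asking for chain verification without hostname checks.
sub ua_ssl_defaults {
    my (%env) = @_;
    my %opts;
    if ($env{HTTPS_CA_FILE} || $env{HTTPS_CA_DIR}) {
        $opts{verify_hostname} = 0;                 # Crypt::SSLeay never checked names
        $opts{SSL_verify_mode} = SSL_VERIFY_PEER;   # ... but it did verify the chain
        $opts{SSL_ca_file} = $env{HTTPS_CA_FILE} if $env{HTTPS_CA_FILE};
        $opts{SSL_ca_path} = $env{HTTPS_CA_DIR}  if $env{HTTPS_CA_DIR};
    } else {
        $opts{verify_hostname} = 1;
    }
    return %opts;
}

# Layer 2, defective form: translate verify_hostname into socket options.
# When hostname verification is off it overwrites SSL_verify_mode with
# NONE, throwing away the chain check requested by layer 1.
sub sock_opts_buggy {
    my (%opts) = @_;
    if (delete $opts{verify_hostname}) {
        $opts{SSL_verify_mode} ||= SSL_VERIFY_PEER;
        $opts{SSL_verifycn_scheme} = 'www';
    } else {
        $opts{SSL_verify_mode} = SSL_VERIFY_NONE;   # the defect: unconditional
    }
    return %opts;
}

# Layer 2, corrected form: only fall back to NONE when the caller said
# nothing about SSL_verify_mode, so an explicit PEER request survives.
sub sock_opts_fixed {
    my (%opts) = @_;
    if (delete $opts{verify_hostname}) {
        $opts{SSL_verify_mode} ||= SSL_VERIFY_PEER;
        $opts{SSL_verifycn_scheme} = 'www';
    } else {
        $opts{SSL_verify_mode} = SSL_VERIFY_NONE
            unless exists $opts{SSL_verify_mode};
    }
    return %opts;
}

# Constructed environment: the administrator points LWP at the system
# CA directory, expecting the server chain to be checked against it.
my %env = (HTTPS_CA_DIR => '/etc/ssl/certs/');
my %ua  = ua_ssl_defaults(%env);

my %buggy = sock_opts_buggy(%ua);
my %fixed = sock_opts_fixed(%ua);

printf "buggy: SSL_verify_mode=%d (peer verification %s)\n",
    $buggy{SSL_verify_mode}, $buggy{SSL_verify_mode} ? 'ON' : 'OFF';
printf "fixed: SSL_verify_mode=%d (peer verification %s)\n",
    $fixed{SSL_verify_mode}, $fixed{SSL_verify_mode} ? 'ON' : 'OFF';

# Self-check of the model: the defect must show, and the fix must hold.
die "buggy merge did not reproduce the defect"
    unless $buggy{SSL_verify_mode} == SSL_VERIFY_NONE;
die "fixed merge lost peer verification"
    unless $fixed{SSL_verify_mode} == SSL_VERIFY_PEER;
```

Run it with `perl merge-model.pl`; the first line reports verification OFF and the second ON for the same input. The defensive takeaway for code that must work on either version is not to rely on either layer's defaults: pass `ssl_opts => { verify_hostname => 1, SSL_verify_mode => SSL_VERIFY_PEER, SSL_ca_path => '/etc/ssl/certs' }` to `LWP::UserAgent->new`, which in both merge variants above keeps SSL_verify_mode at PEER and enables hostname checking. Against a real installation, the bug report's own check remains the practical test: with HTTPS_CA_DIR set, a fetch from a host whose chain is not trusted must still fail.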