Your message dated Sat, 13 Jan 2024 19:48:30 +0100
with message-id <[email protected]>
and subject line Re: Bug#954051: libgitlab-api-v4-perl: Please verify server identity via SSL
has caused the Debian Bug report #954051,
regarding libgitlab-api-v4-perl: CVE-2023-31485
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
954051: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954051
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgitlab-api-v4-perl
Severity: important
Dear maintainer,
Your package uses the Perl module HTTP::Tiny but does not set the
verify_SSL attribute to a true value.
By default, that module does not validate the identity of server
certificates. The documentation states that "Server identity
verification is controversial and potentially tricky..." [1]
As late as 2015, upstream has been doubling up: "we're not going to be
responsible for the user's trust model" [2]
I believe, on the other hand, that the encryption of a transmission
has no value when talking to the wrong person. You can easily see the
useless and dangerous default by running the script at the end of this
message.
Will you please turn on the verify_SSL attribute in HTTP::Tiny?
Kind regards
Felix Lechner
[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68
* * *
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# Default HTTP::Tiny client: verify_SSL is off, so the self-signed
# certificate is accepted and the request "succeeds".
my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/');
die "Failed!\n"
    unless $response->{success};

print "$response->{status} $response->{reason}\n";
while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}
print $response->{content}
    if length $response->{content};
--- End Message ---
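The report above shows only the insecure default. The following script, added here as an illustration and not part of the bug report or of libgitlab-api-v4-perl, makes the same request twice: once with HTTP::Tiny's defaults and once with verify_SSL turned on, so the two outcomes can be compared directly. The test host is the one the report already uses; the CA bundle path is an assumption for a Debian-like system (HTTP::Tiny searches the usual system locations on its own if SSL_options is omitted), and IO::Socket::SSL must be installed for verification to work at all.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or libgitlab-api-v4-perl):
# the same request made with and without verify_SSL, so the effect of
# HTTP::Tiny's default is visible side by side.
use strict;
use warnings;
use HTTP::Tiny;

# Public test endpoint already used in the bug report; the CA bundle
# path is an assumed Debian-style location.
my $url     = 'https://self-signed.badssl.com/';
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';

# Build a client with the given constructor options, fetch $url, and
# summarise the result. Returns a hashref with the fields
# verified, success, status and detail.
sub probe {
    my (%opts) = @_;
    my $http = HTTP::Tiny->new(%opts);
    my $res  = $http->get($url);
    return {
        verified => $opts{verify_SSL} ? 1 : 0,
        success  => $res->{success}   ? 1 : 0,
        status   => $res->{status},
        # On a transport or TLS failure HTTP::Tiny reports status 599
        # and places the exception text in the response body.
        detail   => $res->{status} == 599 ? $res->{content} : $res->{reason},
    };
}

# Library default: the self-signed certificate is accepted silently.
my $insecure = probe();

# Hardened client: peer certificate must chain to a trusted CA and the
# host name must match; anything else is a 599 "Internal Exception".
my $secure = probe(
    verify_SSL  => 1,
    SSL_options => { SSL_ca_file => $ca_file },
);

for my $r ($insecure, $secure) {
    printf "verify_SSL=%d -> success=%d status=%s\n%s\n\n",
        $r->{verified}, $r->{success}, $r->{status}, $r->{detail};
}

# A client that trusts the wrong peer is the problem the report
# describes; the verified client must refuse this host.
die "expected verify_SSL to reject the self-signed certificate\n"
    if $secure->{success};
```

Running it against the badssl host prints a 200 for the default client and a 599 with an IO::Socket::SSL "certificate verify failed" message for the verified one. For a package that wraps HTTP::Tiny, the fix is simply to pass verify_SSL => 1 (and, if the API allows it, to let callers supply SSL_options for private CAs); a quick audit is to search the code for every HTTP::Tiny->new call and confirm each one sets the attribute.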
--- Begin Message ---
Version: 0.27-1
On Sun, 15 Mar 2020 19:43:16 -0700, Felix Lechner wrote:
> Your package uses the Perl module HTTP::Tiny but does not set the
> verify_SSL attribute to a true value.
Fixed in 0.27-1, sorry for missing it during the upload.
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-
--- End Message ---