Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
youtube-dl 2014.08.05-1 requires SSLv3 in https requests, and doesn't use protocol negotiation. See #780059. This, besides being bad, and not very future-proof has caused complete incompatibility with Python 2.7.9, which dropped the PROTOCOL_SSLv3 attribute from the ssl module. This bug has been fixed, by the upstream, in unstable. But at this point in the freeze, I doubt you'd consider letting the latest upstream version migrate to testing. So, please consider this t-p-u upload: diff -Nru youtube-dl-2014.08.05/debian/changelog youtube-dl-2014.08.05/debian/changelog --- youtube-dl-2014.08.05/debian/changelog 2014-08-06 11:43:31.000000000 -0700 +++ youtube-dl-2014.08.05/debian/changelog 2015-03-09 17:15:30.000000000 -0700 @@ -1,3 +1,11 @@ +youtube-dl (2014.08.05-1jessie0.1) testing; urgency=medium + + * Non-maintainer upload. + * Use SSL protocol negotiation, rather than requiring SSLv3 (which is no + longer supported in python 2.7.9). Closes: #780059. + + -- Stefano Rivera <stefa...@debian.org> Mon, 09 Mar 2015 17:14:45 -0700 + youtube-dl (2014.08.05-1) unstable; urgency=medium * Imported Upstream version 2014.08.05. diff -Nru youtube-dl-2014.08.05/debian/patches/no-sslv3 youtube-dl-2014.08.05/debian/patches/no-sslv3 --- youtube-dl-2014.08.05/debian/patches/no-sslv3 1969-12-31 16:00:00.000000000 -0800 +++ youtube-dl-2014.08.05/debian/patches/no-sslv3 2015-03-09 17:09:54.000000000 -0700 @@ -0,0 +1,34 @@ +Description: Support Python 2.7.9, which removed PROTOCOL_SSLv3 + In fact, don't try to force an SSL version at all. Debian OpenSSL doesn't + support insecure versions. + Upstream use Python's default SSL handshake since + https://github.com/rg3/youtube-dl/commit/0db261ba567cb5370455d67c4398e11e5e2119f8 + And switches to TLSv1 in legacy paths in + https://github.com/rg3/youtube-dl/commit/d79323136fabc2cd72afc7c124e17797e32df514 +Author: Stefano Rivera <stefa...@debian.org> +Bug-Debian: https://bugs.debian.org/780059 +Forwarded: not-needed +Last-Update: 2015-03-08 + +--- a/youtube_dl/utils.py ++++ b/youtube_dl/utils.py +@@ -588,17 +588,14 @@ + if getattr(self, '_tunnel_host', False): + self.sock = sock + self._tunnel() +- try: +- self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3) +- except ssl.SSLError: +- self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23) ++ self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23) + + class HTTPSHandlerV3(compat_urllib_request.HTTPSHandler): + def https_open(self, req): + return self.do_open(HTTPSConnectionV3, req) + return HTTPSHandlerV3(**kwargs) + else: +- context = ssl.SSLContext(ssl.PROTOCOL_SSLv3) ++ context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + context.verify_mode = (ssl.CERT_NONE + if opts_no_check_certificate + else ssl.CERT_REQUIRED) diff -Nru youtube-dl-2014.08.05/debian/patches/series youtube-dl-2014.08.05/debian/patches/series --- youtube-dl-2014.08.05/debian/patches/series 1969-12-31 16:00:00.000000000 -0800 +++ youtube-dl-2014.08.05/debian/patches/series 2015-03-08 13:43:36.000000000 -0700 @@ -0,0 +1 @@ +no-sslv3 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org