Your message dated Sat, 09 Dec 2017 10:47:53 +0000
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #883292,
regarding jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883292
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi SRM

I know the window for the upcoming point release is this weekend, so
this one might not make it in time. It was reported that the version
in jessie of libio-socket-ssl-perl might segfault when using malformed
client certificates, cf. #881711.

For jessie this issue is open, and the reporter confirmed that the
patch fixes the issue there, so I cherry-picked the change for jessie.

Attached is the resulting debdiff; would it be fine to include it in this (or
any further point release)?

Regards,
Salvatore
diff -Nru libio-socket-ssl-perl-2.002/debian/changelog 
libio-socket-ssl-perl-2.002/debian/changelog
--- libio-socket-ssl-perl-2.002/debian/changelog        2016-10-08 
17:26:51.000000000 +0200
+++ libio-socket-ssl-perl-2.002/debian/changelog        2017-12-01 
20:40:51.000000000 +0100
@@ -1,3 +1,9 @@
+libio-socket-ssl-perl (2.002-2+deb8u3) jessie; urgency=medium
+
+  * Fix segfault using malformed client certificates (Closes: #881711)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Fri, 01 Dec 2017 20:40:51 +0100
+
 libio-socket-ssl-perl (2.002-2+deb8u2) jessie; urgency=medium
 
   * Add 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch.
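Review bot: The new 2.002-2+deb8u3 entry does not name the patch file it introduces, whereas the 2.002-2+deb8u2 entry directly below it does ("Add 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch."). Suggest listing 0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch in the entry, so the changelog alone ties the fix for #881711 to a file under debian/patches.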
diff -Nru 
libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
 
libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
--- 
libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
  2017-12-01 20:40:51.000000000 +0100
@@ -0,0 +1,25 @@
+From: Steffen Ullrich <steffen_ullr...@genua.de>
+Date: Sun, 26 Oct 2014 18:23:15 +0100
+Subject: Propagate error if cert/key could not be used instead of continuing
+ with an invalid context which might cause a segmentation fault
+Origin: 
https://github.com/noxxi/p5-io-socket-ssl/commit/a09f29f423859565bc0384dcfbbc75811d9e4e4a
+Bug-Debian: https://bugs.debian.org/881711
+
+---
+
+diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
+index 13c6680..2330b45 100644
+--- a/lib/IO/Socket/SSL.pm
++++ b/lib/IO/Socket/SSL.pm
+@@ -489,7 +489,7 @@ sub configure_SSL {
+ 
+     # create context
+     # this will fill in defaults in $arg_hash
+-    $ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash);
++    $ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash) || return;
+ 
+     ${*$self}{'_SSL_arguments'} = $arg_hash;
+     ${*$self}{'_SSL_ctx'} = $ctx;
+-- 
+2.15.1
+
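Review bot: The `|| return` added on the `$ctx ||=` line in configure_SSL only removes the crash if every caller treats a false return from configure_SSL as a failure, and the hunk shows none of the callers; please confirm against the 2.002 source that no path keeps using the socket after this early return. The expression itself parses as intended, since `||` binds tighter than `||=`, so the `return` fires only when `$ctx` was unset and `SSL_Context->new` returned false, before `_SSL_arguments` and `_SSL_ctx` are stored. The patch adds no regression test; one that supplies an unusable cert/key and expects a clean error instead of a crash would guard against the invalid-context path coming back.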
diff -Nru libio-socket-ssl-perl-2.002/debian/patches/series 
libio-socket-ssl-perl-2.002/debian/patches/series
--- libio-socket-ssl-perl-2.002/debian/patches/series   2016-10-08 
17:26:51.000000000 +0200
+++ libio-socket-ssl-perl-2.002/debian/patches/series   2017-12-01 
20:40:51.000000000 +0100
@@ -1,3 +1,4 @@
 0001-use-only-ICANN-part-in-public-suffix-list.patch
 0001-make-PublicSuffix-_default_data-thread-safe-by-stori.patch
 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch
+0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch

--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam

--- End Message ---
