Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi Release Team,

Please unblock package libio-socket-ssl-perl.

Stefano Rivera reported in #767692[1] that libio-socket-ssl-perl incorrectly uses the Public Suffix List to restrict wildcard certificates. The same conclusion was reached by upstream, which fixed the problem with [2].

[1] https://bugs.debian.org/767692
[2] https://github.com/noxxi/p5-io-socket-ssl/commit/1f9482771fd8d71083a2e388634b3787bd9fe147

Attached is the debdiff used for 2.002-2 uploaded yesterday to unstable.

Could you please unblock libio-socket-ssl-perl?

unblock libio-socket-ssl-perl/2.002-2

Regards,
Salvatore
diff -Nru libio-socket-ssl-perl-2.002/debian/changelog libio-socket-ssl-perl-2.002/debian/changelog --- libio-socket-ssl-perl-2.002/debian/changelog 2014-10-22 09:03:25.000000000 +0200 +++ libio-socket-ssl-perl-2.002/debian/changelog 2014-11-01 23:43:45.000000000 +0100 @@ -1,3 +1,11 @@ +libio-socket-ssl-perl (2.002-2) unstable; urgency=medium + + * Add 0001-use-only-ICANN-part-in-public-suffix-list.patch. + Fixes "Don't use public suffix list to restrict wildcard certificates." + Thanks to Stefano Rivera (Closes: #767692) + + -- Salvatore Bonaccorso <[email protected]> Sat, 01 Nov 2014 23:39:14 +0100 + libio-socket-ssl-perl (2.002-1) unstable; urgency=low * Imported upstream version 2.002 diff -Nru libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch --- libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch 1970-01-01 01:00:00.000000000 +0100 +++ libio-socket-ssl-perl-2.002/debian/patches/0001-use-only-ICANN-part-in-public-suffix-list.patch 2014-11-01 23:43:45.000000000 +0100 
@@ -0,0 +1,61 @@ +Description: use only ICANN part in public suffix list +Origin: backport, https://github.com/noxxi/p5-io-socket-ssl/commit/1f9482771fd8d71083a2e388634b3787bd9fe147 +Bug-Debian: https://bugs.debian.org/767692 +Forwarded: not-needed +Author: Steffen Ullrich <[email protected]> +Reviewed-by: Salvatore Bonaccorso <[email protected]> +Last-Update: 2014-11-01 + +--- +diff --git a/lib/IO/Socket/SSL/PublicSuffix.pm b/lib/IO/Socket/SSL/PublicSuffix.pm +index 87c8b0b..a84aacd 100644 +--- a/lib/IO/Socket/SSL/PublicSuffix.pm ++++ b/lib/IO/Socket/SSL/PublicSuffix.pm +@@ -293,10 +293,8 @@ sub public_suffix { + sub _default_data { + if ( ! defined $data ) { + $data = do { local $/; <DATA> }; +- # known exceptions of behavior of SSL certificates from PSL +- $data .= "!googleapis.com\n"; +- $data .= "!s3.amazonaws.com\n"; # RT#99702 +- ++ $data =~s{^// ===END ICANN DOMAINS.*}{}ms ++ or die "cannot find END ICANN DOMAINS"; + } + return $data; + } +diff --git a/t/public_suffix_lib.pl b/t/public_suffix_lib.pl +index 66bdfe4..a9dc4c8 100644 +--- a/t/public_suffix_lib.pl ++++ b/t/public_suffix_lib.pl +@@ -30,7 +30,7 @@ sub run_with_lib { + + require IO::Socket::SSL::PublicSuffix; + +- plan tests => 83; ++ plan tests => 79; + + + # all one-level, but co.uk two-level +@@ -117,10 +117,14 @@ sub run_with_lib { + is public_suffix('example.com'), 'com'; + is public_suffix('b.example.com'), 'com'; + is public_suffix('a.b.example.com'), 'com'; +- is public_suffix('uk.com'), 'uk.com'; +- is public_suffix('example.uk.com'), 'uk.com'; +- is public_suffix('b.example.uk.com'), 'uk.com'; +- is public_suffix('a.b.example.uk.com'), 'uk.com'; ++ ++ # uk.com is not in the ICANN part of the list ++ if(0) { ++ is public_suffix('uk.com'), 'uk.com'; ++ is public_suffix('example.uk.com'), 'uk.com'; ++ is public_suffix('b.example.uk.com'), 'uk.com'; ++ is public_suffix('a.b.example.uk.com'), 'uk.com'; ++ } + is public_suffix('test.ac'), 'ac'; + + # TLD with only one (wildcard) rule: +-- 
+2.1.1 + diff -Nru libio-socket-ssl-perl-2.002/debian/patches/series libio-socket-ssl-perl-2.002/debian/patches/series --- libio-socket-ssl-perl-2.002/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libio-socket-ssl-perl-2.002/debian/patches/series 2014-11-01 23:43:45.000000000 +0100 @@ -0,0 +1 @@ +0001-use-only-ICANN-part-in-public-suffix-list.patch
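Review bot: in the `_default_data` hunk of lib/IO/Socket/SSL/PublicSuffix.pm, `$data =~s{^// ===END ICANN DOMAINS.*}{}ms or die "cannot find END ICANN DOMAINS";` only fires the first time `public_suffix` is called, so a bundled list whose marker comment has been renamed would not fail the build but would make every TLS hostname check in a running process die. Worth adding a test that loads the default data and asserts the ICANN-only result for a name from the private section, so the next list refresh is caught at build time. The same hunk drops the hand-added `!googleapis.com` and `!s3.amazonaws.com` exception lines; that is only correct if those entries sit entirely in the part now stripped, and the patch Description should say so rather than leaving the reader to infer it from the removed comment.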
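Review bot: in the t/public_suffix_lib.pl hunk, wrapping the four `uk.com` assertions in `if(0) { ... }` leaves dead code and, more to the point, no test now pins down the new behaviour for a name that only appears in the private section. Replace the block with positive assertions on the value the ICANN-only list yields (the comment `# uk.com is not in the ICANN part of the list` is the right explanation to keep above them), which would also let `plan tests => 83` stand instead of the drop to 79 in the earlier hunk. If the old assertions are to stay disabled, a `SKIP` or `TODO` block with the reason is the Test::More idiom, not `if(0)`.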
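To make the security-relevant point of the bug concrete, here is an added example, not code from IO::Socket::SSL or from the debdiff above: a small Python model of a Public Suffix List lookup and of the wildcard-certificate rule it feeds, run once against a full list and once against the ICANN section only. The PSL excerpt is constructed and abbreviated, the `icann_only` cut mirrors the regex in the patch, and the acceptance rule ("`*.rest` is only usable when `rest` lies below a public suffix") is the generic rule stated as an assumption, not a copy of the module's own matching code. The run shows why `*.s3.amazonaws.com` (the RT#99702 case the removed exception line worked around) and `*.uk.com` are refused with the private section present and accepted without it, while `*.com` stays refused either way.

```python
"""Added example (not IO::Socket::SSL code): PSL lookup and wildcard rule,
full list versus ICANN-only section. PSL data below is constructed."""
import re

# Constructed, abbreviated PSL in the real file's layout: an ICANN section,
# then a PRIVATE section of operator-submitted names such as uk.com.
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS===
com
ac
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
uk.com
s3.amazonaws.com
googleapis.com
// ===END PRIVATE DOMAINS===
"""


def icann_only(data: str) -> str:
    """Same cut the patch makes: drop everything from the END ICANN marker on."""
    stripped, count = re.subn(r"^// ===END ICANN DOMAINS.*", "", data,
                              flags=re.MULTILINE | re.DOTALL)
    if count == 0:
        raise ValueError("cannot find END ICANN DOMAINS")
    return stripped


def parse_rules(data: str):
    """PSL text -> list of (is_exception, labels); '//' lines are comments."""
    rules = []
    for line in data.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append((line.startswith("!"), line.lstrip("!").lower().split(".")))
    return rules


def _matches(rule_labels, labels) -> bool:
    # Rules match right to left; '*' stands for exactly one label.
    if len(rule_labels) > len(labels):
        return False
    return all(r in ("*", l) for r, l in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(domain: str, rules) -> str:
    """PSL algorithm: an exception rule wins, else the longest rule, else '*'."""
    labels = domain.lower().rstrip(".").split(".")
    matches = [r for r in rules if _matches(r[1], labels)]
    if not matches:
        is_exc, rule_labels = False, ["*"]
    else:
        exceptions = [r for r in matches if r[0]]
        is_exc, rule_labels = (exceptions[0] if exceptions
                               else max(matches, key=lambda r: len(r[1])))
    # An exception rule is applied with its leftmost label removed.
    n = len(rule_labels) - 1 if is_exc else len(rule_labels)
    return ".".join(labels[-n:]) if n else ""


def wildcard_allowed(pattern: str, rules) -> bool:
    """Assumed rule: '*.rest' is acceptable only when 'rest' has more labels
    than its public suffix, so '*.com' or '*.co.uk' can never be used."""
    if not pattern.startswith("*."):
        return False
    rest = pattern[2:]
    return len(rest.split(".")) > len(public_suffix(rest, rules).split("."))


def host_matches_wildcard(host: str, pattern: str, rules) -> bool:
    """Full check: pattern allowed and the '*' covers exactly one label."""
    if not wildcard_allowed(pattern, rules):
        return False
    head, sep, tail = host.lower().rstrip(".").partition(".")
    return bool(head) and sep == "." and tail == pattern[2:].lower()


FULL_RULES = parse_rules(PSL_EXCERPT)
ICANN_RULES = parse_rules(icann_only(PSL_EXCERPT))

if __name__ == "__main__":
    for pat in ("*.com", "*.example.com", "*.uk.com", "*.s3.amazonaws.com"):
        print(f"{pat:22} full list: {wildcard_allowed(pat, FULL_RULES)!s:6}"
              f" ICANN only: {wildcard_allowed(pat, ICANN_RULES)}")
```

Running the script prints one line per pattern; the only rows that differ between the two columns are the private-section names, which is exactly the set of certificates the unpatched module rejected and the patched one accepts.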

