Your message dated Thu, 27 Nov 2014 19:25:21 +0100
with message-id <[email protected]>
and subject line Re: Bug#771219: unblock: ruby-httpclient/2.3.3-3.1
has caused the Debian Bug report #771219,
regarding unblock: ruby-httpclient/2.3.3-3.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
771219: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771219
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package ruby-httpclient

ruby-httpclient currently in Jessie FTBFS due to failing tests because
of a deprecated default SSL configuration (#768673).
The bug is fixed with 2.3.3-3.1 uploaded in unstable earlier today,
thanks to Tomasz Buchert, who imported some fixes from upstream for a
sane default configuration.

Please find in attachment the debdiff between the two versions.

Thanks in advance.

Best wishes,

Cédric


unblock ruby-httpclient/2.3.3-3.1

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby-httpclient-2.3.3/debian/changelog 
ruby-httpclient-2.3.3/debian/changelog
--- ruby-httpclient-2.3.3/debian/changelog      2014-06-27 03:03:36.000000000 
+0200
+++ ruby-httpclient-2.3.3/debian/changelog      2014-11-27 11:33:03.000000000 
+0100
@@ -1,3 +1,12 @@
+ruby-httpclient (2.3.3-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix default SSL configuration (Closes: #768673)
+      The patch 0003-fix-ssl-config.patch extracted from upstream code is
+      added to set the default SSL configuration to auto instead of SSLv3.
+
+ -- Tomasz Buchert <[email protected]>  Wed, 26 Nov 2014 18:59:26 +0100
+
 ruby-httpclient (2.3.3-3) unstable; urgency=medium
 
   * fix-port-allocation-in-tests.patch: fix port allocation for servers
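Review bot: the changelog entry understates the behaviour change. Besides switching the default from SSLv3 to :auto, the patch also ORs OP_NO_SSLv3 and OP_NO_COMPRESSION into the context options, so applications that relied on this library to reach SSLv3-only servers will stop connecting after the upgrade. Consider saying so explicitly in the entry (for example "disable SSLv2/SSLv3 and TLS compression by default; SSLv3-only servers are no longer reachable without opting in") and naming the POODLE motivation and the upstream commit the patch is taken from, since the changelog is what an administrator reading apt-listchanges will see.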
diff -Nru ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch 
ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch
--- ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch      
1970-01-01 01:00:00.000000000 +0100
+++ ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch      
2014-11-27 11:16:13.000000000 +0100
@@ -0,0 +1,64 @@
+Description: Change default SSL configuration
+ The POODLE attack (https://en.wikipedia.org/wiki/POODLE) deprecated the use
+ of SSLv3 protocol. We change the default configuration to autodetection
+ and try to explicitly disable SSLv2 and SSLv3, preferring TLS protocol suites
+ instead.
+ This patch is a minimal adaptation of a commit in the project's upstream:
+ 
https://github.com/nahi/httpclient/commit/90d5c791c941c72521784dc4ea8eed60987800da
+
+--- a/lib/httpclient/ssl_config.rb
++++ b/lib/httpclient/ssl_config.rb
+@@ -34,7 +34,13 @@
+   class SSLConfig
+     include OpenSSL if SSLEnabled
+ 
+-    # String name of OpenSSL's SSL version method name: SSLv2, SSLv23 or SSLv3
++    # Which TLS protocol version (also called method) will be used. Defaults
++    # to :auto which means that OpenSSL decides (In my tests this resulted 
++    # with always the highest available protocol being used).
++    # String name of OpenSSL's SSL version method name: TLSv1_2, TLSv1_1, 
TLSv1,
++    # SSLv2, SSLv23, SSLv3 or :auto (and nil) to allow version negotiation 
(default).
++    # See {OpenSSL::SSL::SSLContext::METHODS} for a list of available versions
++    # in your specific Ruby environment.
+     attr_reader :ssl_version
+     # OpenSSL::X509::Certificate:: certificate for SSL client authenticateion.
+     # nil by default. (no client authenticateion)
+@@ -83,8 +89,13 @@
+       @verify_callback = nil
+       @dest = nil
+       @timeout = nil
+-      @ssl_version = "SSLv3"
+-      @options = defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil
++      @ssl_version = :auto
++      # Follow ruby-ossl's definition
++      @options = OpenSSL::SSL::OP_ALL
++      @options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if 
defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
++      @options |= OpenSSL::SSL::OP_NO_COMPRESSION if 
defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
++      @options |= OpenSSL::SSL::OP_NO_SSLv2 if 
defined?(OpenSSL::SSL::OP_NO_SSLv2)
++      @options |= OpenSSL::SSL::OP_NO_SSLv3 if 
defined?(OpenSSL::SSL::OP_NO_SSLv3)
+       # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
+       @ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+       @cacerts_loaded = false
+@@ -283,7 +294,7 @@
+       ctx.timeout = @timeout
+       ctx.options = @options
+       ctx.ciphers = @ciphers
+-      ctx.ssl_version = @ssl_version
++      ctx.ssl_version = @ssl_version unless @ssl_version == :auto
+     end
+ 
+     # post connection check proc for ruby < 1.8.5.
+--- a/test/test_ssl.rb
++++ b/test/test_ssl.rb
+@@ -33,7 +33,10 @@
+     assert_equal(OpenSSL::SSL::VERIFY_PEER | 
OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT, cfg.verify_mode)
+     assert_nil(cfg.verify_callback)
+     assert_nil(cfg.timeout)
+-    assert_equal(OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2, 
cfg.options)
++    expected_options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2 | 
OpenSSL::SSL::OP_NO_SSLv3
++    expected_options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if 
defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
++    expected_options |= OpenSSL::SSL::OP_NO_COMPRESSION if 
defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
++    assert_equal(expected_options, cfg.options)
+     assert_equal("ALL:!aNULL:!eNULL:!SSLv2", cfg.ciphers)
+     assert_instance_of(OpenSSL::X509::Store, cfg.cert_store)
+   end
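Review bot: the new doc comment and the new guard disagree about nil. The comment added at the top of the hunk says "SSLv2, SSLv23, SSLv3 or :auto (and nil) to allow version negotiation (default)", but the assignment is only skipped for :auto (`ctx.ssl_version = @ssl_version unless @ssl_version == :auto`), so an explicit `ssl_version = nil` is still passed through to ctx.ssl_version=; either change the guard to `unless @ssl_version.nil? || @ssl_version == :auto` or drop "(and nil)" from the comment. Two smaller points in the same hunk: the old `defined?(SSL::OP_ALL) ? ... : nil` fallback is replaced by an unconditional `@options = OpenSSL::SSL::OP_ALL` while every following line keeps a `defined?` guard, and in test_ssl.rb `expected_options` includes OP_NO_SSLv3 unconditionally although ssl_config.rb only sets it `if defined?(OpenSSL::SSL::OP_NO_SSLv3)`, so the test and the code will diverge on an OpenSSL binding that lacks that constant. The patch header would also benefit from DEP-3 `Origin:` and `Bug-Debian:` fields carrying the upstream commit URL and #768673 rather than the URL sitting in the free-text Description.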
diff -Nru ruby-httpclient-2.3.3/debian/patches/series 
ruby-httpclient-2.3.3/debian/patches/series
--- ruby-httpclient-2.3.3/debian/patches/series 2014-06-27 00:41:13.000000000 
+0200
+++ ruby-httpclient-2.3.3/debian/patches/series 2014-11-27 11:16:13.000000000 
+0100
@@ -1,2 +1,3 @@
 0001-Remove-Hash-element-order-dependency.patch
 fix-port-allocation-in-tests.patch
+0003-fix-ssl-config.patch



--- End Message ---
--- Begin Message ---
On 2014-11-27 18:51, Cédric Boutillier wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Please unblock package ruby-httpclient
> 
> ruby-httpclient currently in Jessie FTBFS due to failing tests because
> of a deprecated default SSL configuration (#768673).
> The bug is fixed with 2.3.3-3.1 uploaded in unstable earlier today,
> thanks to Tomasz Buchert, who imported some fixes from upstream for a
> sane default configuration.
> 
> Please find in attachment the debdiff between the two versions.
> 
> Thanks in advance.
> 
> Best wishes,
> 
> Cédric
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---