Bug#1064058: Bug#1050336: Bug#1064058: libxml-stream-perl: TLS/SSL broken with IO-Socket-SSL >= 2.078 when hostname verification is enabled
On Sun, 18 Feb 2024 01:41:20 +0100, gregor herrmann via pkg-perl-maintainers wrote:

> If yes, I'm happy to
> - do some BTS manipulation
> - more relevant: get this fix into bookworm for the next point
>   release.

Fixed package uploaded to bookworm right now, and unblock request filed:
#1065376

Cheers,
gregor

--
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-
Bug#1050336: Bug#1064058: libxml-stream-perl: TLS/SSL broken with IO-Socket-SSL >= 2.078 when hostname verification is enabled
Control: reassign 1032868 libxml-stream-perl 1.24-4
Control: reassign 1050336 libxml-stream-perl 1.24-4
Control: fixed 1032868 1.24-5
Control: fixed 1050336 1.24-5
Control: tag 986971 bookworm sid trixie upstream
Control: tag 1032868 bookworm sid trixie upstream
Control: tag 1050336 bookworm sid trixie upstream

On Mon, 19 Feb 2024 20:48:26 +0100, Manfred Stock wrote:

> > I remember looking at #1050336 in libnet-xmpp-perl and having the
> > suspicion that the problem is actually in libxml-stream-perl, but
> > never managed to nail it down.
> It actually took me a while, too ;).

Heh :)

> I think I ended up in XML-Stream
> because of the debug output, especially the binary part that was printed
> in the output of a read operation. A few detours later, I found the
> IO-Socket-SSL release where it stopped working and remembered that
> start_SSL() was called in XML::Stream and that an example in the
> documentation somewhere passed a hostname, which wasn't done in
> XML::Stream.

And that was the nice finding.

> > I've uploaded libxml-stream-perl 1.24-5 to unstable right now.
> Thanks! I quickly tested this package and can confirm that it works for
> me.

Great, thanks.

> > I'd like to invite the submitters of the other bugs to test if their
> > problems are fixed with libxml-stream-perl 1.24-5.
> >
> > If yes, I'm happy to
> > - do some BTS manipulation
> > - more relevant: get this fix into bookworm for the next point
> >   release.
>
> This would be great, thanks!

In #986971 Martin has already confirmed that libxml-stream-perl/1.24-5
fixes his issue, and the bug has been reassigned.

I'm now reassigning the other 2 bugs and will merge them later.

Cheers,
gregor

--
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-
Bug#1050336: Bug#1064058: libxml-stream-perl: TLS/SSL broken with IO-Socket-SSL >= 2.078 when hostname verification is enabled
On Fri, 16 Feb 2024 15:56:04 +0100, Manfred Stock wrote:

> after upgrading to Debian Bookworm, we noticed that the sendxmpp command
> line tool was not working anymore in our setup. During the investigation
> of this issue, I noticed that downgrading IO-Socket-SSL to the version
> in Bullseye made sendxmpp work again. I then started to try all versions
> of IO-Socket-SSL between the version in Bullseye and the one in Bookworm
> and found that it stopped working with version 2.078. Eventually, I came
> up with a pull request [1] containing a patch that fixed it for us -
> apparently, the way XML-Stream was using IO-Socket-SSL most likely
> always resulted in the hostname verification to be done against the IP
> address of the peer instead of an actual hostname, which was always
> considered to be successful in IO-Socket-SSL < 2.078, but not anymore in
> newer versions.

Oh wow -- thank you!

I remember looking at #1050336 in libnet-xmpp-perl and having the
suspicion that the problem is actually in libxml-stream-perl, but
never managed to nail it down.

> Since the upstream seems quite inactive, it might be worth considering
> to add this or a similar patch to the package in Debian, as I came
> across several other bug reports in the Debian BTS which might actually
> be caused by this issue, like #986971 [2], #1032868 [3] and maybe also
> #1050336 [4] - at least the error messages in the first two look very
> similar to what I saw.

I've uploaded libxml-stream-perl 1.24-5 to unstable right now.

I'd like to invite the submitters of the other bugs to test if their
problems are fixed with libxml-stream-perl 1.24-5.

If yes, I'm happy to
- do some BTS manipulation
- more relevant: get this fix into bookworm for the next point
  release.

Thanks again,
gregor

--
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-
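
Added example (not part of the thread, and not the patch from the pull request or the Debian upload): a sketch of passing the intended hostname to `start_SSL()`, so that certificate verification is done against that name instead of the peer's IP address. The helper names `tls_verify_args` and `upgrade_to_tls`, the `xmpp` verification scheme, the rejection of IP literals, and the sample names are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not code from XML::Stream or from the Debian patch.
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and $SSL_ERROR

# Build the verification arguments for start_SSL(). The name checked against
# the certificate is the host the caller asked for, never the peer address.
sub tls_verify_args {
    my ($hostname) = @_;
    die "no hostname given for certificate verification\n"
        unless defined $hostname && length $hostname;
    # Assumption of this example: an IP literal is treated as a caller error.
    die "'$hostname' is an IP address, not a hostname\n"
        if $hostname =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ || $hostname =~ /:/;
    return (
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_name   => $hostname,    # name matched against the cert
        SSL_verifycn_scheme => 'xmpp',       # XMPP name-matching rules
        SSL_hostname        => $hostname,    # name sent via SNI
    );
}

# Upgrade an already connected plain socket (hypothetical caller, e.g. after
# XMPP STARTTLS has been negotiated) to TLS with hostname verification.
sub upgrade_to_tls {
    my ($sock, $hostname) = @_;
    IO::Socket::SSL->start_SSL($sock, tls_verify_args($hostname))
        or die "TLS upgrade for $hostname failed: $SSL_ERROR\n";
    return $sock;
}

# Offline demonstration with constructed names; no connection is made.
for my $name ('xmpp.example.org', '192.0.2.10') {
    my %args = eval { tls_verify_args($name) };
    if ($@) { print "rejected: $@"; next }
    print "$name => verify against '$args{SSL_verifycn_name}'\n";
}
```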