Your message dated Sat, 07 Nov 2015 00:06:17 +0000 with message-id <[email protected]> and subject line Bug#803975: fixed in libcrypt-ssleay-perl 0.73.04-1 has caused the Debian Bug report #803975, regarding libcrypt-ssleay-perl: Uses SSLv3_client_method() to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 803975: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803975 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Source: libcrypt-ssleay-perl Version: 0.58-1 Severity: serious Hi, Your package has code in SSLeay.xs that does: if(ssl_version == 23) { ctx = SSL_CTX_new(SSLv23_client_method()); } else if(ssl_version == 3) { ctx = SSL_CTX_new(SSLv3_client_method()); } else { #ifndef OPENSSL_NO_SSL2 /* v2 is the default */ ctx = SSL_CTX_new(SSLv2_client_method()); #else /* v3 is the default */ ctx = SSL_CTX_new(SSLv3_client_method()); #endif } You really only ever want to use SSLv23_client_method() since that is the only one that supports multiple versions. I suggest you modify your nossl2.patch to just replace all of the above by: ctx = SSL_CTX_new(SSLv23_client_method()); ssl_version would then become an unused variable. Just like SSLv2 has already been removed, SSLv3 is now also removed because it's insecure. Kurt
--- End Message ---
--- Begin Message ---Source: libcrypt-ssleay-perl Source-Version: 0.73.04-1 We believe that the bug you reported is fixed in the latest version of libcrypt-ssleay-perl, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. gregor herrmann <[email protected]> (supplier of updated libcrypt-ssleay-perl package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 07 Nov 2015 00:53:32 +0100 Source: libcrypt-ssleay-perl Binary: libcrypt-ssleay-perl Architecture: source Version: 0.73.04-1 Distribution: unstable Urgency: medium Maintainer: Debian Perl Group <[email protected]> Changed-By: gregor herrmann <[email protected]> Closes: 803975 Description: libcrypt-ssleay-perl - OpenSSL support for LWP Changes: libcrypt-ssleay-perl (0.73.04-1) unstable; urgency=medium . * Team upload. . [ Harlan Lieberman-Berg ] * New upstream release. * Remove patch accepted upstream. * Rework d/copyright to conform with final spec. * Bump s-v to 3.9.5, compat to 9, d-h to >= 9.20120312 * Add dependency for libtry-tiny-perl * Add deprecation warning. * Update d/control, d/copyright with new dependencies and files. . [ Salvatore Bonaccorso ] * Change Vcs-Git to canonical URI (git://anonscm.debian.org) * Change search.cpan.org based URIs to metacpan.org based URIs . [ gregor herrmann ] * Strip trailing slash from metacpan URLs. . [ Axel Beckert ] * Fix Vcs-* headers (Thanks DUCK!) . [ Salvatore Bonaccorso ] * Update Vcs-Browser URL to cgit web frontend . [ gregor herrmann ] * Update years of upstream and packaging copyright. * Update upstream license. * Add versions to new build dependencies. * Add libdevel-checklib-perl to Build-Depends. * Add debian/upstream/metadata. * debian/watch: temporarily allow devel releases. . * Import upstream development version 0.73_04. Fixes "Uses SSLv3_client_method()". (Closes: #803975) * Add IO::Socket::IP to Recommends and Build-Depends. * Add (build) dependency on libbytes-random-secure-perl. * Mark package as autopkgtest-able. * Declare compliance with Debian Policy 3.9.6. Checksums-Sha1: 377d48759dbbb6c8357bc8c64bb2bcaffd92375f 2469 libcrypt-ssleay-perl_0.73.04-1.dsc 17722f5343e8474cb7098691b63ef5b27fbfe82d 129261 libcrypt-ssleay-perl_0.73.04.orig.tar.gz 31c1e837038f139eb4714c5fec79f758a07c2163 7568 libcrypt-ssleay-perl_0.73.04-1.debian.tar.xz Checksums-Sha256: 489583669b3113047eed64b2e894a93877a3987101a6b6ff2501278196a90ead 2469 libcrypt-ssleay-perl_0.73.04-1.dsc b7098d14d3db4a089eee765440b27c2838e204b61297c062c4feb50eb75aee10 129261 libcrypt-ssleay-perl_0.73.04.orig.tar.gz 16e24712a7f93b3ebd1af168ec3c113ad6a39f188a89c10c3d17bd7dec22e1d0 7568 libcrypt-ssleay-perl_0.73.04-1.debian.tar.xz Files: aa284c28d2f2bfc08c70dd812552e885 2469 perl optional libcrypt-ssleay-perl_0.73.04-1.dsc 7508b2a34da2202cc0c78deb59e36526 129261 perl optional libcrypt-ssleay-perl_0.73.04.orig.tar.gz 283327b3bc317a387848985b2eff6206 7568 perl optional libcrypt-ssleay-perl_0.73.04-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQJ8BAEBCgBmBQJWPT4AXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGQVgP/iGLdpW6bSJ7sCBWJjQklE/s DATUlV0aLTazFndeEfBWkO8F0KQvwNUbTjraOsNyiWwQPF4Wnlc7iMf+VIuPS9tE uWstQo84FWBjpDUOz/EXKIn284PwAGGMmMg6iK5odPsQdUWEW0A2RScGT1IDtkAd rgXFI/9sDWk5NuzNoAcNGWONFOkxNueAdqYsKNx3XJKUViwxVwLYa4lpVsaeTW/1 PyEQ1Pz+3mNZTrKF1c0Pm3z4CxASG7d4mAUu3vftD48nJknK9As6ekLSysEohEG1 ZT3nHRpg2G/PYt2glVmhD/+aAOlNgWh/ZTZtkHfFbo2ktb/ff6mzEQJ/eXiAPQAN stnMtmhVkQylyUUu4GzxsWkKGe70Vc6D4VjM7fZl+zDiKd6EZmosBwzVgAKW8o+L VBY7fzRzbJTUTOYwBk3tvQb2k9Uo2bWH5IuQeO9yUQtknOuuOpzVxjcnwzxLrn1T etqdGzgV6i/2PyH1qEQstkdiF37Ko/tU/rwIkZgZQp0of04L+SrEDgqlivhcrHTr zorDLtny3TTAKs0EzzGhsr3o3td8l1cLQjmyJE35oGGWTR1UnKOqltZpdbKzJyqR f4JchQLPRPIVKd52KZuttqBXHnEey1AbyLj04xhIuxypSG1hrlL3WyzlJro2co+v 7CqPsoK07U7jjxBL1/Gp =2rna -----END PGP SIGNATURE-----
--- End Message ---

