diff --git a/SOURCES/perl-ldap-0.56-Do-not-set-SSL_ciphers-to-ALL-by-default.patch b/SOURCES/perl-ldap-0.56-Do-not-set-SSL_ciphers-to-ALL-by-default.patch
new file mode 100644
index 0000000..9abdebd
--- /dev/null
+++ b/SOURCES/perl-ldap-0.56-Do-not-set-SSL_ciphers-to-ALL-by-default.patch
@@ -0,0 +1,60 @@
+From 9a0188335ea83a5e0078d21624e8bb134ef21687 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Thu, 24 Apr 2014 15:51:01 +0200
+Subject: [PATCH 1/2] Do not set SSL_ciphers to ALL by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+'ALL' cipher list is not the same as OpenSSL default. The 'ALL'
+contains more ciphers. Some of them are too weak, some of them
+prevents from using SSLv3 protocol. Then used SSLv2 protocol does not
+support elliptic curve parameter negotion which can cause
+interoperability issues when server picks a curve not supported by the
+client.
+
+IO-Socket-SSL-1.955 supports special value '' (empty string) to
+designed the OpenSSL default. However older IO-Socket-SSL recommends
+not to set the option at all.
+
+Thus this patch sets SSL_ciphers only if Net::LDAP application passes
+the ciphers option.
+
+Signed-off-by: Petr Písař
+---
+ lib/Net/LDAP.pm | 3 ++-
+ lib/Net/LDAP.pod | 4 ++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
+index 03eb23f..99d227a 100644
+--- a/lib/Net/LDAP.pm
++++ b/lib/Net/LDAP.pm
+@@ -243,7 +243,8 @@ sub _SSL_context_init_args {
+ }
+
+ (
+- SSL_cipher_list => defined $arg->{ciphers} ? $arg->{ciphers} : 'ALL',
++ defined $arg->{ciphers} ?
++ ( SSL_cipher_list => defined $arg->{ciphers}) : (),
+ SSL_ca_file => exists $arg->{cafile} ? $arg->{cafile} : '',
+ SSL_ca_path => exists $arg->{capath} ? $arg->{capath} : '',
+ SSL_key_file => $clientcert ? $clientkey : undef,
+diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod
+index 77a8400..c35508a 100644
+--- a/lib/Net/LDAP.pod
++++ b/lib/Net/LDAP.pod
+@@ -779,8 +779,8 @@ B<'tlsv1'>.
+
+ Specify which subset of cipher suites are permissible for this
+ connection, using the standard OpenSSL string format. The default
+-value is B<'ALL'>, which permits all ciphers, even those that don't
+-encrypt.
++behavior is to keep the decision on the underlying cryptographic
++library.
+
+ =item clientcert =E '/path/to/cert.pem'
+
+--
+1.9.3
+
diff --git a/SOURCES/perl-ldap-0.56-LDAP.pm-set-SSL_cipher_list-to-correct-value.patch b/SOURCES/perl-ldap-0.56-LDAP.pm-set-SSL_cipher_list-to-correct-value.patch
new file mode 100644
index 0000000..27b4198
--- /dev/null
+++ b/SOURCES/perl-ldap-0.56-LDAP.pm-set-SSL_cipher_list-to-correct-value.patch
@@ -0,0 +1,34 @@
+From ce1c5f1d136c637544a434323ddb5afc27b29449 Mon Sep 17 00:00:00 2001
+From: Peter Marschall
+Date: Tue, 17 Jun 2014 19:32:28 +0200
+Subject: [PATCH 2/2] LDAP.pm: set SSL_cipher_list to correct value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix commit 11fe2a9 which contains a superfluous defined and thus
+set SSL_cipher_list to true instead of the value of the ciphers arg.
+
+Thanks to THOMAS GUEVIN for reporting the bug.
+
+Signed-off-by: Petr Písař
+---
+ lib/Net/LDAP.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
+index 99d227a..2f873ad 100644
+--- a/lib/Net/LDAP.pm
++++ b/lib/Net/LDAP.pm
+@@ -244,7 +244,7 @@ sub _SSL_context_init_args {
+
+ (
+ defined $arg->{ciphers} ?
+- ( SSL_cipher_list => defined $arg->{ciphers}) : (),
++ ( SSL_cipher_list => $arg->{ciphers} ) : (),
+ SSL_ca_file => exists $arg->{cafile} ? $arg->{cafile} : '',
+ SSL_ca_path => exists $arg->{capath} ? $arg->{capath} : '',
+ SSL_key_file => $clientcert ? $clientkey : undef,
+--
+1.9.3
+
diff --git a/SOURCES/perl-ldap-0.56-RT-96203-LDAP.pm-use-correct-length-for-syswrite.patch b/SOURCES/perl-ldap-0.56-RT-96203-LDAP.pm-use-correct-length-for-syswrite.patch
new file mode 100644
index 0000000..1a4421b
--- /dev/null
+++ b/SOURCES/perl-ldap-0.56-RT-96203-LDAP.pm-use-correct-length-for-syswrite.patch
@@ -0,0 +1,40 @@
+From 93a1f2fd26cfef95c22530be07ca0e211f7e44d0 Mon Sep 17 00:00:00 2001
+From: Peter Marschall
+Date: Sat, 7 Jun 2014 15:38:36 +0200
+Subject: [PATCH] RT#96203: LDAP.pm: use correct length for syswrite
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use correct length of bytes to write with syswrite() instead of default 15000
+in _sendmesg().
+
+According to the bug reporter, it may cause error in case that the function
+WRITE was redefined (e.g. Authen-SASL RT#85294) and did not handle this case
+properly.
+
+It should not change anything in Net::LDAP but help other modules not covering
+all WRITE cases.
+
+Signed-off-by: Petr Písař
+---
+ lib/Net/LDAP.pm | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
+index 2f873ad..6505276 100644
+--- a/lib/Net/LDAP.pm
++++ b/lib/Net/LDAP.pm
+@@ -842,7 +842,8 @@ sub _sendmesg {
+ my $to_send = \( $mesg->pdu );
+ my $offset = 0;
+ while ($offset < length($$to_send)) {
+- my $n = syswrite($socket, substr($$to_send, $offset, 15000), 15000)
++ my $s = substr($$to_send, $offset, 15000);
++ my $n = syswrite($socket, $s, length($s))
+ or return _error($ldap, $mesg, LDAP_LOCAL_ERROR, "$!");
+ $offset += $n;
+ }
+--
+1.9.3
+
diff --git a/SPECS/perl-LDAP.spec b/SPECS/perl-LDAP.spec
index 0405e5d..183f70f 100644
--- a/SPECS/perl-LDAP.spec
+++ b/SPECS/perl-LDAP.spec
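Review bot: The new `syswrite($socket, $s, length($s))` in the nested _sendmesg hunk reads as an equivalent of the two-argument call, and nothing in the code records why the length is passed explicitly; the reason — overridden WRITE handlers such as the Authen::SASL case in RT#85294 that do not default the length — lives only in the commit message and is likely to be "cleaned up" later. Add a comment above the call, e.g. `# pass the length explicitly: some WRITE overrides (Authen::SASL, RT#85294) do not default it`. The 15000-byte chunk size is still a bare literal in the `substr` call; a named constant with a one-line comment would make the chunking intent visible. The body of _sendmesg continues outside the nested hunk.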
@@ -1,12 +1,21 @@
 Name: perl-LDAP
 Version: 0.56
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 Summary: LDAP Perl module
 Group: Development/Libraries
 License: GPL+ or Artistic
 URL: http://search.cpan.org/dist/perl-ldap/
 Source0: http://www.cpan.org/authors/id/M/MA/MARSCHAP/perl-ldap-%{version}.tar.gz
+# Do not set SSL ciphers at all by default, bug #1091316, CPAN RT#95001,
+# in upstream 0.63
+Patch0: perl-ldap-0.56-Do-not-set-SSL_ciphers-to-ALL-by-default.patch
+# Correct Do-not-set-SSL_ciphers-to-ALL-by-default patch, bug #1091316,
+# in upstream 0.64
+Patch1: perl-ldap-0.56-LDAP.pm-set-SSL_cipher_list-to-correct-value.patch
+# Pass actual length to syswrite() instead of default 1500 B, bug #1104243,
+# CPAN RT#96203, in upstream 0.64
+Patch2: perl-ldap-0.56-RT-96203-LDAP.pm-use-correct-length-for-syswrite.patch
 BuildArch: noarch
 BuildRequires: perl
 BuildRequires: perl(inc::Module::Install)
@@ -68,6 +77,9 @@ maintenance functions such as adding, deleting or modifying entries.
 %prep
 %setup -q -n perl-ldap-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
 chmod -c 644 bin/* contrib/* lib/Net/LDAP/DSML.pm
 perl -pi -e 's|^#!/usr/local/bin/perl\b|#!%{__perl}|' contrib/*
 # Remove bundled libraries
@@ -96,6 +108,10 @@ make test
 %{_mandir}/man3/*.3pm*
 %changelog
+* Wed Aug 06 2014 Petr Pisar - 1:0.56-3
+- Do not set SSL ciphers at all by default (bug #1091316)
+- Pass actual length to syswrite() instead of default 1500 B (bug #1104243)
+
 * Fri Dec 27 2013 Daniel Mach - 1:0.56-2
 - Mass rebuild 2013-12-27
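Review bot: The comment added above `Patch2:` in the first hunk says `instead of default 1500 B`, but the patch it introduces replaces a 15000-byte chunk (`substr($$to_send, $offset, 15000)`) and its own commit message says 15000; the same wrong figure is repeated in the new %changelog entry of the last hunk. Change both to `instead of default 15000 B` so the spec does not misdescribe the backported fix. The last hunk's trailing context may extend past the end of this excerpt.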