Broken dependencies: polymake
by Fedora Koji Build System
polymake has broken dependencies in the rawhide tree:
On x86_64:
polymake-2.13-22.git20141013.fc23.x86_64 requires perl(:MODULE_COMPAT_5.20.2)
polymake-2.13-22.git20141013.fc23.x86_64 requires perl = 4:5.20.2
polymake-2.13-22.git20141013.fc23.x86_64 requires libperl.so.5.20()(64bit)
On i386:
polymake-2.13-22.git20141013.fc23.i686 requires perl(:MODULE_COMPAT_5.20.2)
polymake-2.13-22.git20141013.fc23.i686 requires perl = 4:5.20.2
polymake-2.13-22.git20141013.fc23.i686 requires libperl.so.5.20
On armhfp:
polymake-2.13-22.git20141013.fc23.armv7hl requires perl(:MODULE_COMPAT_5.20.2)
polymake-2.13-22.git20141013.fc23.armv7hl requires perl = 4:5.20.2
polymake-2.13-22.git20141013.fc23.armv7hl requires libperl.so.5.20
Please resolve this as soon as possible.
8 years, 9 months
Broken dependencies: perl-Data-Dump-Streamer
by Fedora Koji Build System
perl-Data-Dump-Streamer has broken dependencies in the rawhide tree:
On x86_64:
perl-Data-Dump-Streamer-2.38-3.fc22.x86_64 requires perl(:MODULE_COMPAT_5.20.0)
perl-Data-Dump-Streamer-2.38-3.fc22.x86_64 requires libperl.so.5.20()(64bit)
On i386:
perl-Data-Dump-Streamer-2.38-3.fc22.i686 requires perl(:MODULE_COMPAT_5.20.0)
perl-Data-Dump-Streamer-2.38-3.fc22.i686 requires libperl.so.5.20
On armhfp:
perl-Data-Dump-Streamer-2.38-3.fc22.armv7hl requires perl(:MODULE_COMPAT_5.20.0)
perl-Data-Dump-Streamer-2.38-3.fc22.armv7hl requires libperl.so.5.20
Please resolve this as soon as possible.
8 years, 9 months
Broken dependencies: perl-Test-AutoBuild
by Fedora Koji Build System
perl-Test-AutoBuild has broken dependencies in the rawhide tree:
On x86_64:
perl-Test-AutoBuild-1.2.4-15.fc22.x86_64 requires perl(:MODULE_COMPAT_5.20.0)
On i386:
perl-Test-AutoBuild-1.2.4-15.fc22.i686 requires perl(:MODULE_COMPAT_5.20.0)
On armhfp:
perl-Test-AutoBuild-1.2.4-15.fc22.armv7hl requires perl(:MODULE_COMPAT_5.20.0)
Please resolve this as soon as possible.
8 years, 9 months
Broken dependencies: perl-Devel-BeginLift
by Fedora Koji Build System
perl-Devel-BeginLift has broken dependencies in the rawhide tree:
On x86_64:
perl-Devel-BeginLift-0.001003-9.fc22.x86_64 requires perl(:MODULE_COMPAT_5.20.0)
perl-Devel-BeginLift-0.001003-9.fc22.x86_64 requires libperl.so.5.20()(64bit)
On i386:
perl-Devel-BeginLift-0.001003-9.fc22.i686 requires perl(:MODULE_COMPAT_5.20.0)
perl-Devel-BeginLift-0.001003-9.fc22.i686 requires libperl.so.5.20
On armhfp:
perl-Devel-BeginLift-0.001003-9.fc22.armv7hl requires perl(:MODULE_COMPAT_5.20.0)
perl-Devel-BeginLift-0.001003-9.fc22.armv7hl requires libperl.so.5.20
Please resolve this as soon as possible.
8 years, 9 months
Broken dependencies: perl-B-Hooks-OP-Check-EntersubForCV
by Fedora Koji Build System
perl-B-Hooks-OP-Check-EntersubForCV has broken dependencies in the rawhide tree:
On x86_64:
perl-B-Hooks-OP-Check-EntersubForCV-0.09-10.fc22.x86_64 requires perl(:MODULE_COMPAT_5.20.0)
perl-B-Hooks-OP-Check-EntersubForCV-0.09-10.fc22.x86_64 requires libperl.so.5.20()(64bit)
On i386:
perl-B-Hooks-OP-Check-EntersubForCV-0.09-10.fc22.i686 requires perl(:MODULE_COMPAT_5.20.0)
perl-B-Hooks-OP-Check-EntersubForCV-0.09-10.fc22.i686 requires libperl.so.5.20
On armhfp:
perl-B-Hooks-OP-Check-EntersubForCV-0.09-10.fc22.armv7hl requires perl(:MODULE_COMPAT_5.20.0)
perl-B-Hooks-OP-Check-EntersubForCV-0.09-10.fc22.armv7hl requires libperl.so.5.20
Please resolve this as soon as possible.
8 years, 9 months
pghmcfc pushed to perl-IO-Socket-SSL (perl-IO-Socket-SSL-2.018-1.fc23). "Update to 2.018 (..more)"
by notifications@fedoraproject.org
From 6f9741cacda504506b9c6e27698cf2f56bfe4212 Mon Sep 17 00:00:00 2001
From: Paul Howarth <paul(a)city-fan.org>
Date: Tue, 1 Sep 2015 09:44:25 +0100
Subject: Update to 2.018
- New upstream release 2.018
  - Checks for readability of files/dirs for certificates and CA no longer use
    -r because this is not safe when ACLs are used (CPAN RT#106295)
  - New method sock_certificate similar to peer_certificate (CPAN RT#105733)
  - get_fingerprint can now take optional certificate as argument and compute
    the fingerprint of it; useful in connection with sock_certificate
  - Check for both EWOULDBLOCK and EAGAIN since these codes are different on
    some platforms (CPAN RT#106573)
  - Enforce default verification scheme if nothing was specified, i.e. no
    longer just warn but accept; if really no verification is wanted, a scheme
    of 'none' must be explicitly specified
  - Support different cipher suites per SNI hosts
  - startssl.t failed on darwin with old openssl since server requested client
    certificate but offered also anon ciphers (CPAN RT#106687)
- Update patches as needed
diff --git a/IO-Socket-SSL-2.016-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.016-use-system-default-SSL-version.patch
deleted file mode 100644
index 9cebdef..0000000
--- a/IO-Socket-SSL-2.016-use-system-default-SSL-version.patch
+++ /dev/null
@@ -1,36 +0,0 @@
---- lib/IO/Socket/SSL.pm
-+++ lib/IO/Socket/SSL.pm
-@@ -85,7 +85,7 @@ my $algo2digest = do {
- # global defaults
- my %DEFAULT_SSL_ARGS = (
- SSL_check_crl => 0,
-- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
-+ SSL_version => '',
- SSL_verify_callback => undef,
- SSL_verifycn_scheme => undef, # fallback cn verification
- SSL_verifycn_publicsuffix => undef, # fallback default list verification
-@@ -2133,7 +2133,7 @@ WARN
- $ssl_op |= &Net::SSLeay::OP_SINGLE_DH_USE;
- $ssl_op |= &Net::SSLeay::OP_SINGLE_ECDH_USE if $can_ecdh;
-
-- my $ver;
-+ my $ver = '';
- for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
- m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
- or croak("invalid SSL_version specified");
---- lib/IO/Socket/SSL.pod
-+++ lib/IO/Socket/SSL.pod
-@@ -932,11 +932,12 @@ protocol to the specified version.
- All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can
- also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires
- recent versions of Net::SSLeay and openssl.
-+The default SSL_version is defined by the underlying cryptographic library.
-
- Independent from the handshake format you can limit to set of accepted SSL
- versions by adding !version separated by ':'.
-
--The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
-+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
- handshake format is compatible to SSL2.0 and higher, but that the successful
- handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
- both of these versions have serious security issues and should not be used
diff --git a/IO-Socket-SSL-2.016-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.016-use-system-default-cipher-list.patch
deleted file mode 100644
index f6b94f2..0000000
--- a/IO-Socket-SSL-2.016-use-system-default-cipher-list.patch
+++ /dev/null
@@ -1,73 +0,0 @@
---- lib/IO/Socket/SSL.pm
-+++ lib/IO/Socket/SSL.pm
-@@ -92,9 +92,7 @@ my %DEFAULT_SSL_ARGS = (
- #SSL_verifycn_name => undef, # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults'
- SSL_npn_protocols => undef, # meaning depends whether on server or client side
- SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
-- SSL_cipher_list =>
-- 'EECDH+AESGCM+ECDSA EECDH+AESGCM EECDH+ECDSA +AES256 EECDH EDH+AESGCM '.
-- 'EDH ALL +SHA +3DES !RC4 !LOW !EXP !eNULL !aNULL !DES !MD5 !PSK !SRP',
-+ SSL_cipher_list => 'DEFAULT',
- );
-
- my %DEFAULT_SSL_CLIENT_ARGS = (
-@@ -104,42 +102,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
- SSL_ca_file => undef,
- SSL_ca_path => undef,
-
-- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
-- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
-- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
-- # Debian works around this by disabling TLSv1_2 on the client side
-- # Chrome and IE11 use TLSv1_2 but use only a few ciphers, so that packet
-- # stays small enough
-- # The following list is taken from IE11, except that we don't do RC4-MD5,
-- # RC4-SHA is already bad enough. Also, we have a different sort order
-- # compared to IE11, because we put ciphers supporting forward secrecy on top
--
-- SSL_cipher_list => join(" ",
-- qw(
-- ECDHE-ECDSA-AES128-GCM-SHA256
-- ECDHE-ECDSA-AES128-SHA256
-- ECDHE-ECDSA-AES256-GCM-SHA384
-- ECDHE-ECDSA-AES256-SHA384
-- ECDHE-ECDSA-AES128-SHA
-- ECDHE-ECDSA-AES256-SHA
-- ECDHE-RSA-AES128-SHA256
-- ECDHE-RSA-AES128-SHA
-- ECDHE-RSA-AES256-SHA
-- DHE-DSS-AES128-SHA256
-- DHE-DSS-AES128-SHA
-- DHE-DSS-AES256-SHA256
-- DHE-DSS-AES256-SHA
-- AES128-SHA256
-- AES128-SHA
-- AES256-SHA256
-- AES256-SHA
-- EDH-DSS-DES-CBC3-SHA
-- DES-CBC3-SHA
-- RC4-SHA
-- ),
-- # just to make sure, that we don't accidentely add bad ciphers above
-- "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP"
-- )
- );
-
- # set values inside _init to work with perlcc, RT#95452
---- lib/IO/Socket/SSL.pod
-+++ lib/IO/Socket/SSL.pod
-@@ -958,12 +958,8 @@ documentation (L<http://www.openssl.org/
- for more details.
-
- Unless you fail to contact your peer because of no shared ciphers it is
--recommended to leave this option at the default setting. The default setting
--prefers ciphers with forward secrecy, disables anonymous authentication and
--disables known insecure ciphers like MD5, DES etc. This gives a grade A result
--at the tests of SSL Labs.
--To use the less secure OpenSSL builtin default (whatever this is) set
--SSL_cipher_list to ''.
-+recommended to leave this option at the default setting, which honors the
-+system-wide DEFAULT cipher list.
-
- =item SSL_honor_cipher_order
-
diff --git a/IO-Socket-SSL-2.018-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.018-use-system-default-SSL-version.patch
new file mode 100644
index 0000000..e1b2784
--- /dev/null
+++ b/IO-Socket-SSL-2.018-use-system-default-SSL-version.patch
@@ -0,0 +1,36 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -85,7 +85,7 @@ my $algo2digest = do {
+ # global defaults
+ my %DEFAULT_SSL_ARGS = (
+ SSL_check_crl => 0,
+- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
++ SSL_version => '',
+ SSL_verify_callback => undef,
+ SSL_verifycn_scheme => undef, # fallback cn verification
+ SSL_verifycn_publicsuffix => undef, # fallback default list verification
+@@ -2135,7 +2135,7 @@ sub new {
+ $ssl_op |= &Net::SSLeay::OP_SINGLE_DH_USE;
+ $ssl_op |= &Net::SSLeay::OP_SINGLE_ECDH_USE if $can_ecdh;
+
+- my $ver;
++ my $ver = '';
+ for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
+ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
+ or croak("invalid SSL_version specified");
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -934,11 +934,12 @@ protocol to the specified version.
+ All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can
+ also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires
+ recent versions of Net::SSLeay and openssl.
++The default SSL_version is defined by the underlying cryptographic library.
+
+ Independent from the handshake format you can limit to set of accepted SSL
+ versions by adding !version separated by ':'.
+
+-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
++For example, 'SSLv23:!SSLv3:!SSLv2' means that the
+ handshake format is compatible to SSL2.0 and higher, but that the successful
+ handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
+ both of these versions have serious security issues and should not be used
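Review bot: With `SSL_version => ''` in %DEFAULT_SSL_ARGS the module no longer excludes SSLv2 and SSLv3 itself (the replaced default was 'SSLv23:!SSLv3:!SSLv2'), so the protocol floor depends entirely on how the underlying library is built and configured, and nothing in this patch states or checks that. Add a short description header to the patch file giving the rationale, and have the POD sentence "The default SSL_version is defined by the underlying cryptographic library" also say that SSL 2.0/3.0 are only disabled if that library disables them.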
diff --git a/IO-Socket-SSL-2.018-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.018-use-system-default-cipher-list.patch
new file mode 100644
index 0000000..8468bc9
--- /dev/null
+++ b/IO-Socket-SSL-2.018-use-system-default-cipher-list.patch
@@ -0,0 +1,73 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -92,9 +92,7 @@ my %DEFAULT_SSL_ARGS = (
+ #SSL_verifycn_name => undef, # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults'
+ SSL_npn_protocols => undef, # meaning depends whether on server or client side
+ SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
+- SSL_cipher_list =>
+- 'EECDH+AESGCM+ECDSA EECDH+AESGCM EECDH+ECDSA +AES256 EECDH EDH+AESGCM '.
+- 'EDH ALL +SHA +3DES !RC4 !LOW !EXP !eNULL !aNULL !DES !MD5 !PSK !SRP',
++ SSL_cipher_list => 'DEFAULT',
+ );
+
+ my %DEFAULT_SSL_CLIENT_ARGS = (
+@@ -104,42 +102,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
+ SSL_ca_file => undef,
+ SSL_ca_path => undef,
+
+- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
+- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
+- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
+- # Debian works around this by disabling TLSv1_2 on the client side
+- # Chrome and IE11 use TLSv1_2 but use only a few ciphers, so that packet
+- # stays small enough
+- # The following list is taken from IE11, except that we don't do RC4-MD5,
+- # RC4-SHA is already bad enough. Also, we have a different sort order
+- # compared to IE11, because we put ciphers supporting forward secrecy on top
+-
+- SSL_cipher_list => join(" ",
+- qw(
+- ECDHE-ECDSA-AES128-GCM-SHA256
+- ECDHE-ECDSA-AES128-SHA256
+- ECDHE-ECDSA-AES256-GCM-SHA384
+- ECDHE-ECDSA-AES256-SHA384
+- ECDHE-ECDSA-AES128-SHA
+- ECDHE-ECDSA-AES256-SHA
+- ECDHE-RSA-AES128-SHA256
+- ECDHE-RSA-AES128-SHA
+- ECDHE-RSA-AES256-SHA
+- DHE-DSS-AES128-SHA256
+- DHE-DSS-AES128-SHA
+- DHE-DSS-AES256-SHA256
+- DHE-DSS-AES256-SHA
+- AES128-SHA256
+- AES128-SHA
+- AES256-SHA256
+- AES256-SHA
+- EDH-DSS-DES-CBC3-SHA
+- DES-CBC3-SHA
+- RC4-SHA
+- ),
+- # just to make sure, that we don't accidentely add bad ciphers above
+- "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP"
+- )
+ );
+
+ # set values inside _init to work with perlcc, RT#95452
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -960,12 +960,8 @@ documentation (L<http://www.openssl.org/
+ for more details.
+
+ Unless you fail to contact your peer because of no shared ciphers it is
+-recommended to leave this option at the default setting. The default setting
+-prefers ciphers with forward secrecy, disables anonymous authentication and
+-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
+-at the tests of SSL Labs.
+-To use the less secure OpenSSL builtin default (whatever this is) set
+-SSL_cipher_list to ''.
++recommended to leave this option at the default setting, which honors the
++system-wide DEFAULT cipher list.
+
+ In case different cipher lists are needed for different SNI hosts a hash can be
+ given with the host as key and the cipher suite as value, similar to
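Review bot: Removing the client-side SSL_cipher_list from %DEFAULT_SSL_CLIENT_ARGS also removes the workaround described in the deleted comment for older F5 BIG-IP devices that hang on a client hello over 255 bytes; with 'DEFAULT' the hello size is whatever the system list produces, so this interoperability case should be confirmed or mentioned. The replacement POD text ("which honors the system-wide DEFAULT cipher list") should also say that forward-secrecy preference and the exclusion of anonymous, MD5 and DES suites are no longer guaranteed by the module, and that callers can still pass their own SSL_cipher_list.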
diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec
index 9892154..266a9a7 100644
--- a/perl-IO-Socket-SSL.spec
+++ b/perl-IO-Socket-SSL.spec
@@ -1,16 +1,19 @@
Name: perl-IO-Socket-SSL
-Version: 2.016
-Release: 3%{?dist}
+Version: 2.018
+Release: 1%{?dist}
Summary: Perl library for transparent SSL
Group: Development/Libraries
License: GPL+ or Artistic
URL: http://search.cpan.org/dist/IO-Socket-SSL/
Source0: http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-%{version...
-Patch0: IO-Socket-SSL-2.016-use-system-default-cipher-list.patch
-Patch1: IO-Socket-SSL-2.016-use-system-default-SSL-version.patch
+Patch0: IO-Socket-SSL-2.018-use-system-default-cipher-list.patch
+Patch1: IO-Socket-SSL-2.018-use-system-default-SSL-version.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
BuildArch: noarch
# Module Build
+BuildRequires: coreutils
+BuildRequires: findutils
+BuildRequires: make
BuildRequires: perl
BuildRequires: perl(ExtUtils::MakeMaker)
# Module Runtime
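Review bot: Patch0 and Patch1 are declared with no comment saying what each downstream patch changes or whether it has been offered upstream; because they replace the module's own cipher and protocol defaults, add a one-line comment above each entry. Source0 in the same hunk is an http:// URL, so the integrity of the tarball rests on the checksum in sources alone.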
@@ -112,6 +115,23 @@ rm -rf %{buildroot}
%{_mandir}/man3/IO::Socket::SSL::Utils.3*
%changelog
+* Mon Aug 31 2015 Paul Howarth <paul(a)city-fan.org> - 2.018-1
+- Update to 2.018
+ - Checks for readability of files/dirs for certificates and CA no longer use
+ -r because this is not safe when ACLs are used (CPAN RT#106295)
+ - New method sock_certificate similar to peer_certificate (CPAN RT#105733)
+ - get_fingerprint can now take optional certificate as argument and compute
+ the fingerprint of it; useful in connection with sock_certificate
+ - Check for both EWOULDBLOCK and EAGAIN since these codes are different on
+ some platforms (CPAN RT#106573)
+ - Enforce default verification scheme if nothing was specified, i.e. no
+ longer just warn but accept; if really no verification is wanted, a scheme
+ of 'none' must be explicitly specified
+ - Support different cipher suites per SNI hosts
+ - startssl.t failed on darwin with old openssl since server requested client
+ certificate but offered also anon ciphers (CPAN RT#106687)
+- Update patches as needed
+
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 2.016-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
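Review bot: "Update patches as needed" in the new %changelog entry does not record what changed in the two downstream patches. Comparing the deleted 2.016 patch files with the added 2.018 ones, the differences are hunk offsets (2133 to 2135, 932 to 934, 958 to 960) and trailing context, so the entry could say the patches were rebased with no functional change.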
diff --git a/sources b/sources
index c4c64f6..fefc0b8 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a71e9f0f76c7a15a11fef14ca8ef8aa8 IO-Socket-SSL-2.016.tar.gz
+817adc9e0cd6817998fd49dea3fe0349 IO-Socket-SSL-2.018.tar.gz
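Review bot: The replaced line in sources pins the 2.018 tarball by a 32-hex-digit (MD5-length) digest only, and Source0 in the spec is fetched over plain http://, so nothing in this change shows that the tarball was checked against an upstream-published checksum or signature. State in the commit message how the tarball was verified before it was uploaded.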
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/perl-IO-Socket-SSL.git/commit/?h=perl-...
8 years, 9 months
pghmcfc pushed to perl-IO-Socket-SSL (f23). "Update to 2.018 (..more)"
by notifications@fedoraproject.org
http://pkgs.fedoraproject.org/cgit/perl-IO-Socket-SSL.git/commit/?h=f23&i...
8 years, 9 months
[Bug 1258665] New: perl-ExtUtils-MakeMaker-7.06 is available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1258665
Bug ID: 1258665
Summary: perl-ExtUtils-MakeMaker-7.06 is available
Product: Fedora
Version: rawhide
Component: perl-ExtUtils-MakeMaker
Keywords: FutureFeature, Triaged
Assignee: ppisar(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: mmaslano(a)redhat.com,
perl-devel(a)lists.fedoraproject.org, ppisar(a)redhat.com
Latest upstream release: 7.06
Current version/release in rawhide: 7.04-346.fc23
URL: http://search.cpan.org/dist/ExtUtils-MakeMaker/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
--
You are receiving this mail because:
You are on the CC list for the bug.
8 years, 9 months