Bug 191351

Summary: perl-Net-SSLeay (1.26 and 1.30) and CVE-2005-0106
Product: Fedora
Component: perl-Net-SSLeay
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Jose Pedro Oliveira <jose.p.oliveira.oss>
Assignee: Jose Pedro Oliveira <jose.p.oliveira.oss>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: extras-qa
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0106
Doc Type: Bug Fix
Last Closed: 2006-12-17 17:58:55 UTC

Description Jose Pedro Oliveira 2006-05-11 02:10:00 UTC
Description of problem:

I believe versions 1.26 and 1.30 are still vulnerable:

  * version 1.26 is an unofficial release (doesn't exist in CPAN)
    - version 1.26 Fedora.us release date predates the advisory

    From the package changelog:
......
* Tue Oct 12 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:1.26-0.fdr.1
- Update to unofficial 1.26 from Peter Behroozi, adds get1_session(),
  enables session caching with IO::Socket::SSL (bug 1859, bug 1860).
- Bring outdated test14 up to date (bug 1859, test suite still not enabled).
......

  * version 1.30
    - no mention of the security alert in the changelog
    - no tickets (opened or closed) in 
      http://rt.cpan.org/Public/Dist/Display.html?Name=Net_SSLeay.pm 
    - patch from the Mandriva advisory applies cleanly

FE-5 and devel:
  - At the time I applied the patch to the devel branch (and it was
    also automatically copied to the FC-5 branch when it was created)

......
* Fri Jan 27 2006 Jose Pedro Oliveira <jpo at di.uminho.pt> - 1.30-2
- CVE-2005-0106: patch from Mandriva
  http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:023
......


Additional info:
* CVE-2005-0106
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0106

* Mandrake advisory (2006-01)
  http://www.mandriva.com/security/advisories?name=MDKSA-2006:023

* Ubuntu advisory (2005-05)
  http://www.ubuntu.com/usn/usn-113-1

* Net::SSLeay (CPAN)
  http://search.cpan.org/~flora/Net_SSLeay.pm-1.30/
  Changelog
  http://search.cpan.org/src/FLORA/Net_SSLeay.pm-1.30/Changes

Comment 1 Jose Pedro Oliveira 2006-05-11 19:27:59 UTC
Patch applied to the FC-3 and FC-4 branches:
  * new FC-3 release --> perl-Net-SSLeay-1.26-2.fc3
  * new FC-4 release --> perl-Net-SSLeay-1.26-3.fc4


Comment 2 Jose Pedro Oliveira 2006-07-10 20:08:19 UTC
Upstream query about version 1.30:

* RT ticket 19218: Security problem: CVE-2005-0106
  http://rt.cpan.org/Public/Bug/Display.html?id=19218