Bug 191351 - perl-Net-SSLeay (1.26 and 1.30) and CVE-2005-0106
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: perl-Net-SSLeay
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Jose Pedro Oliveira
QA Contact: Fedora Extras Quality Assurance
http://cve.mitre.org/cgi-bin/cvename....
Reported: 2006-05-10 22:10 EDT by Jose Pedro Oliveira
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-12-17 12:58:55 EST
Description Jose Pedro Oliveira 2006-05-10 22:10:00 EDT
Description of problem:

I believe versions 1.26 and 1.30 are still vulnerable:

  * version 1.26 is an unofficial release (doesn't exist in CPAN)
    - version 1.26 Fedora.us release date predates the advisory

    From the package changelog:
......
* Tue Oct 12 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:1.26-0.fdr.1
- Update to unofficial 1.26 from Peter Behroozi, adds get1_session(),
  enables session caching with IO::Socket::SSL (bug 1859, bug 1860).
- Bring outdated test14 up to date (bug 1859, test suite still not enabled).
......

  * version 1.30
    - no mention of the security alert in the changelog
    - no tickets (opened or closed) in 
      http://rt.cpan.org/Public/Dist/Display.html?Name=Net_SSLeay.pm 
    - patch from the Mandriva advisory applies cleanly

FE-5 and devel:
  - At the time I applied the patch to the devel branch (and it was
    also automatically copied to the FC-5 branch when it was created)

......
* Fri Jan 27 2006 Jose Pedro Oliveira <jpo at di.uminho.pt> - 1.30-2
- CVE-2005-0106: patch from Mandriva
  http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:023
......


Additional info:
* CVE-2005-0106
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0106

* Mandrake advisory (2006-01)
  http://www.mandriva.com/security/advisories?name=MDKSA-2006:023

* Ubuntu advisory (2005-05)
  http://www.ubuntu.com/usn/usn-113-1

* Net::SSLeay (CPAN)
  http://search.cpan.org/~flora/Net_SSLeay.pm-1.30/
  Changelog
  http://search.cpan.org/src/FLORA/Net_SSLeay.pm-1.30/Changes
Comment 1 Jose Pedro Oliveira 2006-05-11 15:27:59 EDT
Patch applied to the FC-3 and FC-4 branches:
  * new FC-3 release --> perl-Net-SSLeay-1.26-2.fc3
  * new FC-4 release --> perl-Net-SSLeay-1.26-3.fc4
Comment 2 Jose Pedro Oliveira 2006-07-10 16:08:19 EDT
Upstream query about version 1.30:

* RT ticket 19218: Security problem: CVE-2005-0106
  http://rt.cpan.org/Public/Bug/Display.html?id=19218
