Bug 191351 - perl-Net-SSLeay (1.26 and 1.30) and CVE-2005-0106
Product: Fedora
Classification: Fedora
Component: perl-Net-SSLeay
All Linux
medium Severity medium
Assigned To: Jose Pedro Oliveira
Fedora Extras Quality Assurance
Reported: 2006-05-10 22:10 EDT by Jose Pedro Oliveira
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-12-17 12:58:55 EST
Description Jose Pedro Oliveira 2006-05-10 22:10:00 EDT
Description of problem:

I believe versions 1.26 and 1.30 are still vulnerable:

  * version 1.26 is an unofficial release (doesn't exist in CPAN)
    - version 1.26 Fedora.us release date predates the advisory

    From the package changelog:
* Tue Oct 12 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:1.26-0.fdr.1
- Update to unofficial 1.26 from Peter Behroozi, adds get1_session(),
  enables session caching with IO::Socket::SSL (bug 1859, bug 1860).
- Bring outdated test14 up to date (bug 1859, test suite still not enabled).

  * version 1.30
    - no mention of the security alert in the changelog
    - no tickets (opened or closed) in 
    - patch from the Mandriva advisory applies cleanly

FE-5 and devel:
  - At the time I applied the patch to the devel branch (and it was
    also automatically copied to the FC-5 branch when it was created)

* Fri Jan 27 2006 Jose Pedro Oliveira <jpo at di.uminho.pt> - 1.30-2
- CVE-2005-0106: patch from Mandriva

Additional info:
* CVE-2005-0106

* Mandrake advisory (2006-01)

* Ubuntu advisory (2005-05)

* Net::SSLeay (CPAN)
Comment 1 Jose Pedro Oliveira 2006-05-11 15:27:59 EDT
Patch applied to the FC-3 and FC-4 branches:
  * new FC-3 release --> perl-Net-SSLeay-1.26-2.fc3
  * new FC-4 release --> perl-Net-SSLeay-1.26-3.fc4
Comment 2 Jose Pedro Oliveira 2006-07-10 16:08:19 EDT
Upstream query about version 1.30:

* RT ticket 19218: Security problem: CVE-2005-0106
