PaulHowarth/Blog/2013-11-11

Monday 11th November 2013

Fedora Project

  • Updated perl-IO-Socket-SSL to 1.958 in Rawhide:

  • Lots of behaviour changes for more secure defaults:
    • Behaviour change: make default cipher list more secure, especially:

      • No longer support MD5 by default (broken)
      • No longer support anonymous authentication by default (vulnerable to man-in-the-middle attacks)
      • Prefer ECDHE/DHE ciphers and add the necessary ECDH curve and DH keys, so that forward secrecy is used by default if the underlying Net::SSLeay/openssl supports it

      • Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should hopefully have been fixed and now RC4 is considered less safe than 3DES)
      • Default SSL_honor_cipher_order to 1, i.e. when used as a server it tries to get the best cipher even if the client prefers other ciphers; please note that this might break connections with older, less secure implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or similar

    • Behaviour change: SSL_cipher_list now gets set on context, not SSL object, and thus gets reused if context gets reused; please note that using SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on the ciphers of the context

    • Rework hostname verification schemes:
      • Add RFC names as scheme (e.g. 'rfc2818', ...)

      • Add SIP, SNMP, syslog, netconf, GIST
      • Behaviour change: fix SMTP - now accept wildcards in CN and subjectAltName

      • Behaviour change: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN

    • Behaviour change: anywhere wildcards like www* now match only 'www1', 'www2' etc. but not 'www'

    • Anywhere wildcards like x* are no longer applied to IDNA names (which start with 'xn--')

    • Fix crash of Utils::CERT_free

    • Support TLSv11, TLSv12 as handshake protocols
    • Fixed t/core.t: the test used a cipher_list of HIGH, which includes anonymous authentication; with the DH param given by default since 1.956, old versions of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (i.e. anonymous authentication) instead of AES256-SHA and thus the check for the peer certificate failed (because ADH does not exchange certificates) - fixed by explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)

    • Cleaned up tests:
      • Remove ssl_settings.req and 02settings.t, because all tests now create a simple socket at 127.0.0.1 and thus global settings are no longer needed

      • Some tests did not have use strict(!); fixed it

      • Removed special handling for older Net::SSLeay versions that are less than our minimum requirement

      • Some syntax enhancements: removed some SSL_version and SSL_cipher_list options where they were not really needed

    • Clean-up: remove workaround for old IO::Socket::INET6 but instead require at least version 2.55, which is now 5 years old

    • Fix t/session.t to work with older openssl versions (CPAN RT#90240)
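
The wildcard rules in the hostname verification items above ('www*' needs at least one extra character; 'x*' is not applied to 'xn--' names), shown as an added Perl example that is not IO::Socket::SSL's own code. The helper wildcard_match, the restriction to a single '*' in the leftmost label, the treatment of a bare '*' and the sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not IO::Socket::SSL code. Assumes names with at
# least two labels and at most one '*', in the leftmost label only.
sub wildcard_match {
    my ($pattern, $host) = @_;
    my ($p_label, $p_rest) = split /\./, lc($pattern), 2;
    my ($h_label, $h_rest) = split /\./, lc($host), 2;

    # Labels to the right of the leftmost one must match literally,
    # so a wildcard never spans a dot.
    return 0 unless defined $p_rest && defined $h_rest && $p_rest eq $h_rest;

    # No wildcard in the leftmost label: plain comparison.
    return $p_label eq $h_label ? 1 : 0 if index($p_label, '*') < 0;

    # Split the label around its single '*'; reject anything else.
    my ($prefix, $suffix) = $p_label =~ /\A([^*]*)\*([^*]*)\z/
        or return 0;

    # Partial-label wildcards such as 'x*' are not applied to IDNA labels.
    # Assumption: a bare '*' may still match an IDNA label.
    return 0 if "$prefix$suffix" ne '' && $h_label =~ /\Axn--/;

    # '+' demands at least one character, so 'www*' does not match 'www'.
    return $h_label =~ /\A\Q$prefix\E[a-z0-9_-]+\Q$suffix\E\z/ ? 1 : 0;
}

# Constructed sample names: [pattern, host, expected result].
my @cases = (
    ['www*.example.org', 'www1.example.org',          1],
    ['www*.example.org', 'www.example.org',           0],
    ['x*.example.org',   'x1.example.org',            1],
    ['x*.example.org',   'xn--bcher-kva.example.org', 0],
    ['*.example.org',    'mail.example.org',          1],
    ['*.example.org',    'a.b.example.org',           0],
);

for my $case (@cases) {
    my ($pattern, $host, $expected) = @$case;
    my $got = wildcard_match($pattern, $host);
    die "unexpected result for $pattern vs $host\n" if $got != $expected;
    printf "%-18s %-28s %s\n", $pattern, $host, $got ? 'match' : 'no match';
}
```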

Local Packages

  • Updated perl-Archive-Zip to 1.33:

    • Experimental Unicode in file/dir names
    • Add decryption support
    • Updated Perl dependency to 5.006 to reflect implicit dependencies in the code exposed by Perl::MinimumVersion xt test

    • Set compressed size and uncompressed size of an entry to 0 if either of them is 0 (CPAN RT#68446)

    • Added $VERSION to crc32

    • Unlink temporary files generated by tempFile (CPAN RT#89777)

    • Various minor bug fixes
    • Typo fixes (CPAN RT#59102, CPAN RT#86600)

  • Updated perl-IO-Socket-SSL to 1.958 as per the Fedora version

  • Updated perl-Path-FindDev to 0.4.2:

    • Minimum perl declared is now 5.8, and tested to work on 5.8; however, the version scheme is x.y.z still, which means if you want to depend on a specific version in Perl code, you'll need a recent enough version.pm to make it work

  • Updated perl-Text-CSV_XS to 1.02:

    • Add example for reading only a single column
    • Don't store NULL in _ERROR_INPUT (CPAN RT#86217)

    • Prevent double-decode in csv-check
    • Add decode_utf8 attribute (default is true)

  • Updated the python-twisted stack to 13.2.0 (see NEWS for details)

