[pkg-ntp-maintainers] Bug#851096: update-leap tries to fetch https:// using a module without HTTPS support
Bernhard Schmidt
berni at debian.org
Fri Mar 31 21:58:51 UTC 2017
Control: tag -1 + confirmed
On Wed, Jan 11, 2017 at 06:23:58PM -0500, Anthony DeRobertis wrote:
> Package: ntp
> Version: 1:4.2.8p9+dfsg-2
> Severity: normal
> File: /usr/bin/update-leap
>
> It seems update-leap is just broken, with the default options, because
> it attempts to use File::Fetch to grab an https:// URL, but File::Fetch
> doesn't support https:// URLs.
>
> Note that a newer version of File::Fetch (apparently, starting in 0.50,
> from August 2016) supports https:// but Debian doesn't have that
> version, at least in testing.
True, won't be in Stretch either.

Looking at /usr/bin/update-leap you find this particular code

| # Where to get the file
| # Choices:
| # https://www.ietf.org/timezones/data/leap-seconds.list
| # ftp://time.nist.gov/pub/leap-seconds.list
| my $LEAPSRC="https://www.ietf.org/timezones/data/leap-seconds.list";

You can override this on the command line using -s, so

    /usr/bin/update-leap -s \
        http://www.ietf.org/timezones/data/leap-seconds.list

is a viable workaround.

I guess the only possible fix for Stretch would be to downgrade to http
by default, but I'm not sure about the security consequences of getting
a leap file from an unauthenticated URL. Kurt, what do you think?

Bernhard
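
Added example, not part of the original message and not update-leap's own code: when the list is fetched over plain http, the only checks left are the ones the file carries itself. This Python code verifies the embedded `#h` SHA-1 line and the `#@` expiry stamp of a leap-seconds.list; the function names are hypothetical and the sample file is constructed.

```python
import hashlib
import re

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def leap_digest(text):
    """SHA-1 over the digits of the data, '#$' and '#@' lines, as five 32-bit words."""
    sha = hashlib.sha1()
    for line in text.splitlines():
        if line.startswith("#"):
            if line[1:2] not in ("$", "@"):
                continue  # ordinary comments and the '#h' line are not hashed
            line = line[2:]
        line = line.split("#", 1)[0]  # drop any trailing comment
        sha.update(re.sub(r"[^0-9]", "", line).encode("ascii"))
    digest = sha.hexdigest()
    return [int(digest[i:i + 8], 16) for i in range(0, 40, 8)]


def check_leap_file(text, now_unix):
    """Return a list of problems; empty means self-consistent and not expired."""
    problems = []
    stored = re.search(r"^#h[ \t]+([0-9a-fA-F \t]+)$", text, re.M)
    if not stored:
        problems.append("missing or malformed #h line")
    elif [int(w, 16) for w in stored.group(1).split()] != leap_digest(text):
        problems.append("hash mismatch")
    expiry = re.search(r"^#@[ \t]+(\d+)", text, re.M)
    if not expiry:
        problems.append("missing #@ expiry line")
    elif int(expiry.group(1)) - NTP_UNIX_OFFSET <= now_unix:
        problems.append("file expired")
    return problems


def make_sample():
    """Constructed sample in leap-seconds.list layout; values are illustrative."""
    body = ("#$\t 3676924800\n"
            "#@\t3723408000\n"
            "2272060800\t10\t# 1 Jan 1972\n"
            "3692217600\t37\t# 1 Jan 2017\n")
    # Words are written without leading zeros, as printf("%x") would.
    words = " ".join("%x" % w for w in leap_digest(body))
    return body + "#h\t" + words + "\n"


if __name__ == "__main__":
    print(check_leap_file(make_sample(), 1491000000))
```

The `#h` value is an unkeyed hash stored in the same file, so it catches corruption or truncation in transit but does not authenticate the server the file came from.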