[Secure-testing-team] Bug#818081: opam: Please apply upstream patch: remove insecure / no-check-certificate flags
Ximin Luo
infinity0 at debian.org
Fri Mar 11 16:51:53 UTC 2016
Package: opam
Version: 1.2.2-4.1
Severity: grave
Tags: patch security
Justification: user security hole
Dear Maintainer,
Currently opam forces curl/wget to not check the certificate, allowing a MITM
to inject arbitrary code to users using opam, which eventually will likely be
run by them. This has been fixed upstream:
https://github.com/ocaml/opam/commit/3d43295df3bb9e67e60801d319bf82c2c8a84d24
I have backported the patch to the current version of opam in Debian; see the
attached file. I've also built this myself:
https://people.debian.org/~infinity0/apt/pool/contrib/o/opam
and installed it, ran it, and checked that things still work.
X
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages opam depends on:
ii build-essential 11.7
ii curl 7.47.0-1
ii libbz2-1.0 1.0.6-8
ii libc6 2.21-9
ii opam-docs 1.2.2-4.1
ii tar 1.28-2.1
ii unzip 6.0-20
ii wget 1.17.1-1+b1
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages opam recommends:
ii aspcud 1:1.9.1-2
ii darcs 2.10.2-1
ii git 1:2.7.0-1
ii mercurial 3.5.2-2
ii ocaml 4.02.3-6
ii rsync 3.1.1-3
opam suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no-insecure.patch
Type: text/x-diff
Size: 925 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20160311/c537fcf2/attachment.patch>