Version in base suite: 1.24-4 Base version: libxml-stream-perl_1.24-4 Target version: libxml-stream-perl_1.24-4+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libxml-stream-perl/libxml-stream-perl_1.24-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libxml-stream-perl/libxml-stream-perl_1.24-4+deb12u1.dsc changelog | 10 + patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch | 85 ++++++++++ patches/series | 1 3 files changed, 96 insertions(+)
diff -Nru libxml-stream-perl-1.24/debian/changelog libxml-stream-perl-1.24/debian/changelog
--- libxml-stream-perl-1.24/debian/changelog 2021-01-20 17:34:25.000000000 +0000
+++ libxml-stream-perl-1.24/debian/changelog 2024-03-03 15:02:42.000000000 +0000
@@ -1,3 +1,13 @@
+libxml-stream-perl (1.24-4+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Add Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch
+ to adjust to IO::Socket::SSL >= 2.078.
+ Thanks to Manfred Stock for the bug report and the patch.
+ (Closes: #1064058)
+
+ -- gregor herrmann Sun, 03 Mar 2024 16:02:42 +0100
+
 libxml-stream-perl (1.24-4) unstable; urgency=medium
 
 * Team upload.
diff -Nru libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch
--- libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch 2024-03-03 15:02:42.000000000 +0000
@@ -0,0 +1,85 @@
+From 7d3de1e8afe7eb46d7bda336fb1f54d3b75f4e6d Mon Sep 17 00:00:00 2001
+From: Manfred Stock
+Date: Fri, 16 Feb 2024 10:45:43 +0100
+Subject: [PATCH] Set SSL_verifycn_name parameter to fix hostname verification
+
+IO-Socket-SSL 2.078 reverted a "decision from 2014 to not verify
+hostname by default if hostname is IP address but no explicit
+verification scheme given" [1]. Since start_SSL uses SSL_verifycn_name
+or SSL_hostname when verifying the hostname and falls back to the IP
+address of the peer if neither of them are set, the hostname
+verification failed with newer versions of IO-Socket-SSL even if the
+certificate presented by the peer was valid.
+
+Passing SSL_verifycn_name to start_SSL fixes this issue. The logic to
+determine the parameter value is based on my current understanding of
+[2] and thus uses the same logic that is also used in OpenStream to
+determine the 'to' address in the initial stream header.
+
+[1]: https://github.com/noxxi/p5-io-socket-ssl/commit/c0a063b70f0a3ad033da0a51923c65bd2ff118a0
+[2]: https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1
+
+
+Bug: https://github.com/dap/XML-Stream/pull/28
+Bug-Debian: https://bugs.debian.org/1064058
+
+---
+ lib/XML/Stream.pm | 3 +++
+ t/tcpip2ssl.t | 21 +++++++++++++++++----
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+--- a/lib/XML/Stream.pm
++++ b/lib/XML/Stream.pm
+@@ -632,6 +632,9 @@
+ {
+ my %ssl_params = (
+ SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},
++ SSL_verifycn_name => $self->{SIDS}->{newconnection}->{to}
++ ? $self->{SIDS}->{newconnection}->{to}
++ : $self->{SIDS}->{newconnection}->{hostname},
+ );
+
+ if ( 0x00 != $self->{SIDS}->{newconnection}->{ssl_verify} )
+--- a/t/tcpip2ssl.t
++++ b/t/tcpip2ssl.t
+@@ -1,13 +1,13 @@
+ use strict;
+ use warnings;
+
+-use Test::More tests=>3;
++use Test::More tests=>5;
+
+ SKIP:
+ {
+ eval("use IO::Socket::SSL 0.81;");
+- skip "IO::Socket::SSL not installed", 2 if $@;
+- skip "No network communication allowed", 2 if ($ENV{NO_NETWORK});
++ skip "IO::Socket::SSL not installed", 4 if $@;
++ skip "No network communication allowed", 4 if ($ENV{NO_NETWORK});
+
+ BEGIN{ use_ok( "XML::Stream","Tree", "Node" ); }
+
+@@ -28,9 +28,22 @@
+ ssl=>1,
+ ssl_verify=>0x00,
+ timeout=>10);
++ is( $stream->{SIDS}->{newconnection}->{ssl_params}->{SSL_verifycn_name},
++ 'jabber.org', 'SSL_verifycn_name set' );
+
+- skip "Cannot create initial socket", 1 unless $stream;
++ skip "Cannot create initial socket", 2 unless $stream;
+
+ ok( $stream, "converted" );
++
++ $stream->Connect(hostname=>"jabber.org",
++ to=>'example.com',
++ port=>5223,
++ namespace=>"jabber:client",
++ connectiontype=>"tcpip",
++ ssl=>1,
++ ssl_verify=>0x00,
++ timeout=>10);
++ is( $stream->{SIDS}->{newconnection}->{ssl_params}->{SSL_verifycn_name},
++ 'example.com', 'SSL_verifycn_name set to "to" value' );
+ }
+ }
diff -Nru libxml-stream-perl-1.24/debian/patches/series libxml-stream-perl-1.24/debian/patches/series
--- libxml-stream-perl-1.24/debian/patches/series 2021-01-20 17:34:25.000000000 +0000
+++ libxml-stream-perl-1.24/debian/patches/series 2024-03-03 15:02:42.000000000 +0000
@@ -1,3 +1,4 @@
 t_upstream_uninitialized_value.diff
 default-ca-path.patch
 0001-Do-not-die-when-hostname-cannot-be-resolved.patch
+Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch
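Review bot: The new `SSL_verifycn_name` key in `%ssl_params` prefers `to` over `hostname` without saying why, and that precedence is the security-relevant part of the change: when `ssl_verify` is enabled the certificate is matched against the XMPP domain addressed in the stream header rather than the host actually connected to, which is what the RFC 6120 §13.7.2.1 reference in the commit message is about, and a later reader could plausibly "simplify" it back to `hostname`. Suggest a comment above the key: `# RFC 6120 §13.7.2.1: verify the certificate against the XMPP domain we address ('to'),` / `# not the host we connected to; fall back to hostname when no 'to' was given.`. The two added `is()` checks both run with `ssl_verify=>0x00`, so they confirm the parameter is populated but never exercise a verified handshake; the failure this patch fixes (a valid certificate rejected under IO::Socket::SSL >= 2.078) is therefore not pinned by a test, although such a test would need network access like the existing ones. The `ssl_params` hash the test reads is presumably filled from the lexical `%ssl_params` further down, outside this hunk, which also holds the rest of the enclosing block.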