From 05e6cf04b6255abd2b4f27a16b8edc3452227385 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Wed, 8 Nov 2023 16:26:31 +0300
Subject: [PATCH] import perl-CPAN-2.29-3.el9
---
 SOURCES/CPAN-2.35-Add-verify-SSL.patch | 13 +++++++++++++
 SPECS/perl-CPAN.spec | 8 +++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/CPAN-2.35-Add-verify-SSL.patch
diff --git a/SOURCES/CPAN-2.35-Add-verify-SSL.patch b/SOURCES/CPAN-2.35-Add-verify-SSL.patch
new file mode 100644
index 0000000..ee5e47a
--- /dev/null
+++ b/SOURCES/CPAN-2.35-Add-verify-SSL.patch
@@ -0,0 +1,13 @@
+Add verify_SSL=>1 to HTTP::Tiny to verify https server identity (Stig Palmquist)
+
+diff -u -r CPAN-2.29.orig/lib/CPAN/HTTP/Client.pm CPAN-2.29/lib/CPAN/HTTP/Client.pm
+--- CPAN-2.29.orig/lib/CPAN/HTTP/Client.pm 2023-08-01 16:19:19.216625710 +0200
++++ CPAN-2.29/lib/CPAN/HTTP/Client.pm 2023-08-01 16:28:29.323221118 +0200
+@@ -32,6 +32,7 @@
+
+ my $want_proxy = $self->_want_proxy($uri);
+ my $http = HTTP::Tiny->new(
++ verify_SSL => 1,
+ $want_proxy ? (proxy => $self->{proxy}) : ()
+ );
+
diff --git a/SPECS/perl-CPAN.spec b/SPECS/perl-CPAN.spec
index e88d925..dd9c58f 100644
--- a/SPECS/perl-CPAN.spec
+++ b/SPECS/perl-CPAN.spec
@@ -10,7 +10,7 @@
 Name: perl-CPAN
 Version: 2.29
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Query, download and build perl modules from CPAN sites
 License: GPL+ or Artistic
 URL: https://metacpan.org/release/CPAN
@@ -22,6 +22,8 @@ Patch1: CPAN-2.18-Replace-configuration-directory-string-with-a-marke.pa
 # Some syntax fixes
 Patch2: CPAN-2.32-s-gpg-gpg-in-system-add-quotes-where-needed.patch
 Patch3: CPAN-2.32-s-dev-null-devnull.patch
+# CVE-2023-31484 - Add verify_SSL => 1
+Patch4: CPAN-2.35-Add-verify-SSL.patch
 BuildArch: noarch
 BuildRequires: coreutils
 BuildRequires: findutils
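Review bot: The `verify_SSL => 1` added to the `HTTP::Tiny->new(...)` call in lib/CPAN/HTTP/Client.pm (the embedded patch in SOURCES/CPAN-2.35-Add-verify-SSL.patch) has no comment explaining why it is set, so a later cleanup could drop it as redundant; I would put `# Require TLS certificate verification for https mirrors (CVE-2023-31484)` directly above the option. The patch touches only this one HTTP::Tiny client, and whether CPAN's other download paths also validate the server certificate is not visible here, so that should be confirmed before the CVE is treated as closed for the package. With verification enabled, HTTP::Tiny refuses https requests when it cannot locate a CA bundle, so the package's runtime dependencies are worth checking too. The enclosing sub starts and ends outside the embedded hunk.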
@@ -264,6 +266,7 @@ with "%{_libexecdir}/%{name}/test".
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 # Change configuration name
 find -type f -exec perl -i -pe 's/XCPANCONFIGNAMEX/cpan/g' {} \;
 # Remove bundled modules
@@ -333,6 +336,9 @@ make test
 %{_libexecdir}/%{name}
 %changelog
+* Tue Aug 01 2023 Michal Josef Špaček - 2.29-3
+- Resolves: rhbz#2218907 - Fix CVE-2023-31484
+
 * Wed Mar 15 2023 MSVSphere Packaging Team - 2.29-2
 - Rebuilt for MSVSphere 9.1.