import perl-CPAN-2.29-3.el9

SOURCES/CPAN-2.35-Add-verify-SSL.patch

@@ -0,0 +1,13 @@
+Add verify_SSL=>1 to HTTP::Tiny to verify https server identity (Stig Palmquist)
+
+diff -u -r CPAN-2.29.orig/lib/CPAN/HTTP/Client.pm CPAN-2.29/lib/CPAN/HTTP/Client.pm
+--- CPAN-2.29.orig/lib/CPAN/HTTP/Client.pm	2023-08-01 16:19:19.216625710 +0200
++++ CPAN-2.29/lib/CPAN/HTTP/Client.pm	2023-08-01 16:28:29.323221118 +0200
+@@ -32,6 +32,7 @@
+ 
+     my $want_proxy = $self->_want_proxy($uri);
+     my $http = HTTP::Tiny->new(
++        verify_SSL => 1,
+         $want_proxy ? (proxy => $self->{proxy}) : ()
+     );
+ 

SPECS/perl-CPAN.spec

@@ -10,7 +10,7 @@
 
 Name:           perl-CPAN
 Version:        2.29
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Query, download and build perl modules from CPAN sites
 License:        GPL+ or Artistic
 URL:            https://metacpan.org/release/CPAN
@@ -22,6 +22,8 @@ Patch1:         CPAN-2.18-Replace-configuration-directory-string-with-a-marke.pa
 # Some syntax fixes
 Patch2:         CPAN-2.32-s-gpg-gpg-in-system-add-quotes-where-needed.patch
 Patch3:         CPAN-2.32-s-dev-null-devnull.patch
+# CVE-2023-31484 - Add verify_SSL => 1
+Patch4:         CPAN-2.35-Add-verify-SSL.patch
 BuildArch:      noarch
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -264,6 +266,7 @@ with "%{_libexecdir}/%{name}/test".
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 # Change configuration name
 find -type f -exec perl -i -pe 's/XCPANCONFIGNAMEX/cpan/g' {} \;
 # Remove bundled modules
@@ -333,6 +336,9 @@ make test
 %{_libexecdir}/%{name}
 
 %changelog
+* Tue Aug 01 2023 Michal Josef Špaček <mspacek@redhat.com> - 2.29-3
+- Resolves: rhbz#2218907 - Fix CVE-2023-31484
+
 * Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.29-2
 - Rebuilt for MSVSphere 9.1.