import perl-HTTP-Tiny-0.074-2.el8_9.1

SOURCES/HTTP-Tiny-0.074-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch

@@ -104,7 +104,7 @@ index 2ece5ca..58be640 100644
 +    my ($self) = @_;
 +    # Check if insecure default certificate verification behaviour has been
 +    # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
-+    return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
++    return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
 +}
 +
  sub _set_proxies {
@@ -248,7 +248,7 @@ index 0000000..d6bc412
 +
 +use HTTP::Tiny;
 +
-+delete $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT};
++delete $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT};
 +
 +{
 +    my $ht = HTTP::Tiny->new();
@@ -294,54 +294,54 @@ index 0000000..d6bc412
 +}
 +
 +{
-+    local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
++    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
 +    my $ht = HTTP::Tiny->new();
-+    is($ht->verify_SSL, 0, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1 changes verify_SSL default to 0");
++    is($ht->verify_SSL, 0, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 changes verify_SSL default to 0");
 +}
 +
 +{
-+    local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "0";
++    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "0";
 +    my $ht = HTTP::Tiny->new();
-+    is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=0 keeps verify_SSL default at 1");
++    is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=0 keeps verify_SSL default at 1");
 +}
 +
 +{
-+    local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "False";
++    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "False";
 +    my $ht = HTTP::Tiny->new();
-+    is($ht->verify_SSL, 1, "Unsupported PERL_HTTP_TINY_INSECURE_BY_DEFAULT=False keeps verify_SSL default at 1");
++    is($ht->verify_SSL, 1, "Unsupported PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=False keeps verify_SSL default at 1");
 +}
 +
 +{
-+    local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
++    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
 +    my $ht = HTTP::Tiny->new(verify_SSL=>1);
-+    is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1 does not override verify_SSL attribute set to 1");
++    is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 does not override verify_SSL attribute set to 1");
 +}
 +
 +{
-+    local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
++    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
 +    my $ht = HTTP::Tiny->new(
 +        verify_SSL => 1,
 +        verify_ssl => 1
 +    );
-+    is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>1 sets 1");
++    is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>1 sets 1");
 +}
 +
 +{
-+    local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
++    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
 +    my $ht = HTTP::Tiny->new(
 +        verify_SSL => 1,
 +        verify_ssl => 0
 +    );
-+    is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>0 sets 1");
++    is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>0 sets 1");
 +}
 +
 +{
-+    local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
++    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
 +    my $ht = HTTP::Tiny->new(
 +        verify_SSL => 0,
 +        verify_ssl => 0
 +    );
-+    is($ht->verify_SSL, 0, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>0 and verify_ssl=>0 sets 0");
++    is($ht->verify_SSL, 0, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>0 and verify_ssl=>0 sets 0");
 +}
 +
 +
@@ -356,7 +356,7 @@ index 6f80e51..7b84f93 100644
  }
  use HTTP::Tiny;
  
-+delete $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT};
++delete $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT};
 +
  plan skip_all => 'Only run for $ENV{AUTOMATED_TESTING}'
    unless $ENV{AUTOMATED_TESTING};
@@ -428,7 +428,7 @@ index 6f80e51..7b84f93 100644
 +});
 +
 +{
-+    local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = 1;
++    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = 1;
 +    test_ssl('https://wrong.host.badssl.com/' => {
 +        host => 'wrong.host.badssl.com',
 +        pass => { verify_SSL => 0 },

SOURCES/HTTP-Tiny-0.074-Fix-man-page-for-CVE-2023-31486.patch

@@ -0,0 +1,21 @@
+diff -up HTTP-Tiny-0.074/lib/HTTP/Tiny.pm.orig HTTP-Tiny-0.074/lib/HTTP/Tiny.pm
+--- HTTP-Tiny-0.074/lib/HTTP/Tiny.pm.orig	2024-01-16 12:26:34.204388229 +0100
++++ HTTP-Tiny-0.074/lib/HTTP/Tiny.pm	2024-01-16 12:29:19.282808545 +0100
+@@ -1778,12 +1778,16 @@ C<timeout> — Request timeout in second
+ 
+ =item *
+ 
+-C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is false)
++C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is true). Changed from false to true for CVE-2023-31486.
+ 
+ =item *
+ 
+ C<SSL_options> — A hashref of C<SSL_*> — options to pass through to L<IO::Socket::SSL>
+ 
++=item *
++
++C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> — Changes the default certificate verification behavior to not check server identity if set to 1. Only effective if C<verify_SSL> is not set. Added for CVE-2023-31486.
++
+ =back
+ 
+ Passing an explicit C<undef> for C<proxy>, C<http_proxy> or C<https_proxy> will

SPECS/perl-HTTP-Tiny.spec

@@ -3,7 +3,7 @@
 
 Name:           perl-HTTP-Tiny
 Version:        0.074
-Release:        2%{?dist}
+Release:        2%{?dist}.1
 Summary:        Small, simple, correct HTTP/1.1 client
 License:        GPL+ or Artistic
 URL:            https://metacpan.org/release/HTTP-Tiny
@@ -14,6 +14,8 @@ Patch0:         HTTP-Tiny-0.070-Croak-on-failed-write-into-a-file.patch
 # Change verify_SSL default to 1, add ENV var to enable insecure default
 # Fix rhbz#2228409 - CVE-2023-31486
 Patch1:         HTTP-Tiny-0.074-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch
+# Fix man page for CVE-2023-31486
+Patch2:         HTTP-Tiny-0.074-Fix-man-page-for-CVE-2023-31486.patch
 BuildArch:      noarch
 BuildRequires:  coreutils
 BuildRequires:  make
@@ -103,6 +105,7 @@ with "%{_libexecdir}/%{name}/test".
 %setup -q -n HTTP-Tiny-%{version}
 %patch -P0 -p1
 %patch -P1 -p1
+%patch -P2 -p1
 
 # Help generators to recognize Perl scripts
 for F in t/*.t; do
@@ -141,6 +144,9 @@ make test
 %{_libexecdir}/%{name}
 
 %changelog
+* Tue Jan 16 2024 Jitka Plesnikova <jplesnik@redhat.com> - 0.074-2.1
+- Update man page for CVE-2023-31486
+
 * Mon Aug 07 2023 Jitka Plesnikova <jplesnik@redhat.com> - 0.074-2
 - Changes the verify_SSL default parameter from 0 to 1 - CVE-2023-31486
 - Resolves: rhbz#2228409