rpms
/
perl-HTTP-Tiny
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c8-beta
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c-stream-5.26
rpms:c8-stream-5.26
rpms:i8c-stream-5.24
rpms:c8-stream-5.24
rpms:i8c
rpms:c8
rpms:i8c-beta-stream-5.32
rpms:c8-beta-stream-5.32
rpms:i8c-beta
rpms:c8-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-stream-5.32
rpms:c8-stream-5.32
rpms:i8c-stream-5.30
rpms:c8-stream-5.30
rpms:i9c
rpms:c9
...
pull from: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c-stream-5.26
rpms:c8-stream-5.26
rpms:i8c-stream-5.24
rpms:c8-stream-5.24
rpms:i8c
rpms:c8
rpms:i8c-beta-stream-5.32
rpms:c8-beta-stream-5.32
rpms:i8c-beta
rpms:c8-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-stream-5.32
rpms:c8-stream-5.32
rpms:i8c-stream-5.30
rpms:c8-stream-5.30
rpms:i9c
rpms:c9

No commits in common. 'c8-beta' and 'c9' have entirely different histories.
c8-beta ... c9

5 changed files with 75 additions and 65 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/HTTP-Tiny-0.074.tar.gz
SOURCES/HTTP-Tiny-0.076.tar.gz

2
.perl-HTTP-Tiny.metadata
Unescape View File

@ -1 +1 @@
0f70a1d26a276251407d0beed4848979e8fd29fd SOURCES/HTTP-Tiny-0.074.tar.gz
2e27950c8cc5643649fac3607ba0082711139dd7 SOURCES/HTTP-Tiny-0.076.tar.gz

21
SOURCES/HTTP-Tiny-0.074-Fix-man-page-for-CVE-2023-31486.patch
Unescape View File

@ -1,21 +0,0 @@
diff -up HTTP-Tiny-0.074/lib/HTTP/Tiny.pm.orig HTTP-Tiny-0.074/lib/HTTP/Tiny.pm
--- HTTP-Tiny-0.074/lib/HTTP/Tiny.pm.orig 2024-01-16 12:26:34.204388229 +0100
+++ HTTP-Tiny-0.074/lib/HTTP/Tiny.pm 2024-01-16 12:29:19.282808545 +0100
@@ -1778,12 +1778,16 @@ C<timeout> — Request timeout in second
=item *
-C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is false)
+C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is true). Changed from false to true for CVE-2023-31486.
=item *
C<SSL_options> — A hashref of C<SSL_*> — options to pass through to L<IO::Socket::SSL>
+=item *
+
+C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> — Changes the default certificate verification behavior to not check server identity if set to 1. Only effective if C<verify_SSL> is not set. Added for CVE-2023-31486.
+
=back
Passing an explicit C<undef> for C<proxy>, C<http_proxy> or C<https_proxy> will

60
SOURCES/HTTP-Tiny-0.074-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch → SOURCES/HTTP-Tiny-0.076-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch
Unescape View File

@ -48,11 +48,11 @@ Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
Backported from HTTP::Tiny 0.083
---
lib/HTTP/Tiny.pm | 86 ++++++++++++++++++----------
lib/HTTP/Tiny.pm | 72 ++++++++++++++----------
t/180_verify_SSL.t | 109 ++++++++++++++++++++++++++++++++++++
t/210_live_ssl.t | 136 ++++++++++++++++++++++++++++++---------------
t/snake-oil.crt | 33 +++++++++++
4 files changed, 291 insertions(+), 73 deletions(-)
4 files changed, 277 insertions(+), 73 deletions(-)
create mode 100644 t/180_verify_SSL.t
create mode 100644 t/snake-oil.crt
@ -68,12 +68,12 @@ index 2ece5ca..58be640 100644
-#pod certificate of an C<https> — connection (default is false)
+#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL
+#pod certificate of an C<https> ? connection (default is true). Changed from false
+#pod to true for CVE-2023-31486.
+#pod to true for RHBZ#2228412.
#pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to
#pod L<IO::Socket::SSL>
+#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
+#pod certificate verification behavior to not check server identity if set to 1.
+#pod Only effective if C<verify_SSL> is not set. Added for CVE-2023-31486.
+#pod Only effective if C<verify_SSL> is not set. Added for RHBZ#2228412.
#pod
#pod Passing an explicit C<undef> for C<proxy>, C<http_proxy> or C<https_proxy> will
#pod prevent getting the corresponding proxies from the environment.
@ -104,13 +104,13 @@ index 2ece5ca..58be640 100644
+ my ($self) = @_;
+ # Check if insecure default certificate verification behaviour has been
+ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
+ return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
+ return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
+}
+
sub _set_proxies {
my ($self) = @_;
@@ -1034,7 +1051,7 @@ sub new {
@@ -1041,7 +1058,7 @@ sub new {
timeout => 60,
max_line_size => 16384,
max_header_lines => 64,
@ -119,7 +119,7 @@ index 2ece5ca..58be640 100644
SSL_options => {},
%args
}, $class;
@@ -2005,11 +2022,11 @@ proxy
@@ -2012,11 +2029,11 @@ proxy
timeout
verify_SSL
@ -133,7 +133,7 @@ index 2ece5ca..58be640 100644
encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function
that returns boolean to see if the required modules are installed.
@@ -2017,7 +2034,7 @@ An C<https> connection may be made via a
@@ -2024,7 +2041,7 @@ An C<https> connection may be made via a
command (i.e. RFC 2817). You may not proxy C<https> via a proxy that itself
requires C<https> to communicate.
@ -142,7 +142,7 @@ index 2ece5ca..58be640 100644
=over 4
@@ -2031,24 +2048,17 @@ Verification of server identity
@@ -2038,24 +2055,17 @@ Verification of server identity
=back
@ -165,7 +165,7 @@ index 2ece5ca..58be640 100644
-Assuming you trust the CA, this will protect against a L<man-in-the-middle
-attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If you are
-concerned about security, you should enable this option.
+This was changed for CVE-2023-31486 due to security concerns. The previous default
+This was changed for RHBZ#2228412 due to security concerns. The previous default
+behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}>
+to 1.
+
@ -177,7 +177,7 @@ index 2ece5ca..58be640 100644
Certificate verification requires a file containing trusted CA certificates.
@@ -2056,9 +2066,7 @@ If the environment variable C<SSL_CERT_F
@@ -2063,9 +2073,7 @@ If the environment variable C<SSL_CERT_F
will try to find a CA certificate file in that location.
If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file
@ -188,7 +188,7 @@ index 2ece5ca..58be640 100644
If that module is not available, then HTTP::Tiny will search several
system-specific default locations for a CA certificate file:
@@ -2077,13 +2085,33 @@ system-specific default locations for a
@@ -2084,13 +2092,33 @@ system-specific default locations for a
/etc/ssl/ca-bundle.pem
@ -224,7 +224,7 @@ index 2ece5ca..58be640 100644
C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For
example, to provide your own trusted CA file:
@@ -2093,7 +2121,7 @@ example, to provide your own trusted CA
@@ -2100,7 +2128,7 @@ example, to provide your own trusted CA
The C<SSL_options> attribute could also be used for such things as providing a
client certificate for authentication to a server or controlling the choice of
@ -248,7 +248,7 @@ index 0000000..d6bc412
+
+use HTTP::Tiny;
+
+delete $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT};
+delete $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT};
+
+{
+ my $ht = HTTP::Tiny->new();
@ -294,54 +294,54 @@ index 0000000..d6bc412
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new();
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 changes verify_SSL default to 0");
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1 changes verify_SSL default to 0");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "0";
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "0";
+ my $ht = HTTP::Tiny->new();
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=0 keeps verify_SSL default at 1");
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=0 keeps verify_SSL default at 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "False";
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "False";
+ my $ht = HTTP::Tiny->new();
+ is($ht->verify_SSL, 1, "Unsupported PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=False keeps verify_SSL default at 1");
+ is($ht->verify_SSL, 1, "Unsupported PERL_HTTP_TINY_INSECURE_BY_DEFAULT=False keeps verify_SSL default at 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new(verify_SSL=>1);
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 does not override verify_SSL attribute set to 1");
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1 does not override verify_SSL attribute set to 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new(
+ verify_SSL => 1,
+ verify_ssl => 1
+ );
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>1 sets 1");
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>1 sets 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new(
+ verify_SSL => 1,
+ verify_ssl => 0
+ );
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>0 sets 1");
+ is($ht->verify_SSL, 1, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>1 and verify_ssl=>0 sets 1");
+}
+
+{
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = "1";
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = "1";
+ my $ht = HTTP::Tiny->new(
+ verify_SSL => 0,
+ verify_ssl => 0
+ );
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1, verify_SSL=>0 and verify_ssl=>0 sets 0");
+ is($ht->verify_SSL, 0, "PERL_HTTP_TINY_INSECURE_BY_DEFAULT=1, verify_SSL=>0 and verify_ssl=>0 sets 0");
+}
+
+
@ -356,7 +356,7 @@ index 6f80e51..7b84f93 100644
}
use HTTP::Tiny;
+delete $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT};
+delete $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT};
+
plan skip_all => 'Only run for $ENV{AUTOMATED_TESTING}'
unless $ENV{AUTOMATED_TESTING};
@ -428,7 +428,7 @@ index 6f80e51..7b84f93 100644
+});
+
+{
+ local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = 1;
+ local $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} = 1;
+ test_ssl('https://wrong.host.badssl.com/' => {
+ host => 'wrong.host.badssl.com',
+ pass => { verify_SSL => 0 },

55
SPECS/perl-HTTP-Tiny.spec
Unescape View File

@ -2,8 +2,8 @@
%bcond_without perl_HTTP_Tiny_enables_optional_deps
Name: perl-HTTP-Tiny
Version: 0.074
Release: 3%{?dist}
Version: 0.076
Release: 461%{?dist}
Summary: Small, simple, correct HTTP/1.1 client
License: GPL+ or Artistic
URL: https://metacpan.org/release/HTTP-Tiny
@ -12,10 +12,8 @@ Source0: https://cpan.metacpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{v
# <https://github.com/chansen/p5-http-tiny/issues/32>
Patch0: HTTP-Tiny-0.070-Croak-on-failed-write-into-a-file.patch
# Change verify_SSL default to 1, add ENV var to enable insecure default
# Fix rhbz#2228409 - CVE-2023-31486
Patch1: HTTP-Tiny-0.074-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch
# Fix man page for CVE-2023-31486
Patch2: HTTP-Tiny-0.074-Fix-man-page-for-CVE-2023-31486.patch
# Fix rhbz#2228412 - CVE-2023-31486
Patch1: HTTP-Tiny-0.076-Change-verify_SSL-default-to-1-add-ENV-var-to-enable.patch
BuildArch: noarch
BuildRequires: coreutils
BuildRequires: make
@ -105,7 +103,6 @@ with "%{_libexecdir}/%{name}/test".
%setup -q -n HTTP-Tiny-%{version}
%patch -P0 -p1
%patch -P1 -p1
%patch -P2 -p1
# Help generators to recognize Perl scripts
for F in t/*.t; do
@ -144,16 +141,50 @@ make test
%{_libexecdir}/%{name}
%changelog
* Tue Jan 16 2024 Jitka Plesnikova <jplesnik@redhat.com> - 0.074-3
- Update man page for CVE-2023-31486
* Mon Aug 07 2023 Jitka Plesnikova <jplesnik@redhat.com> - 0.074-2
* Fri Aug 04 2023 Jitka Plesnikova <jplesnik@redhat.com> - 0.076-461
- Changes the verify_SSL default parameter from 0 to 1 - CVE-2023-31486
- Resolves: rhbz#2228409
- Resolves: rhbz#2228412
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.076-460
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.076-459
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.076-458
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.076-457
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 0.076-456
- Increase release to favour standalone package
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.076-440
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.076-439
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 0.076-438
- Increase release to favour standalone package
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.076-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Aug 06 2018 Petr Pisar <ppisar@redhat.com> - 0.076-1
- 0.076 bump
* Tue Jul 31 2018 Petr Pisar <ppisar@redhat.com> - 0.074-1
- 0.074 bump
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.070-417
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 0.070-416
- Increase release to favour standalone package
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.070-395
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

Write Preview
Loading…
Cancel
Save