From afa4d48c4e8a16843b352f6d559ce5fa40e46826 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Wed, 17 May 2023 15:14:19 +0200 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 perl-LWP-Protocol-https revision 5963c22d584a7d0af26ee13f0f8115f1 --- .gitattributes | 23 +++++ CVE-2014-3230.patch | 40 +++++++++ LWP-Protocol-https-6.09-systemca.diff | 24 +++++ LWP-Protocol-https-6.10.tar.gz | 3 + cpanspec.yml | 23 +++++ perl-LWP-Protocol-https.changes | 123 ++++++++++++++++++++++++++ perl-LWP-Protocol-https.spec | 90 +++++++++++++++++++ 7 files changed, 326 insertions(+) create mode 100644 .gitattributes create mode 100644 CVE-2014-3230.patch create mode 100644 LWP-Protocol-https-6.09-systemca.diff create mode 100644 LWP-Protocol-https-6.10.tar.gz create mode 100644 cpanspec.yml create mode 100644 perl-LWP-Protocol-https.changes create mode 100644 perl-LWP-Protocol-https.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/CVE-2014-3230.patch b/CVE-2014-3230.patch new file mode 100644 index 0000000..dd7bc18 --- /dev/null +++ b/CVE-2014-3230.patch @@ -0,0 +1,40 @@ +From 1b924708663f457a4f7c25ed35d7dfb3bb5b334d Mon Sep 17 00:00:00 2001 +From: Steffen Ullrich +Date: Sat, 3 May 2014 23:04:36 +0200 +Subject: [PATCH 1/3] Debian #746576 - don't disale verification if only + hostnames should not be verified + +--- + lib/LWP/Protocol/https.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm +=================================================================== +--- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm ++++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm +@@ -21,7 +21,11 @@ sub _extra_sock_opts + $ssl_opts{SSL_verifycn_scheme} = 'www'; + } + else { +- $ssl_opts{SSL_verify_mode} = 0; ++ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) { ++ $ssl_opts{SSL_verifycn_scheme} = ''; ++ } else { ++ $ssl_opts{SSL_verifycn_scheme} = 'none'; ++ } + } + my $suse_allows_mozilla_ca = 0; + if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) { +Index: LWP-Protocol-https-6.06/t/https_proxy.t +=================================================================== +--- LWP-Protocol-https-6.06.orig/t/https_proxy.t ++++ LWP-Protocol-https-6.06/t/https_proxy.t +@@ -66,7 +66,7 @@ my %ua; + $ua{noproxy} = LWP::UserAgent->new( + keep_alive => 10, # size of connection cache + # server does not know the expected name and returns generic certificate +- ssl_opts => { verify_hostname => 0 } ++ ssl_opts => { verify_hostname => 0, SSL_ca_file => $cafile, } + ); + + $ua{proxy} = LWP::UserAgent->new( diff --git a/LWP-Protocol-https-6.09-systemca.diff b/LWP-Protocol-https-6.09-systemca.diff new file mode 100644 index 0000000..4cdd21b --- /dev/null +++ b/LWP-Protocol-https-6.09-systemca.diff @@ -0,0 +1,24 @@ +diff -ur LWP-Protocol-https-6.09/lib/LWP/Protocol/https.pm LWP-Protocol-https-6.09_fix/lib/LWP/Protocol/https.pm +--- LWP-Protocol-https-6.09/lib/LWP/Protocol/https.pm 2020-07-16 15:33:07.000000000 +0200 ++++ LWP-Protocol-https-6.09_fix/lib/LWP/Protocol/https.pm 2020-10-15 15:56:49.380284037 +0200 +@@ -22,7 +22,8 @@ + else { + $ssl_opts{SSL_verify_mode} = 0; + } +- if ($ssl_opts{SSL_verify_mode}) { ++ my $suse_allows_mozilla_ca = 0; ++ if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) { + unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { + eval { + require Mozilla::CA; +diff -ur LWP-Protocol-https-6.09/Makefile.PL LWP-Protocol-https-6.09_fix/Makefile.PL +--- LWP-Protocol-https-6.09/Makefile.PL 2020-07-16 15:33:07.000000000 +0200 ++++ LWP-Protocol-https-6.09_fix/Makefile.PL 2020-10-15 15:56:08.235630479 +0200 +@@ -22,7 +22,6 @@ + "IO::Socket::SSL" => "1.54", + "LWP::Protocol::http" => 0, + "LWP::UserAgent" => "6.06", +- "Mozilla::CA" => 20180117, + "Net::HTTPS" => 6, + "base" => 0, + "strict" => 0 diff --git a/LWP-Protocol-https-6.10.tar.gz b/LWP-Protocol-https-6.10.tar.gz new file mode 100644 index 0000000..25a8f77 --- /dev/null +++ b/LWP-Protocol-https-6.10.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cecfc31fe2d4fc854cac47fce13d3a502e8fdfe60c5bc1c09535743185f2a86c +size 33691 diff --git a/cpanspec.yml b/cpanspec.yml new file mode 100644 index 0000000..318e8b3 --- /dev/null +++ b/cpanspec.yml @@ -0,0 +1,23 @@ +--- +#description_paragraphs: 3 +#no_testing: broken upstream +#sources: +# - source1 +# - source2 +patches: + # patch for using system certificates + "%{cpan_name}-6.09-systemca.diff": -p1 + # see https://github.com/libwww-perl/lwp-protocol-https/pull/14 + CVE-2014-3230.patch: -p1 +#preamble: |- +# BuildRequires: gcc-c++ +#post_prep: |- +# hunspell=`pkg-config --libs hunspell | sed -e 's,-l,,; s, *,,g'` +# sed -i -e "s,hunspell-X,$hunspell," t/00-prereq.t Makefile.PL +#post_install: |- +# sed on %{name}.files +#license: SUSE-NonFree +#skip_noarch: 1 +#custom_build: - +#./Build build flags=%{?_smp_mflags} --myflag +ignore_requires: Mozilla::CA diff --git a/perl-LWP-Protocol-https.changes b/perl-LWP-Protocol-https.changes new file mode 100644 index 0000000..eb18399 --- /dev/null +++ b/perl-LWP-Protocol-https.changes @@ -0,0 +1,123 @@ +------------------------------------------------------------------- +Fri Dec 18 03:07:41 UTC 2020 - Tina Müller + +- updated to 6.10 + see /usr/share/doc/packages/perl-LWP-Protocol-https/Changes + + 6.10 2020-12-17 15:42:06Z + - Fix #39 - prevent user env from breaking the test (GH#63) (Gianni + Ceccarelli) + - Include Net::SSLeay in reported prereqs (GH#60) (Olaf Alders) + - Use GitHub as a bug tracker (GH#59) (Olaf Alders) + +------------------------------------------------------------------- +Thu Oct 15 13:58:08 UTC 2020 - Dirk Stoecker + +- updated to 6.09 + see /usr/share/doc/packages/perl-LWP-Protocol-https/Changes + + 6.09 2020-07-16 13:33:05Z + - Make available the version of SSL/TLS protocol used in the connection + (GH#56) (Jon Jensen) + + 6.08 2020-03-23 20:19:22Z (TRIAL RELEASE) + - Add defined check (GH#53) (Mohammad S Anwar) + - Fix copyright year (GH#55) (Olaf Alders) + - Upgrade Mozilla::CA dependency; originally #26 by dolmen (GH#54) (Shoichi Kaji) + - Adds coverage tests (GH#51) (Juan Julin Merelo Guervs) + - Migrated to DZil (GH PR#30) + - Moved bug tracking from RT to GitHub (GH#48) (Olaf Alders) + +Rebase patch LWP-Protocol-https-6.04-systemca.diff to LWP-Protocol-https-6.09-systemca.diff + +------------------------------------------------------------------- +Thu Sep 13 15:42:12 UTC 2018 - pmonrealgonzalez@suse.com + +- 6.07 2017-02-19 + - Cleaned up the Changes log + - Explicitly add hostname for SNI to start_SSL (GH PR#17) + - Fix the license name + - Update some documentation on SSL args + - Fix bug when checking for Mozilla::CA (GH PR#29) + +- Refreshed patch LWP-Protocol-https-6.04-systemca.diff + +- Cleaned spec file with spec-cleaner + +------------------------------------------------------------------- +Thu Apr 23 06:00:03 UTC 2015 - coolo@suse.com + +- updated to 6.06 + see /usr/share/doc/packages/perl-LWP-Protocol-https/Changes + + 2014-04-18 LWP-Protocol-https 6.06 + + Mike Schilli (3): + Merge pull request #12 from drieux/subjectAltName + Merge pull request #9 from chorny/master + Updated libwww requirement to 6.06 to fix failing t/proxy.t test cases. + + Gisle Aas (2): + Getopt::Long isn't actually used + Merge pull request #7 from noxxi/master + + Alexandr Ciornii (1): + better diagnostics in case of failures in apache.t + + Karen Etheridge (1): + Merge pull request #8 from cpansprout/patch-1 + + Steffen Ullrich (1): + correct behavior for https_proxy, this goes together with change to + libwww-perl cb80c2ddb7, new method _upgrade_sock in LWP::Protocol::https + + cpansprout (1): + Typo fix: envirionment =~ s/io/o/ + + drieux (1): + support for subjectAltName + + + _______________________________________________________________________________ + +------------------------------------------------------------------- +Thu May 15 09:39:07 UTC 2014 - vcizek@suse.com + +- fix for CVE-2014-3230 (bnc#876862) + * perl-LWP-Protocol-https: Environment variables HTTPS_CA_DIR or + HTTPS_CA_FILE disable hostname verification + * added CVE-2014-3230.patch + +------------------------------------------------------------------- +Wed Apr 30 17:23:34 UTC 2014 - lchiquitto@suse.com + +- Remove old tarball (6.03). + +------------------------------------------------------------------- +Wed Jul 3 09:32:03 UTC 2013 - lnussel@suse.de + +- Version 6.04 + * Fix IO::Socket::SSL warnings when not verifying hostname. + * Doc spelling fix. +- Remove usage of Mozilla::CA entirely. IO::Socket::SSL will do the + right thing instead. + +------------------------------------------------------------------- +Tue Feb 21 11:26:38 UTC 2012 - coolo@suse.com + +- updated to 6.03 + * Skip test if offline [RT#74163] + * Typo fixes + * Restore perl-5.8.1 compatibility. + +------------------------------------------------------------------- +Tue Mar 29 12:06:43 UTC 2011 - vcizek@novell.com + +- initial package 6.02 + * created by cpanspec 1.78.03 + + This module used to be bundled with the libwww-perl, but it was unbundled in + v6.02 in order to be able to declare its dependencies properly for the CPAN + tool-chain. Applications that need https support can just declare their + dependency on LWP::Protocol::https and will no longer need to know what + underlying modules to install. diff --git a/perl-LWP-Protocol-https.spec b/perl-LWP-Protocol-https.spec new file mode 100644 index 0000000..733d5cb --- /dev/null +++ b/perl-LWP-Protocol-https.spec @@ -0,0 +1,90 @@ +# +# spec file for package perl-LWP-Protocol-https +# +# Copyright (c) 2020 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: perl-LWP-Protocol-https +Version: 6.10 +Release: 0 +%define cpan_name LWP-Protocol-https +Summary: Provide https support for LWP::UserAgent +License: Artistic-1.0 OR GPL-1.0-or-later +Group: Development/Libraries/Perl +URL: https://metacpan.org/release/%{cpan_name} +Source0: https://cpan.metacpan.org/authors/id/O/OA/OALDERS/%{cpan_name}-%{version}.tar.gz +Source1: cpanspec.yml +Patch0: %{cpan_name}-6.09-systemca.diff +Patch1: CVE-2014-3230.patch +BuildArch: noarch +BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildRequires: perl +BuildRequires: perl-macros +BuildRequires: perl(IO::Socket::SSL) >= 1.54 +BuildRequires: perl(IO::Socket::SSL::Utils) +BuildRequires: perl(LWP::Protocol::http) +BuildRequires: perl(LWP::UserAgent) >= 6.06 +#BuildRequires: perl(Mozilla::CA) >= 20180117 +BuildRequires: perl(Net::HTTPS) >= 6 +BuildRequires: perl(Test::More) >= 0.96 +BuildRequires: perl(Test::RequiresInternet) +Requires: perl(IO::Socket::SSL) >= 1.54 +Requires: perl(LWP::Protocol::http) +Requires: perl(LWP::UserAgent) >= 6.06 +#Requires: perl(Mozilla::CA) >= 20180117 +Requires: perl(Net::HTTPS) >= 6 +%{perl_requires} + +%description +The LWP::Protocol::https module provides support for using https schemed +URLs with LWP. This module is a plug-in to the LWP protocol handling, so +you don't use it directly. Once the module is installed LWP is able to +access sites using HTTP over SSL/TLS. + +If hostname verification is requested by LWP::UserAgent's 'ssl_opts', and +neither 'SSL_ca_file' nor 'SSL_ca_path' is set, then 'SSL_ca_file' is +implied to be the one provided by Mozilla::CA. If the Mozilla::CA module +isn't available SSL requests will fail. Either install this module, set up +an alternative 'SSL_ca_file' or disable hostname verification. + +This module used to be bundled with the libwww-perl, but it was unbundled +in v6.02 in order to be able to declare its dependencies properly for the +CPAN tool-chain. Applications that need https support can just declare +their dependency on LWP::Protocol::https and will no longer need to know +what underlying modules to install. + +%prep +%setup -q -n %{cpan_name}-%{version} +%patch0 -p1 +%patch1 -p1 + +%build +perl Makefile.PL INSTALLDIRS=vendor +make %{?_smp_mflags} + +%check +make test + +%install +%perl_make_install +%perl_process_packlist +%perl_gen_filelist + +%files -f %{name}.files +%defattr(-,root,root,755) +%doc Changes CONTRIBUTING.md +%license LICENSE + +%changelog