pool/perl-LWP-Protocol-https
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 234145 from home:vitezslav_cizek:branches:devel:languages:perl

Browse Source 
- fix for CVE-2014-3230 (bnc#876862)
  * perl-LWP-Protocol-https: Environment variables HTTPS_CA_DIR or
    HTTPS_CA_FILE disable hostname verification
  * added CVE-2014-3230.patch

OBS-URL: https://build.opensuse.org/request/show/234145
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-LWP-Protocol-https?expand=0&rev=10
This commit is contained in:
Stephan Barth 2014-05-15 10:43:41 +00:00 committed by Git OBS Bridge
parent cc6100c017
commit 800fff5522
3 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
CVE-2014-3230.patch Normal file
View File

@ -0,0 +1,27 @@
From 1b924708663f457a4f7c25ed35d7dfb3bb5b334d Mon Sep 17 00:00:00 2001
From: Steffen Ullrich <Steffen_Ullrich@genua.de>
Date: Sat, 3 May 2014 23:04:36 +0200
Subject: [PATCH 1/3] Debian #746576 - don't disale verification if only
hostnames should not be verified
---
lib/LWP/Protocol/https.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
===================================================================
--- LWP-Protocol-https-6.04.orig/lib/LWP/Protocol/https.pm 2014-05-15 11:46:54.319643759 +0200
+++ LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm 2014-05-15 11:46:55.856660773 +0200
@@ -20,7 +20,11 @@ sub _extra_sock_opts
$ssl_opts{SSL_verifycn_scheme} = 'www';
}
else {
- $ssl_opts{SSL_verify_mode} = 0;
+ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
+ $ssl_opts{SSL_verifycn_scheme} = '';
+ } else {
+ $ssl_opts{SSL_verifycn_scheme} = 'none';
+ }
}
$self->{ssl_opts} = \%ssl_opts;
return (%ssl_opts, $self->SUPER::_extra_sock_opts);

8
perl-LWP-Protocol-https.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu May 15 09:39:07 UTC 2014 - vcizek@suse.com
- fix for CVE-2014-3230 (bnc#876862)
* perl-LWP-Protocol-https: Environment variables HTTPS_CA_DIR or
HTTPS_CA_FILE disable hostname verification
* added CVE-2014-3230.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 30 17:23:34 UTC 2014 - lchiquitto@suse.com Wed Apr 30 17:23:34 UTC 2014 - lchiquitto@suse.com

4
perl-LWP-Protocol-https.spec
View File

@ -25,8 +25,9 @@ License: Artistic-1.0 or GPL-1.0+
Group: Development/Libraries/Perl Group: Development/Libraries/Perl
Url: http://search.cpan.org/dist/LWP-Protocol-https/ Url: http://search.cpan.org/dist/LWP-Protocol-https/
Source: http://www.cpan.org/authors/id/G/GA/GAAS/%{cpan_name}-%{version}.tar.gz Source: http://www.cpan.org/authors/id/G/GA/GAAS/%{cpan_name}-%{version}.tar.gz
# patch for using system certificates # patch for using system certificates
Patch0: %{cpan_name}-6.04-systemca.diff Patch0: %{cpan_name}-6.04-systemca.diff
Patch1: CVE-2014-3230.patch
BuildArch: noarch BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: perl BuildRequires: perl
@ -63,6 +64,7 @@ what underlying modules to install.
%prep %prep
%setup -q -n %{cpan_name}-%{version} %setup -q -n %{cpan_name}-%{version}
%patch0 -p1 %patch0 -p1
%patch1 -p1
%build %build
%{__perl} Makefile.PL INSTALLDIRS=vendor %{__perl} Makefile.PL INSTALLDIRS=vendor