From bd51d54ad18f2d2885db01ad121a93f499daadcbfe90c4b3dff2d40089633d9e Mon Sep 17 00:00:00 2001 From: Dirk Stoecker Date: Mon, 14 Aug 2023 15:50:24 +0000 Subject: [PATCH] Accepting request 1103525 from devel:languages:perl:autoupdate - new version format, see https://github.com/openSUSE/cpanspec/issues/47 - Remove CVE-2014-3230.patch, upstream was fixed. CVE-2014-3230, Debian #746576 - Update LWP-Protocol-https-6.09-systemca.diff - updated to 6.11 see /usr/share/doc/packages/perl-LWP-Protocol-https/Changes 6.11 2023-07-09 15:10:30Z - Remove Authority section from dist.ini (GH#64) (Olaf Alders) - Add very basic diagnostic information via test (GH#73) (Olaf Alders) - CVE-2014-3230 - don't disable verification if only hostnames should not (GH#14) (Steffen Ullrich) - Make explicit requirement of Mozilla::CA obsolete (GH#72) (Steffen Ullrich and Olaf Alders) - Remove _in_san and _cn_match. Empty out the _check_sock hook (GH#71) (Chase Whitener) - Use warnings (GH#69) (Pete Houston) OBS-URL: https://build.opensuse.org/request/show/1103525 OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-LWP-Protocol-https?expand=0&rev=21 --- CVE-2014-3230.patch | 40 --------------------------- LWP-Protocol-https-6.09-systemca.diff | 30 +++++++------------- LWP-Protocol-https-6.10.tar.gz | 3 -- LWP-Protocol-https-6.11.tar.gz | 3 ++ cpanspec.yml | 1 - perl-LWP-Protocol-https.changes | 27 ++++++++++++++++++ perl-LWP-Protocol-https.spec | 33 ++++++++++------------ 7 files changed, 55 insertions(+), 82 deletions(-) delete mode 100644 CVE-2014-3230.patch delete mode 100644 LWP-Protocol-https-6.10.tar.gz create mode 100644 LWP-Protocol-https-6.11.tar.gz diff --git a/CVE-2014-3230.patch b/CVE-2014-3230.patch deleted file mode 100644 index 3de0ab5..0000000 --- a/CVE-2014-3230.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 1b924708663f457a4f7c25ed35d7dfb3bb5b334d Mon Sep 17 00:00:00 2001 -From: Steffen Ullrich -Date: Sat, 3 May 2014 23:04:36 +0200 -Subject: [PATCH 1/3] Debian #746576 - don't disale verification if only - hostnames should not be verified - ---- - lib/LWP/Protocol/https.pm | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm -=================================================================== ---- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm -+++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm -@@ -21,7 +21,11 @@ sub _extra_sock_opts - $ssl_opts{SSL_verifycn_scheme} = 'www'; - } - else { -- $ssl_opts{SSL_verify_mode} = 0; -+ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) { -+ $ssl_opts{SSL_verifycn_scheme} = ''; -+ } else { -+ $ssl_opts{SSL_verifycn_scheme} = 'none'; -+ } - } - my $suse_allows_mozilla_ca = 0; - if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) { -Index: LWP-Protocol-https-6.06/t/https_proxy.t -=================================================================== ---- LWP-Protocol-https-6.06.orig/t/https_proxy.t -+++ LWP-Protocol-https-6.06/t/https_proxy.t -@@ -66,7 +66,7 @@ my %ua; - $ua{noproxy} = LWP::UserAgent->new( - keep_alive => 10, # size of connection cache - # server does not know the expected name and returns generic certificate -- ssl_opts => { verify_hostname => 0 } -+ ssl_opts => { verify_hostname => 0, SSL_ca_file => $cafile, } - ); - - $ua{proxy} = LWP::UserAgent->new( diff --git a/LWP-Protocol-https-6.09-systemca.diff b/LWP-Protocol-https-6.09-systemca.diff index 0a1a4f1..686de03 100644 --- a/LWP-Protocol-https-6.09-systemca.diff +++ b/LWP-Protocol-https-6.09-systemca.diff 
@@ -1,24 +1,14 @@ -diff -ur LWP-Protocol-https-6.09/lib/LWP/Protocol/https.pm LWP-Protocol-https-6.09_fix/lib/LWP/Protocol/https.pm ---- LWP-Protocol-https-6.09/lib/LWP/Protocol/https.pm 2020-07-16 15:33:07.000000000 +0200 -+++ LWP-Protocol-https-6.09_fix/lib/LWP/Protocol/https.pm 2020-10-15 15:56:49.380284037 +0200 -@@ -22,7 +22,8 @@ - else { - $ssl_opts{SSL_verify_mode} = 0; +diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm +index 16fce19..b1a18df 100644 +--- a/lib/LWP/Protocol/https.pm ++++ b/lib/LWP/Protocol/https.pm +@@ -28,7 +28,8 @@ sub _extra_sock_opts + $ssl_opts{SSL_verifycn_scheme} = 'none'; + } } - if ($ssl_opts{SSL_verify_mode}) { + my $suse_allows_mozilla_ca = 0; + if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) { - unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { - eval { - require Mozilla::CA; -diff -ur LWP-Protocol-https-6.09/Makefile.PL LWP-Protocol-https-6.09_fix/Makefile.PL ---- LWP-Protocol-https-6.09/Makefile.PL 2020-07-16 15:33:07.000000000 +0200 -+++ LWP-Protocol-https-6.09_fix/Makefile.PL 2020-10-15 15:56:08.235630479 +0200 -@@ -22,7 +22,6 @@ - "IO::Socket::SSL" => "1.54", - "LWP::Protocol::http" => 0, - "LWP::UserAgent" => "6.06", -- "Mozilla::CA" => 20180117, - "Net::HTTPS" => 6, - "base" => 0, - "strict" => 0 + unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { + if ($Net::HTTPS::SSL_SOCKET_CLASS eq 'IO::Socket::SSL' + && defined &IO::Socket::SSL::default_ca diff --git a/LWP-Protocol-https-6.10.tar.gz b/LWP-Protocol-https-6.10.tar.gz deleted file mode 100644 index 5799d48..0000000 --- a/LWP-Protocol-https-6.10.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:cecfc31fe2d4fc854cac47fce13d3a502e8fdfe60c5bc1c09535743185f2a86c -size 33691 diff --git a/LWP-Protocol-https-6.11.tar.gz b/LWP-Protocol-https-6.11.tar.gz new file mode 100644 index 0000000..d88caaa --- /dev/null +++ b/LWP-Protocol-https-6.11.tar.gz 
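Review bot: The rebased systemca patch still gates the whole CA-selection block on `my $suse_allows_mozilla_ca = 0;`, so everything under `if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode})` is unreachable, including the `IO::Socket::SSL::default_ca` probe visible in the trailing context. Nothing in the patch explains this. The block continues past the end of the hunk, so it is not visible here whether upstream 6.11 also keeps an error branch in there for the case where no CA store is found. If it does, that diagnostic is skipped as well, so it is worth confirming that a host without a system trust store still fails the handshake when `SSL_verify_mode` is set. I would add a comment above the flag, for example `# SUSE: never fall back to Mozilla::CA; CA selection is left to IO::Socket::SSL and the system trust store`, and note that the file name still says 6.09 although the patch is now cut against 6.11.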
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0132ddbf03661565ca85050f2a5094fb9263cbbc3ccb1a4d9c41ac9bb083b917 +size 32599 diff --git a/cpanspec.yml b/cpanspec.yml index 5bcd97f..85456e0 100644 --- a/cpanspec.yml +++ b/cpanspec.yml @@ -8,7 +8,6 @@ patches: # patch for using system certificates "%{cpan_name}-6.09-systemca.diff": -p1 # see https://github.com/libwww-perl/lwp-protocol-https/pull/14 - CVE-2014-3230.patch: -p1 #preamble: |- # BuildRequires: gcc-c++ #post_prep: |- diff --git a/perl-LWP-Protocol-https.changes b/perl-LWP-Protocol-https.changes index 2f7f262..ec2f0dd 100644 --- a/perl-LWP-Protocol-https.changes +++ b/perl-LWP-Protocol-https.changes @@ -1,3 +1,30 @@ +------------------------------------------------------------------- +Fri Aug 11 16:36:32 UTC 2023 - Tina Müller + +- Remove CVE-2014-3230.patch, upstream was fixed. CVE-2014-3230, Debian #746576 + +------------------------------------------------------------------- +Fri Aug 11 16:30:24 UTC 2023 - Tina Müller + +- Update LWP-Protocol-https-6.09-systemca.diff + +------------------------------------------------------------------- +Mon Jul 10 03:06:48 UTC 2023 - Tina Müller + +- updated to 6.11 + see /usr/share/doc/packages/perl-LWP-Protocol-https/Changes + + 6.11 2023-07-09 15:10:30Z + - Remove Authority section from dist.ini (GH#64) (Olaf Alders) + - Add very basic diagnostic information via test (GH#73) (Olaf Alders) + - CVE-2014-3230 - don't disable verification if only hostnames should not + (GH#14) (Steffen Ullrich) + - Make explicit requirement of Mozilla::CA obsolete (GH#72) (Steffen + Ullrich and Olaf Alders) + - Remove _in_san and _cn_match. Empty out the _check_sock hook (GH#71) + (Chase Whitener) + - Use warnings (GH#69) (Pete Houston) + ------------------------------------------------------------------- Fri Dec 18 03:07:41 UTC 2020 - Tina Müller diff --git a/perl-LWP-Protocol-https.spec b/perl-LWP-Protocol-https.spec index 9941981..ceca3c8 100644 
--- a/perl-LWP-Protocol-https.spec +++ b/perl-LWP-Protocol-https.spec @@ -1,7 +1,7 @@ # # spec file for package perl-LWP-Protocol-https # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,35 +16,35 @@ # -Name: perl-LWP-Protocol-https -Version: 6.10 -Release: 0 %define cpan_name LWP-Protocol-https -Summary: Provide https support for LWP::UserAgent +Name: perl-LWP-Protocol-https +Version: 6.110.0 +Release: 0 +%define cpan_version 6.11 License: Artistic-1.0 OR GPL-1.0-or-later -Group: Development/Libraries/Perl +Summary: Provide https support for LWP::UserAgent URL: https://metacpan.org/release/%{cpan_name} -Source0: https://cpan.metacpan.org/authors/id/O/OA/OALDERS/%{cpan_name}-%{version}.tar.gz +Source0: https://cpan.metacpan.org/authors/id/O/OA/OALDERS/%{cpan_name}-%{cpan_version}.tar.gz Source1: cpanspec.yml Patch0: %{cpan_name}-6.09-systemca.diff -Patch1: CVE-2014-3230.patch BuildArch: noarch -BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: perl BuildRequires: perl-macros -BuildRequires: perl(IO::Socket::SSL) >= 1.54 +BuildRequires: perl(IO::Socket::SSL) >= 1.970 BuildRequires: perl(IO::Socket::SSL::Utils) BuildRequires: perl(LWP::Protocol::http) BuildRequires: perl(LWP::UserAgent) >= 6.06 -#BuildRequires: perl(Mozilla::CA) >= 20180117 BuildRequires: perl(Net::HTTPS) >= 6 BuildRequires: perl(Test::More) >= 0.96 +BuildRequires: perl(Test::Needs) >= 0.002010 BuildRequires: perl(Test::RequiresInternet) -Requires: perl(IO::Socket::SSL) >= 1.54 +Requires: perl(IO::Socket::SSL) >= 1.970 Requires: perl(LWP::Protocol::http) Requires: perl(LWP::UserAgent) >= 6.06 -#Requires: perl(Mozilla::CA) >= 20180117 Requires: perl(Net::HTTPS) >= 6 +Provides: perl(LWP::Protocol::https) = 6.110.0 +Provides: perl(LWP::Protocol::https::Socket) = 6.110.0 +%define __perllib_provides /bin/true %{perl_requires} %description 
@@ -66,13 +66,11 @@ their dependency on LWP::Protocol::https and will no longer need to know what underlying modules to install. %prep -%setup -q -n %{cpan_name}-%{version} -%patch0 -p1 -%patch1 -p1 +%autosetup -n %{cpan_name}-%{cpan_version} -p1 %build perl Makefile.PL INSTALLDIRS=vendor -make %{?_smp_mflags} +%make_build %check make test @@ -83,7 +81,6 @@ make test %perl_gen_filelist %files -f %{name}.files -%defattr(-,root,root,755) %doc Changes CONTRIBUTING.md %license LICENSE