update

OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-LWP-Protocol-https?expand=0&rev=12

CVE-2014-3230.patch

@@ -8,11 +8,11 @@ Subject: [PATCH 1/3] Debian #746576 - don't disale verification if only
  lib/LWP/Protocol/https.pm | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-Index: LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
+Index: LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
 ===================================================================
---- LWP-Protocol-https-6.04.orig/lib/LWP/Protocol/https.pm	2014-05-15 11:46:54.319643759 +0200
+--- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm
-+++ LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm	2014-05-15 11:46:55.856660773 +0200
++++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
-@@ -20,7 +20,11 @@ sub _extra_sock_opts
+@@ -21,7 +21,11 @@ sub _extra_sock_opts
  	$ssl_opts{SSL_verifycn_scheme} = 'www';
      }
      else {
@@ -23,5 +23,18 @@ Index: LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
 +	    $ssl_opts{SSL_verifycn_scheme} = 'none';
 +	}
      }
-     $self->{ssl_opts} = \%ssl_opts;
+     my $suse_allows_mozilla_ca = 0;
-     return (%ssl_opts, $self->SUPER::_extra_sock_opts);
+     if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) {
+Index: LWP-Protocol-https-6.06/t/https_proxy.t
+===================================================================
+--- LWP-Protocol-https-6.06.orig/t/https_proxy.t
++++ LWP-Protocol-https-6.06/t/https_proxy.t
+@@ -66,7 +66,7 @@ my %ua;
+ $ua{noproxy} = LWP::UserAgent->new(
+     keep_alive => 10, # size of connection cache
+     # server does not know the expected name and returns generic certificate
+-    ssl_opts => { verify_hostname => 0 }
++    ssl_opts => { verify_hostname => 0, SSL_ca_file => $cafile, }
+ );
+ 
+ $ua{proxy} = LWP::UserAgent->new(

LWP-Protocol-https-6.04-systemca.diff

@@ -11,37 +11,37 @@ CA-certificates if no options are passed.
  lib/LWP/Protocol/https.pm | 23 -----------------------
  3 files changed, 1 insertion(+), 32 deletions(-)
 
-diff --git a/Makefile.PL b/Makefile.PL
+Index: LWP-Protocol-https-6.06/Makefile.PL
-index 805eac8..3c66fb7 100644
+===================================================================
---- a/Makefile.PL
+--- LWP-Protocol-https-6.06.orig/Makefile.PL
-+++ b/Makefile.PL
++++ LWP-Protocol-https-6.06/Makefile.PL
 @@ -15,7 +15,6 @@ WriteMakefile(
- 	'LWP::UserAgent' => '6.04',
+ 	'LWP::UserAgent' => '6.06',
  	'Net::HTTPS' => 6,
  	'IO::Socket::SSL' => "1.54",
 -	'Mozilla::CA' => "20110101",
      },
      META_MERGE => {
  	resources => {
-diff --git a/README b/README
+Index: LWP-Protocol-https-6.06/README
-index 8e67078..7c4b5e2 100644
+===================================================================
---- a/README
+--- LWP-Protocol-https-6.06.orig/README
-+++ b/README
++++ LWP-Protocol-https-6.06/README
-@@ -13,13 +13,6 @@ DESCRIPTION
+@@ -17,13 +17,6 @@ DESCRIPTION
      you don't use it directly. Once the module is installed LWP is able to
      access sites using HTTP over SSL/TLS.
  
--    If hostname verification is requested by LWP::UserAgent's `ssl_opts',
+-    If hostname verification is requested by LWP::UserAgent's "ssl_opts",
--    and neither `SSL_ca_file' nor `SSL_ca_path' is set, then `SSL_ca_file'
+-    and neither "SSL_ca_file" nor "SSL_ca_path" is set, then "SSL_ca_file"
 -    is implied to be the one provided by Mozilla::CA. If the Mozilla::CA
 -    module isn't available SSL requests will fail. Either install this
--    module, set up an alternative `SSL_ca_file' or disable hostname
+-    module, set up an alternative "SSL_ca_file" or disable hostname
 -    verification.
 -
      This module used to be bundled with the libwww-perl, but it was
      unbundled in v6.02 in order to be able to declare its dependencies
      properly for the CPAN tool-chain. Applications that need https support
-@@ -27,7 +20,7 @@ DESCRIPTION
+@@ -31,7 +24,7 @@ DESCRIPTION
      longer need to know what underlying modules to install.
  
  SEE ALSO
@@ -50,40 +50,17 @@ index 8e67078..7c4b5e2 100644
  
  COPYRIGHT
      Copyright 1997-2011 Gisle Aas.
-diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+Index: LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
-index f7230e2..e210049 100644
+===================================================================
---- a/lib/LWP/Protocol/https.pm
+--- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm
-+++ b/lib/LWP/Protocol/https.pm
++++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
-@@ -22,29 +22,6 @@ sub _extra_sock_opts
+@@ -23,7 +23,8 @@ sub _extra_sock_opts
      else {
  	$ssl_opts{SSL_verify_mode} = 0;
      }
 -    if ($ssl_opts{SSL_verify_mode}) {
--	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
++    my $suse_allows_mozilla_ca = 0;
--	    eval {
++    if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) {
--		require Mozilla::CA;
+ 	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
--	    };
+ 	    eval {
--	    if ($@) {
+ 		require Mozilla::CA;
--		if ($@ =! /^Can't locate Mozilla\/CA\.pm/) {
--		    $@ = <<'EOT';
--Can't verify SSL peers without knowing which Certificate Authorities to trust
--
--This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
--envirionment variable or by installing the Mozilla::CA module.
--
--To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
--envirionment variable to 0.  If you do this you can't be sure that you
--communicate with the expected peer.
--EOT
--		}
--		die $@;
--	    }
--	    $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file();
--	}
--    }
-     $self->{ssl_opts} = \%ssl_opts;
-     return (%ssl_opts, $self->SUPER::_extra_sock_opts);
- }
--- 
-1.8.1.4
-

LWP-Protocol-https-6.04.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1ef67750ee363525cf729b59afde805ac4dc80eaf8d36ca01082a4d78a7af629
-size 4035

LWP-Protocol-https-6.06.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b86c83cc1dcf4a6f84e2fbe32f9c39591a36e6e418af00533505f3452496adef
+size 8376

cpanspec.yml

@@ -0,0 +1,23 @@
+---
+#description_paragraphs: 3
+#no_testing: broken upstream
+#sources:
+#  - source1
+#  - source2
+patches:
+ # patch for using system certificates
+ "%{cpan_name}-6.04-systemca.diff": -p1
+ # see https://github.com/libwww-perl/lwp-protocol-https/pull/14
+ CVE-2014-3230.patch: -p1
+#preamble: |-
+# BuildRequires:  gcc-c++
+#post_prep: |-
+# hunspell=`pkg-config --libs hunspell | sed -e 's,-l,,; s,  *,,g'`
+# sed -i -e "s,hunspell-X,$hunspell," t/00-prereq.t Makefile.PL 
+#post_install: |-
+# sed on %{name}.files
+#license: SUSE-NonFree
+#skip_noarch: 1
+#custom_build: -
+#./Build build flags=%{?_smp_mflags} --myflag
+ignore_requires: Mozilla::CA

perl-LWP-Protocol-https.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Thu Apr 23 06:00:03 UTC 2015 - coolo@suse.com
+
+- updated to 6.06
+   see /usr/share/doc/packages/perl-LWP-Protocol-https/Changes
+
+  2014-04-18 LWP-Protocol-https 6.06
+  
+  Mike Schilli (3):
+        Merge pull request #12 from drieux/subjectAltName
+        Merge pull request #9 from chorny/master
+        Updated libwww requirement to 6.06 to fix failing t/proxy.t test cases.
+  
+  Gisle Aas (2):
+        Getopt::Long isn't actually used
+        Merge pull request #7 from noxxi/master
+  
+  Alexandr Ciornii (1):
+        better diagnostics in case of failures in apache.t
+  
+  Karen Etheridge (1):
+        Merge pull request #8 from cpansprout/patch-1
+  
+  Steffen Ullrich (1):
+        correct behavior for https_proxy, this goes together with change to 
+        libwww-perl cb80c2ddb7, new method _upgrade_sock in LWP::Protocol::https
+  
+  cpansprout (1):
+        Typo fix: envirionment =~ s/io/o/
+  
+  drieux (1):
+        support for subjectAltName
+  
+  
+  _______________________________________________________________________________
+
 -------------------------------------------------------------------
 Thu May 15 09:39:07 UTC 2014 - vcizek@suse.com
 

perl-LWP-Protocol-https.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package perl-LWP-Protocol-https
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,15 +17,15 @@
 
 
 Name:           perl-LWP-Protocol-https
-Version:        6.04
+Version:        6.06
 Release:        0
 %define cpan_name LWP-Protocol-https
 Summary:        Provide https support for LWP::UserAgent
 License:        Artistic-1.0 or GPL-1.0+
 Group:          Development/Libraries/Perl
 Url:            http://search.cpan.org/dist/LWP-Protocol-https/
-Source:         http://www.cpan.org/authors/id/G/GA/GAAS/%{cpan_name}-%{version}.tar.gz
+Source0:        http://www.cpan.org/authors/id/M/MS/MSCHILLI/%{cpan_name}-%{version}.tar.gz
-# patch for using system certificates
+Source1:        cpanspec.yml
 Patch0:         %{cpan_name}-6.04-systemca.diff
 Patch1:         CVE-2014-3230.patch
 BuildArch:      noarch
@@ -33,14 +33,14 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  perl
 BuildRequires:  perl-macros
 BuildRequires:  perl(IO::Socket::SSL) >= 1.54
-BuildRequires:  perl(LWP::UserAgent) >= 6.04
+BuildRequires:  perl(LWP::UserAgent) >= 6.06
 #BuildRequires:  perl(Mozilla::CA) >= 20110101
 BuildRequires:  perl(Net::HTTPS) >= 6
-#BuildRequires: perl(LWP::Protocol::http)
 Requires:       perl(IO::Socket::SSL) >= 1.54
-Requires:       perl(LWP::UserAgent) >= 6.04
+Requires:       perl(LWP::UserAgent) >= 6.06
 #Requires:       perl(Mozilla::CA) >= 20110101
 Requires:       perl(Net::HTTPS) >= 6
+BuildRequires:  ca-certificates
 %{perl_requires}
 
 %description