Summary: | dev-lang/perl-5.36.1-r2: HTTP::Tiny certificate verification off by default
---|---
Product: | Gentoo Security
Reporter: | John Helmert III <ajak>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
CC: | perl
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | https://www.openwall.com/lists/oss-security/2023/04/18/14
See Also: | https://gitlab.alpinelinux.org/alpine/aports/-/issues/14951, https://github.com/chansen/p5-http-tiny/pull/153
Whiteboard: | B4 [glsa+]
Package list: |
Runtime testing required: | ---
Bug Depends on: | 908983
Bug Blocks: |
Description
John Helmert III
2023-04-29 16:47:55 UTC
Alpine is doing https://git.alpinelinux.org/aports/tree/main/perl/default-https-perl-http-tiny.patch?id=fc21c0f7930ae3a9e2f50bacc305fb167a456ded.

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587d4dee588525f616e38657ec601cc9447c942e

commit 587d4dee588525f616e38657ec601cc9447c942e
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-05-01 21:54:19 +0000
Commit: Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-05-01 21:56:16 +0000

    dev-lang/perl: Enable verify_SSL by default in HTTP::Tiny

    Trivial patch from alpine

    Bug: https://bugs.gentoo.org/905296
    See-also: https://github.com/chansen/p5-http-tiny/pull/151
    See-also: https://github.com/chansen/p5-http-tiny/issues/152
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-lang/perl/files/perl-5.36.1-http-tiny.patch |  25 +
 dev-lang/perl/perl-5.36.1-r1.ebuild             | 826 ++++++++++++++++++++++++
 2 files changed, 851 insertions(+)

---

I'm pleased to see this being decisively dealt with here, without the years of aimless drifting and tiresome yap that appears to characterise the upstream development process. SawyerX knew what was up ("getting better, not getting by"). Thanks.

---

Stig:

Hi!

The fix for CVE-2023-31486 from Alpine did not fix the vulnerability, they have updated with a new patch:

Issue aports#14951 on Alpine's gitlab

Commit 0371bb10383aa1268e1d1ee5461f29a831cba29c in aports

(Unable to post URLs since I just created an account).

---

(In reply to Stig from comment #4)
> Hi!
>
> The fix for CVE-2023-31486 from Alpine did not fix the vulnerability, they
> have updated with a new patch:
>
> Issue aports#14951 on Alpine's gitlab
>
> Commit 0371bb10383aa1268e1d1ee5461f29a831cba29c in aports
>
> (Unable to post URLs since I just created an account).

Thanks, I'll take a look later today!
---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ea685044d49945fffc7b62f82a6d3fb9d7ba37a

commit 3ea685044d49945fffc7b62f82a6d3fb9d7ba37a
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-05-25 08:16:44 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-25 21:52:07 +0000

    dev-lang/perl: update HTTP::Tiny SSL-verify-by-default patch

    Thanks to Stig for pointing this out!

    Pull in the fixed version from nixpkgs, like Alpine has done.

    Bug: https://bugs.gentoo.org/905296
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-lang/perl/files/perl-5.36.1-http-tiny.patch    | 71 +++++++++++++++++++---
 ...perl-5.36.1-r1.ebuild => perl-5.36.1-r2.ebuild} |  0
 2 files changed, 63 insertions(+), 8 deletions(-)

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=06b1665a387d4d7cb73b9b91b99b6ed644d013ed

commit 06b1665a387d4d7cb73b9b91b99b6ed644d013ed
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-11-17 09:51:20 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-11-17 09:51:58 +0000

    [ GLSA 202411-09 ] Perl: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/807307
    Bug: https://bugs.gentoo.org/905296
    Bug: https://bugs.gentoo.org/918612
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202411-09.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
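The property this bug tracks is whether `HTTP::Tiny->new` verifies TLS peer certificates without being told to. The audit script below is an added example, not code from this bug or from any of the referenced patches; it reports the effective default of whichever HTTP::Tiny is installed and builds a client that verifies regardless of that default, using only the module's public `new`, `verify_SSL` and `can_ssl` methods.

```perl
#!/usr/bin/perl
# Added example (not from this bug or the referenced patches): report whether
# the installed HTTP::Tiny verifies TLS peer certificates by default, and build
# a client that verifies regardless of what the distribution's default is.
use strict;
use warnings;
use HTTP::Tiny;

# Returns 1 if a client built with no arguments has verify_SSL enabled, i.e.
# the installed HTTP::Tiny (distribution-patched or newer upstream) verifies
# certificates by default; returns 0 for the historical insecure default.
sub default_verifies_ssl {
    my $client = HTTP::Tiny->new;
    return $client->verify_SSL ? 1 : 0;
}

# Request peer verification explicitly so application code does not depend on
# the system default. With verify_SSL set, HTTP::Tiny needs IO::Socket::SSL and
# a usable CA bundle; can_ssl() reports whether those prerequisites are present,
# and failing early here is better than a silent 599 at request time.
sub hardened_client {
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    die "HTTPS with certificate verification is unavailable: $why\n" unless $ok;
    return HTTP::Tiny->new(verify_SSL => 1);
}

printf "HTTP::Tiny %s verifies certificates by default: %s\n",
    HTTP::Tiny->VERSION, default_verifies_ssl() ? "yes" : "NO";

my $http = hardened_client();
printf "explicit client: verify_SSL=%d\n", $http->verify_SSL;
```

A "NO" on the first line means the installed HTTP::Tiny still carries the unpatched default, and any caller that does not pass `verify_SSL => 1` is talking HTTPS without checking who it is talking to.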