CVE-2023-31486 (https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/): HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. Anything we should do here? Seems there's some discussion upstream (according to the blogpost), but there are backwards compatibility concerns with changing the defaults?
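As an added example (not code from the bug report, the Alpine patch or HTTP::Tiny itself), a small check that reports what the installed HTTP::Tiny does by default and shows the explicit opt-in that unpatched 0.082 requires; the URL argument is an assumption for the demonstration:

```perl
#!/usr/bin/env perl
# Added example: inspect the HTTP::Tiny default and make verification explicit.
use strict;
use warnings;
use HTTP::Tiny;

# HTTP::Tiny provides an accessor for each constructor attribute, so a bare
# object reports the default that any script gets when it passes no options.
# On an unpatched 0.082 this prints "OFF"; with the distro patch it prints "on".
my $default = HTTP::Tiny->new;
printf "HTTP::Tiny %s, verify_SSL default: %s\n",
    HTTP::Tiny->VERSION, $default->verify_SSL ? "on" : "OFF (insecure)";

# Explicit opt-in: the call every HTTPS-using script needed before the default
# changed. SSL_options can pin a CA bundle if the system one is not found.
my $strict = HTTP::Tiny->new(
    verify_SSL  => 1,
    # SSL_options => { SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt' },
);

# On an object with verify_SSL on, can_ssl also checks that a CA bundle can be
# located, so a missing bundle is reported here instead of at request time.
my ($ok, $why) = $strict->can_ssl;
print "TLS support: ", ($ok ? "available" : "missing ($why)"), "\n";

# Assumed URL for the demonstration; any HTTPS endpoint will do.
my $url = $ARGV[0] // 'https://example.org/';
my $res = $strict->get($url);
printf "%s -> %s %s\n", $url, $res->{status}, $res->{reason};

# HTTP::Tiny reports internal failures, including a rejected certificate, as
# status 599 with the IO::Socket::SSL error text in the body.
print "Request failed:\n$res->{content}\n" unless $res->{success};
```

Running this against a host with a self-signed or mismatched certificate is the quickest way to confirm that the verify-by-default patch is actually in effect on a given system.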
Alpine is doing https://git.alpinelinux.org/aports/tree/main/perl/default-https-perl-http-tiny.patch?id=fc21c0f7930ae3a9e2f50bacc305fb167a456ded.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587d4dee588525f616e38657ec601cc9447c942e

commit 587d4dee588525f616e38657ec601cc9447c942e
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-05-01 21:54:19 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-05-01 21:56:16 +0000

    dev-lang/perl: Enable verify_SSL by default in HTTP::Tiny

    Trivial patch from alpine

    Bug: https://bugs.gentoo.org/905296
    See-also: https://github.com/chansen/p5-http-tiny/pull/151
    See-also: https://github.com/chansen/p5-http-tiny/issues/152
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-lang/perl/files/perl-5.36.1-http-tiny.patch |  25 +
 dev-lang/perl/perl-5.36.1-r1.ebuild             | 826 ++++++++++++++++++++++++
 2 files changed, 851 insertions(+)
I'm pleased to see this being decisively dealt with here, without the years of aimless drifting and tiresome yap that appears to characterise the upstream development process. SawyerX knew what was up ("getting better, not getting by"). Thanks.
Hi!

The fix for CVE-2023-31486 from Alpine did not fix the vulnerability; they have updated with a new patch:

Issue aports#14951 on Alpine's gitlab

Commit 0371bb10383aa1268e1d1ee5461f29a831cba29c in aports

(Unable to post URLs since I just created an account).
(In reply to Stig from comment #4)
> Hi!
>
> The fix for CVE-2023-31486 from Alpine did not fix the vulnerability, they
> have updated with a new patch:
>
> Issue aports#14951 on Alpine's gitlab
>
> Commit 0371bb10383aa1268e1d1ee5461f29a831cba29c in aports
>
> (Unable to post URLs since I just created an account).

Thanks, I'll take a look later today!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ea685044d49945fffc7b62f82a6d3fb9d7ba37a

commit 3ea685044d49945fffc7b62f82a6d3fb9d7ba37a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-25 08:16:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-25 21:52:07 +0000

    dev-lang/perl: update HTTP::Tiny SSL-verify-by-default patch

    Thanks to Stig for pointing this out!

    Pull in the fixed version from nixpkgs, like Alpine has done.

    Bug: https://bugs.gentoo.org/905296
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-lang/perl/files/perl-5.36.1-http-tiny.patch    | 71 +++++++++++++++++++---
 ...perl-5.36.1-r1.ebuild => perl-5.36.1-r2.ebuild} |  0
 2 files changed, 63 insertions(+), 8 deletions(-)