Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 905296 (CVE-2023-31486) - <dev-lang/perl-5.36.1-r2: HTTP::Tiny certificate verification off by default
Summary: <dev-lang/perl-5.36.1-r2: HTTP::Tiny certificate verification off by default
Status: RESOLVED FIXED
Alias: CVE-2023-31486
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 908983
Blocks:
  Show dependency tree
 
Reported: 2023-04-29 16:47 UTC by John Helmert III
Modified: 2024-11-17 09:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 16:47:55 UTC
CVE-2023-31486 (https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/):

HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

Anything we should do here? Seems there's some discussion upstream
(according to the blogpost), but there's backwards compatibility
concerns with changing the defaults?
Comment 2 Larry the Git Cow gentoo-dev 2023-05-01 21:56:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587d4dee588525f616e38657ec601cc9447c942e

commit 587d4dee588525f616e38657ec601cc9447c942e
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-05-01 21:54:19 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-05-01 21:56:16 +0000

    dev-lang/perl: Enable verify_SSL by default in HTTP::Tiny
    
    Trivial patch from alpine
    
    Bug: https://bugs.gentoo.org/905296
    See-also: https://github.com/chansen/p5-http-tiny/pull/151
    See-also: https://github.com/chansen/p5-http-tiny/issues/152
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-lang/perl/files/perl-5.36.1-http-tiny.patch |  25 +
 dev-lang/perl/perl-5.36.1-r1.ebuild             | 826 ++++++++++++++++++++++++
 2 files changed, 851 insertions(+)
Comment 3 kfm 2023-05-12 05:55:56 UTC
I'm pleased to see this being decisively dealt with here, without the years of aimless drifting and tiresome yap that appears to characterise the upstream development process. SawyerX knew what was up ("getting better, not getting by"). Thanks.
Comment 4 Stig 2023-05-23 13:31:06 UTC
Hi!

The fix for CVE-2023-31486 from Alpine did not fix the vulnerability, they have updated with a new patch:

Issue aports#14951 on Alpine's gitlab

Commit 0371bb10383aa1268e1d1ee5461f29a831cba29c in aports

(Unable to post URLs since I just created an account).
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-23 13:36:33 UTC
(In reply to Stig from comment #4)
> Hi!
> 
> The fix for CVE-2023-31486 from Alpine did not fix the vulnerability, they
> have updated with a new patch:
> 
> Issue aports#14951 on Alpine's gitlab
> 
> Commit 0371bb10383aa1268e1d1ee5461f29a831cba29c in aports
> 
> (Unable to post URLs since I just created an account).

Thanks, I'll take a look later today!
Comment 6 Larry the Git Cow gentoo-dev 2023-05-25 21:52:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ea685044d49945fffc7b62f82a6d3fb9d7ba37a

commit 3ea685044d49945fffc7b62f82a6d3fb9d7ba37a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-25 08:16:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-25 21:52:07 +0000

    dev-lang/perl: update HTTP::Tiny SSL-verify-by-default patch
    
    Thanks to Stig for pointing this out! Pull in the fixed version from nixpkgs,
    like Alpine has done.
    
    Bug: https://bugs.gentoo.org/905296
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-lang/perl/files/perl-5.36.1-http-tiny.patch    | 71 +++++++++++++++++++---
 ...perl-5.36.1-r1.ebuild => perl-5.36.1-r2.ebuild} |  0
 2 files changed, 63 insertions(+), 8 deletions(-)
Comment 7 Larry the Git Cow gentoo-dev 2024-11-17 09:52:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=06b1665a387d4d7cb73b9b91b99b6ed644d013ed

commit 06b1665a387d4d7cb73b9b91b99b6ed644d013ed
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-11-17 09:51:20 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-11-17 09:51:58 +0000

    [ GLSA 202411-09 ] Perl: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/807307
    Bug: https://bugs.gentoo.org/905296
    Bug: https://bugs.gentoo.org/918612
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202411-09.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)