mirror of
https://git.yoctoproject.org/poky
synced 2026-05-01 06:32:11 +02:00
68b407ff94
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. References: https://nvd.nist.gov/vuln/detail/CVE-2023-31484 https://nvd.nist.gov/vuln/detail/CVE-2023-31486 Upstream patches:9c9837028777f557ef84a22785783b(From OE-Core rev: f4fe9861d6aebd971a3120a0eb43f752c73ce2fb) Signed-off-by: Soumya <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
31 lines
1.2 KiB
Diff
31 lines
1.2 KiB
Diff
commit a22785783b17cbaa28afaee4a024d81a1903701d
|
|
From: Stig Palmquist <git@stig.io>
|
|
Date: Sun Jun 18 11:36:05 2023 +0200
|
|
|
|
Fix incorrect env var name for verify_SSL default
|
|
|
|
The variable to override the verify_SSL default differed slightly in the
|
|
documentation from what was checked for in the code.
|
|
|
|
This commit makes the code use `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT`
|
|
as documented, instead of `PERL_HTTP_TINY_INSECURE_BY_DEFAULT` which was
|
|
missing `SSL_`
|
|
|
|
Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d]
|
|
|
|
Signed-off-by: Soumya <soumya.sambu@windriver.com>
|
|
---
|
|
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
|
|
index bf455b6..7240b65 100644
|
|
--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
|
|
+++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
|
|
@@ -149,7 +149,7 @@ sub _verify_SSL_default {
|
|
my ($self) = @_;
|
|
# Check if insecure default certificate verification behaviour has been
|
|
# changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
|
|
- return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
|
|
+ return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
|
|
}
|
|
|
|
sub _set_proxies {
|