mirror of
https://git.yoctoproject.org/poky
synced 2026-03-09 16:59:40 +01:00
80ecd63cc8
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. References: https://nvd.nist.gov/vuln/detail/CVE-2023-31486 Upstream patches:77f557ef84a22785783b(From OE-Core rev: 5819c839e1de92ab7669a0d4997886d0306c4cc1) Signed-off-by: Soumya <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
From a22785783b17cbaa28afaee4a024d81a1903701d
|
|
From: Stig Palmquist <git@stig.io>
|
|
Date: Sun Jun 18 11:36:05 2023 +0200
|
|
Subject: [PATCH] Fix incorrect env var name for verify_SSL default
|
|
|
|
The variable to override the verify_SSL default differed slightly in the
|
|
documentation from what was checked for in the code.
|
|
|
|
This commit makes the code use `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT`
|
|
as documented, instead of `PERL_HTTP_TINY_INSECURE_BY_DEFAULT` which was
|
|
missing `SSL_`
|
|
|
|
CVE: CVE-2023-31486
|
|
|
|
Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d]
|
|
|
|
Signed-off-by: Soumya <soumya.sambu@windriver.com>
|
|
---
|
|
cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
|
|
index ebc34a1..65ac8ff 100644
|
|
--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
|
|
+++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
|
|
@@ -148,7 +148,7 @@ sub _verify_SSL_default {
|
|
my ($self) = @_;
|
|
# Check if insecure default certificate verification behaviour has been
|
|
# changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
|
|
- return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
|
|
+ return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
|
|
}
|
|
|
|
sub _set_proxies {
|
|
--
|
|
2.40.0
|