0.064 bump

2016-09-02 09:24:00 +02:00 · 2016-09-02 09:24:00 +02:00 · 45aa9596a7
commit 45aa9596a7
parent 39c5f847a1
4 changed files with 8 additions and 46 deletions
--- a/.gitignore
+++ b/.gitignore
@ -22,3 +22,4 @@
 /HTTP-Tiny-0.054.tar.gz
 /HTTP-Tiny-0.056.tar.gz
 /HTTP-Tiny-0.058.tar.gz
+/HTTP-Tiny-0.064.tar.gz
--- a/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+++ b/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@ -1,39 +0,0 @@
-From b239c95ea7a256cfee9b8848f1bd4d1df6e66444 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Wed, 27 Jul 2016 16:06:32 +1000
-Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
-
-The final . perl adds to @INC can be used by an attacker to fake
-an optional module in a world writable directory for a process
-using HTTP::Tiny when run from that directory.
-
-Remove the default . from the end of @INC when loading optional
-modules.
-
-Closes #90
---
- lib/HTTP/Tiny.pm | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
-index f8059b7..ea6db53 100644
--- a/lib/HTTP/Tiny.pm
-+++ b/lib/HTTP/Tiny.pm
-@@ -504,6 +504,8 @@ sub can_ssl {
-     my($ok, $reason) = (1, '');
- 
-     # Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback
-+    local @INC = @INC;
-+    pop @INC if $INC[-1] eq '.';
-     unless (eval {require IO::Socket::SSL; IO::Socket::SSL->VERSION(1.42)}) {
-         $ok = 0;
-         $reason .= qq/IO::Socket::SSL 1.42 must be installed for https support\n/;
-@@ -1568,6 +1570,8 @@ sub _find_CA_file {
-         return $ca_file;
-     }
- 
-+    local @INC = @INC;
-+    pop @INC if $INC[-1] eq '.';
-     return Mozilla::CA::SSL_ca_file()
-         if eval { require Mozilla::CA; 1 };
- 
--- a/perl-HTTP-Tiny.spec
+++ b/perl-HTTP-Tiny.spec
@ -1,6 +1,6 @@
 Name:           perl-HTTP-Tiny
-Version:        0.058
-Release:        3%{?dist}
+Version:        0.064
+Release:        1%{?dist}
 Summary:        Small, simple, correct HTTP/1.1 client
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@ -9,9 +9,6 @@ Source0:        http://www.cpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{version
 # Check for write failure, bug #1031096, refused by upstream,
 # <https://github.com/chansen/p5-http-tiny/issues/32>
 Patch0:         HTTP-Tiny-0.058-Croak-on-failed-write-into-a-file.patch
-# Avoid loading optional modules from default . (CVE-2016-1238)
-# in upstream after 0.059
-Patch1:         HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch:      noarch
 BuildRequires:  findutils
 BuildRequires:  make
@ -44,6 +41,7 @@ BuildRequires:  perl(IO::File)
 BuildRequires:  perl(IO::Socket::INET)
 # IO::Socket::SSL 1.56 not needed
 BuildRequires:  perl(IPC::Cmd)
+BuildRequires:  perl(lib)
 # Mozilla::CA not needed
 # Net::SSLeay 1.49 not needed
 BuildRequires:  perl(open)
@ -68,7 +66,6 @@ resumes after EINTR.
 %prep
 %setup -q -n HTTP-Tiny-%{version}
 %patch0 -p1
-%patch1 -p1

 %build
 perl Makefile.PL INSTALLDIRS=vendor
@ -89,6 +86,9 @@ make test
 %{_mandir}/man3/*

 %changelog
+* Fri Sep 02 2016 Petr Pisar <ppisar@redhat.com> - 0.064-1
+- 0.064 bump
+
 * Tue Aug 02 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.058-3
 - Avoid loading optional modules from default . (CVE-2016-1238)

--- a/2
+++ b/2
@ -1 +1 @@
-2cef09fbfc897c14547f3774d14824eb  HTTP-Tiny-0.058.tar.gz
+4673143f2e400c8c7cc972b37a249e14  HTTP-Tiny-0.064.tar.gz