Fix CVE-2014-3230
This commit is contained in:
parent
433c71eb66
commit
22acb1b049
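--- /dev/null
+++ b/LWP-Protocol-https-6.06-Debian-746576-don-t-disale-verification-if-only-host.patch
@@ -0,0 +1,30 @@
+From 1b924708663f457a4f7c25ed35d7dfb3bb5b334d Mon Sep 17 00:00:00 2001
+From: Steffen Ullrich <Steffen_Ullrich@genua.de>
+Date: Sat, 3 May 2014 23:04:36 +0200
+Subject: [PATCH 1/2] Debian #746576 - don't disale verification if only
+hostnames should not be verified
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+lib/LWP/Protocol/https.pm | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+index a707917..8c87e81 100644
+--- a/lib/LWP/Protocol/https.pm
++++ b/lib/LWP/Protocol/https.pm
+@@ -21,7 +21,7 @@ sub _extra_sock_opts
+$ssl_opts{SSL_verifycn_scheme} = 'www';
+}
+else {
+- $ssl_opts{SSL_verify_mode} = 0;
++ $ssl_opts{SSL_verifycn_scheme} = 'none';
+}
+if ($ssl_opts{SSL_verify_mode}) {
+unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
+--
+1.9.0
+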
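Review bot: The new `else` branch sets only `SSL_verifycn_scheme = 'none'` and deliberately no longer assigns `SSL_verify_mode`, but nothing in the code records that this asymmetry is the point of the fix, so a later cleanup could easily "restore" the old `SSL_verify_mode = 0` line. A comment above the branch such as `# verify_hostname => 0 must skip only the hostname check; SSL_verify_mode is left as configured so the certificate chain is still verified` would pin the intent next to the code. The enclosing `sub _extra_sock_opts` starts before and continues after the hunk, so whether `SSL_verify_mode` carries a verifying default at this point is not visible here. The same branch is rewritten again by the second patch file in this commit, which would be the place to carry the comment.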
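--- /dev/null
+++ b/LWP-Protocol-https-6.06-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch
@@ -0,0 +1,51 @@
+From 6b5c876de80451ee54de5d853de37a62e26bf6fe Mon Sep 17 00:00:00 2001
+From: Steffen Ullrich <Steffen_Ullrich@genua.de>
+Date: Sun, 4 May 2014 09:14:13 +0200
+Subject: [PATCH 2/2] Debian #746576 - fix test, make it workable for
+Crypt::SSLeay/Net::SSL too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+lib/LWP/Protocol/https.pm | 6 +++++-
+t/https_proxy.t | 5 ++++-
+2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+index 8c87e81..6223ddf 100644
+--- a/lib/LWP/Protocol/https.pm
++++ b/lib/LWP/Protocol/https.pm
+@@ -21,7 +21,11 @@ sub _extra_sock_opts
+$ssl_opts{SSL_verifycn_scheme} = 'www';
+}
+else {
+- $ssl_opts{SSL_verifycn_scheme} = 'none';
++ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
++ $ssl_opts{SSL_verifycn_scheme} = '';
++ } else {
++ $ssl_opts{SSL_verifycn_scheme} = 'none';
++ }
+}
+if ($ssl_opts{SSL_verify_mode}) {
+unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
+diff --git a/t/https_proxy.t b/t/https_proxy.t
+index 5196960..c78345b 100644
+--- a/t/https_proxy.t
++++ b/t/https_proxy.t
+@@ -66,7 +66,10 @@ my %ua;
+$ua{noproxy} = LWP::UserAgent->new(
+keep_alive => 10, # size of connection cache
+# server does not know the expected name and returns generic certificate
+- ssl_opts => { verify_hostname => 0 }
++ ssl_opts => {
++ verify_hostname => 0,
++ SSL_ca_file => $cafile,
++ }
+);
+
+$ua{proxy} = LWP::UserAgent->new(
+--
+1.9.0
+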
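Review bot: The backend test `if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' )` gives no hint why Net::SSL receives `''` while IO::Socket::SSL receives `'none'`; the patch subject is the only place that explains the split, and it does not travel with the code. A comment on the `if` such as `# Net::SSL (Crypt::SSLeay) apparently does not accept IO::Socket::SSL's 'none' scheme value; pass an empty scheme there, 'none' elsewhere — only the hostname check is skipped, SSL_verify_mode stays as configured` (sharpened if the exact failure mode is known) would keep the reason next to the code. If `$Net::HTTPS::SSL_SOCKET_CLASS` can still be unset when `_extra_sock_opts` runs — not visible in this hunk — the `eq` comparison also emits an uninitialized-value warning under `use warnings`, and `( $Net::HTTPS::SSL_SOCKET_CLASS // '' ) eq 'Net::SSL'` would be the quiet form where the module can rely on Perl 5.10 or later. The enclosing `sub _extra_sock_opts` starts and ends outside the hunk.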
@ -1,11 +1,18 @@
|
||||
Name: perl-LWP-Protocol-https
|
||||
Version: 6.06
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: Provide HTTPS support for LWP::UserAgent
|
||||
License: GPL+ or Artistic
|
||||
Group: Development/Libraries
|
||||
URL: http://search.cpan.org/dist/LWP-Protocol-https/
|
||||
Source0: http://www.cpan.org/authors/id/M/MS/MSCHILLI/LWP-Protocol-https-%{version}.tar.gz
|
||||
# Fix CVE-2014-3230, bug #1094442,
|
||||
# proposed in https://github.com/libwww-perl/lwp-protocol-https/pull/14
|
||||
Patch0: LWP-Protocol-https-6.06-Debian-746576-don-t-disale-verification-if-only-host.patch
|
||||
# Fix CVE-2014-3230, bug #1094442,
|
||||
# proposed in https://github.com/libwww-perl/lwp-protocol-https/pull/14
|
||||
Patch1: LWP-Protocol-https-6.06-Debian-746576-fix-test-make-it-workable-for-Crypt-SS.patch
|
||||
|
||||
BuildArch: noarch
|
||||
BuildRequires: perl
|
||||
BuildRequires: perl(ExtUtils::MakeMaker)
|
||||
@ -42,6 +49,8 @@ access sites using HTTP over SSL/TLS.
|
||||
|
||||
%prep
|
||||
%setup -q -n LWP-Protocol-https-%{version}
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
|
||||
%build
|
||||
perl Makefile.PL INSTALLDIRS=vendor
|
||||
@ -61,6 +70,10 @@ make test
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Mon May 12 2014 Petr Pisar <ppisar@redhat.com> - 6.06-2
|
||||
- Fix CVE-2014-3230 (incorrect handling of SSL certificate verification if
|
||||
HTTPS_CA_DIR or HTTPS_CA_FILE environment variables are set) (bug #1094442)
|
||||
|
||||
* Wed Apr 23 2014 Petr Pisar <ppisar@redhat.com> - 6.06-1
|
||||
- 6.06 bump
|
||||
|
||||
|