Hello community,

here is the log from the commit of package perl-LWP-Protocol-https for 
openSUSE:Factory checked in at 2014-05-17 06:43:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-LWP-Protocol-https (Old)
 and      /work/SRC/openSUSE:Factory/.perl-LWP-Protocol-https.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-LWP-Protocol-https"

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/perl-LWP-Protocol-https/perl-LWP-Protocol-https.changes
  2014-05-02 20:52:22.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.perl-LWP-Protocol-https.new/perl-LWP-Protocol-https.changes
     2014-05-17 06:43:04.000000000 +0200
@@ -1,0 +2,8 @@
+Thu May 15 09:39:07 UTC 2014 - vci...@suse.com
+
+- fix for CVE-2014-3230 (bnc#876862)
+  * perl-LWP-Protocol-https: Environment variables HTTPS_CA_DIR or
+    HTTPS_CA_FILE disable hostname verification
+  * added CVE-2014-3230.patch
+
+-------------------------------------------------------------------
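Review bot: The entry "* added CVE-2014-3230.patch" names the patch file but not where it comes from. The patch header further down credits Steffen Ullrich, cites Debian #746576 and is numbered [PATCH 1/3]. The changelog should record that origin and say whether the other two parts of that series are needed for this fix or were left out on purpose.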

New:
----
  CVE-2014-3230.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-LWP-Protocol-https.spec ++++++
--- /var/tmp/diff_new_pack.xevbxe/_old  2014-05-17 06:43:05.000000000 +0200
+++ /var/tmp/diff_new_pack.xevbxe/_new  2014-05-17 06:43:05.000000000 +0200
@@ -27,6 +27,7 @@
 Source:         
http://www.cpan.org/authors/id/G/GA/GAAS/%{cpan_name}-%{version}.tar.gz
 # patch for using system certificates                                          
                                                                             
 Patch0:         %{cpan_name}-6.04-systemca.diff
+Patch1:         CVE-2014-3230.patch
 BuildArch:      noarch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  perl
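Review bot: The new "Patch1:" line has no comment, unlike "Patch0:" directly above it, which is introduced by "# patch for using system certificates". Add a one-line comment above Patch1 naming what it fixes (CVE-2014-3230, bnc#876862) so the spec file can be read without the changelog.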
@@ -63,6 +64,7 @@
 %prep
 %setup -q -n %{cpan_name}-%{version}
 %patch0 -p1
+%patch1 -p1
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor

++++++ CVE-2014-3230.patch ++++++
From 1b924708663f457a4f7c25ed35d7dfb3bb5b334d Mon Sep 17 00:00:00 2001
From: Steffen Ullrich <steffen_ullr...@genua.de>
Date: Sat, 3 May 2014 23:04:36 +0200
Subject: [PATCH 1/3] Debian #746576 - don't disable verification if only
 hostnames should not be verified

---
 lib/LWP/Protocol/https.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
===================================================================
--- LWP-Protocol-https-6.04.orig/lib/LWP/Protocol/https.pm      2014-05-15 
11:46:54.319643759 +0200
+++ LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm   2014-05-15 
11:46:55.856660773 +0200
@@ -20,7 +20,11 @@ sub _extra_sock_opts
        $ssl_opts{SSL_verifycn_scheme} = 'www';
     }
     else {
-       $ssl_opts{SSL_verify_mode} = 0;
+       if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
+           $ssl_opts{SSL_verifycn_scheme} = '';
+       } else {
+           $ssl_opts{SSL_verifycn_scheme} = 'none';
+       }
     }
     $self->{ssl_opts} = \%ssl_opts;
     return (%ssl_opts, $self->SUPER::_extra_sock_opts);
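Review bot: In the else branch of _extra_sock_opts, removing "$ssl_opts{SSL_verify_mode} = 0;" leaves SSL_verify_mode unassigned on this path, so whether the certificate chain is checked now depends on a value the caller placed in ssl_opts or on the socket class default, neither of which is visible in this hunk. If the intent is that chain verification stays on when only hostname checking is turned off, set that default explicitly in this branch when the key is absent, and add a regression test for the HTTPS_CA_DIR / HTTPS_CA_FILE case named in the changelog. The two magic values, '' for Net::SSL and 'none' otherwise, also need a short comment explaining why the socket classes take different settings.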