Hello community, here is the log from the commit of package perl-LWP-Protocol-https for openSUSE:Factory checked in at 2014-05-17 06:43:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-LWP-Protocol-https (Old) and /work/SRC/openSUSE:Factory/.perl-LWP-Protocol-https.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-LWP-Protocol-https"
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-LWP-Protocol-https/perl-LWP-Protocol-https.changes 2014-05-02 20:52:22.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.perl-LWP-Protocol-https.new/perl-LWP-Protocol-https.changes 2014-05-17 06:43:04.000000000 +0200
@@ -1,0 +2,8 @@
+Thu May 15 09:39:07 UTC 2014 - vci...@suse.com
+
+- fix for CVE-2014-3230 (bnc#876862)
+ * perl-LWP-Protocol-https: Environment variables HTTPS_CA_DIR or
+ HTTPS_CA_FILE disable hostname verification
+ * added CVE-2014-3230.patch
+
+-------------------------------------------------------------------
New:
----
 CVE-2014-3230.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-LWP-Protocol-https.spec ++++++
--- /var/tmp/diff_new_pack.xevbxe/_old 2014-05-17 06:43:05.000000000 +0200
+++ /var/tmp/diff_new_pack.xevbxe/_new 2014-05-17 06:43:05.000000000 +0200
@@ -27,6 +27,7 @@
 Source: http://www.cpan.org/authors/id/G/GA/GAAS/%{cpan_name}-%{version}.tar.gz
 # patch for using system certificates
 Patch0: %{cpan_name}-6.04-systemca.diff
+Patch1: CVE-2014-3230.patch
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: perl
@@ -63,6 +64,7 @@
 %prep
 %setup -q -n %{cpan_name}-%{version}
 %patch0 -p1
+%patch1 -p1
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
++++++ CVE-2014-3230.patch ++++++
>From 1b924708663f457a4f7c25ed35d7dfb3bb5b334d Mon Sep 17 00:00:00 2001
From: Steffen Ullrich <steffen_ullr...@genua.de>
Date: Sat, 3 May 2014 23:04:36 +0200
Subject: [PATCH 1/3] Debian #746576 - don't disale verification if only hostnames should not be verified
---
 lib/LWP/Protocol/https.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Index: LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
===================================================================
--- LWP-Protocol-https-6.04.orig/lib/LWP/Protocol/https.pm 2014-05-15 11:46:54.319643759 +0200
+++ LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm 2014-05-15 11:46:55.856660773 +0200
@@ -20,7 +20,11 @@ sub _extra_sock_opts
 $ssl_opts{SSL_verifycn_scheme} = 'www';
 }
 else {
- $ssl_opts{SSL_verify_mode} = 0;
+ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
+ $ssl_opts{SSL_verifycn_scheme} = '';
+ } else {
+ $ssl_opts{SSL_verifycn_scheme} = 'none';
+ }
 }
 $self->{ssl_opts} = \%ssl_opts;
 return (%ssl_opts, $self->SUPER::_extra_sock_opts);
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
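Review bot: The new `else` branch (per the subject line, the path where hostnames are not to be verified) no longer assigns `SSL_verify_mode` at all, so whether the certificate chain is checked now depends on the caller's `ssl_opts` and on the socket class's own default, neither of which this hunk shows. On a backend whose default is no peer verification the connection would remain unauthenticated after the fix, so I would make the intent explicit with `$ssl_opts{SSL_verify_mode} = 1 unless defined $ssl_opts{SSL_verify_mode};`, which still honours a caller who deliberately passes 0. The class test also deserves a comment such as `# Net::SSL takes an empty scheme, IO::Socket::SSL the literal 'none'; both skip only the hostname check`; that reading is inferred from the code and should be confirmed against both backends. `_extra_sock_opts` begins above the hunk and ends below it, and the patch adds no regression test for this path.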