https://bugzilla.redhat.com/show_bug.cgi?id=2230255



--- Comment #6 from Petr Pisar <ppi...@redhat.com> ---
>    - Changes the `verify_SSL` default parameter from `0` to `1`.
>      Fixes CVE-2023-31486.

This does not mean that IO::Socket::SSL is now required. This only means that
if IO::Socket::SSL is used, then a certificate is verified. If an https URL is
passed to HTTP::Tiny, and IO::Socket::SSL is unavailable, then HTTP::Tiny
graciously fails. From HTTP::Tiny POD:

TLS/SSL SUPPORT
    Direct "https" connections are supported only if IO::Socket::SSL 1.56 or
    greater and Net::SSLeay 1.49 or greater are installed. An error will
    occur if new enough versions of these modules are not installed or if
    the TLS encryption fails. You can also use HTTP::Tiny::can_ssl() utility
    function that returns boolean to see if the required modules are
    installed.

Changing the dependency from Recommends to Requires has no influence on
CVE-2023-31486.


Maybe we could use the same approach as with LWP (perl-LWP-Protocol-https):
Keep HTTP::Tiny free from IO::Socket::SSL and instead introduce a new RPM
dependency symbol meaning "I want HTTP::Tiny with TLS support". That new
dependency symbol would pull HTTP::Tiny with IO::Socket::SSL. That new
dependency symbol would be imposed on packages which are required to process
HTTPS connections, like perl-CPAN now.
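An added Perl example (not from the bug report or from the HTTP::Tiny distribution) that checks what the installed HTTP::Tiny actually provides: whether IO::Socket::SSL and Net::SSLeay are present via can_ssl(), whether verify_SSL is on by default, and what a verified https request does. The default URL is a placeholder; pass a real one as the first argument.

```perl
#!/usr/bin/perl
# Added example: inspect HTTP::Tiny TLS capability before relying on an https fetch.
use strict;
use warnings;
use HTTP::Tiny;

# Describe the installed HTTP::Tiny: version, TLS stack availability and the
# verify_SSL default (0 before the CVE-2023-31486 fix, 1 afterwards).
sub tls_capability {
    my ($ok, $why) = HTTP::Tiny->can_ssl;   # list context also returns the reason
    return {
        version        => HTTP::Tiny->VERSION,
        can_ssl        => $ok ? 1 : 0,
        why_not        => $ok ? '' : $why,
        verify_default => HTTP::Tiny->new->verify_SSL ? 1 : 0,
    };
}

# Fetch an https URL with certificate verification forced on, so the result is
# the same on old and new HTTP::Tiny. Status 599 is HTTP::Tiny's internal error
# (no TLS modules, handshake or verification failure), not a server reply.
sub fetch_verified {
    my ($url) = @_;
    my $http = HTTP::Tiny->new(verify_SSL => 1, timeout => 10);
    return $http->get($url);
}

my $cap = tls_capability();
printf "HTTP::Tiny %s: can_ssl=%d verify_SSL default=%d\n",
    $cap->{version}, $cap->{can_ssl}, $cap->{verify_default};

# Without IO::Socket::SSL the https request would fail anyway; say so up front.
die "No TLS support: $cap->{why_not}\n" unless $cap->{can_ssl};

my $url = shift @ARGV // 'https://example.invalid/';   # placeholder URL
my $res = fetch_verified($url);
if ($res->{status} == 599) {
    print "internal failure: $res->{content}\n";       # e.g. certificate verify failed
} else {
    print "$res->{status} $res->{reason}\n";
}
```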

