* [gentoo-commits] repo/gentoo:master commit in: dev-perl/LWP-Protocol-https/, dev-perl/LWP-Protocol-https/files/
@ 2017-03-20 21:41 Kent Fredric
0 siblings, 0 replies; only message in thread
From: Kent Fredric @ 2017-03-20 21:41 UTC (permalink / raw
To: gentoo-commits
commit: 6c66a3fce14344d5819a5f9eb6a875e2bdaeea50
Author: Kent Fredric <kentnl <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 20 21:37:15 2017 +0000
Commit: Kent Fredric <kentnl <AT> gentoo <DOT> org>
CommitDate: Mon Mar 20 21:41:17 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c66a3fc
dev-perl/LWP-Protocol-https: Bump to version 6.70.0
- EAPI6
- Rehashed patches to git-format to ensure they still apply
Keywords:
- New deps, dropped:
amd64-fbsd mips x86-fbsd
Upstream:
- Explicitly add hostname for SNI to start_SSL
Package-Manager: Portage-2.3.4, Repoman-2.3.2
.../LWP-Protocol-https-6.70.0.ebuild | 36 ++++++++++++++++
dev-perl/LWP-Protocol-https/Manifest | 1 +
.../LWP-Protocol-https-6.70.0-CVE-2014-3230.patch | 36 ++++++++++++++++
.../LWP-Protocol-https-6.70.0-etcsslcerts.patch | 48 ++++++++++++++++++++++
4 files changed, 121 insertions(+)
diff --git a/dev-perl/LWP-Protocol-https/LWP-Protocol-https-6.70.0.ebuild b/dev-perl/LWP-Protocol-https/LWP-Protocol-https-6.70.0.ebuild
new file mode 100644
index 00000000000..7d3edd2f3b0
--- /dev/null
+++ b/dev-perl/LWP-Protocol-https/LWP-Protocol-https-6.70.0.ebuild
@@ -0,0 +1,36 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+DIST_AUTHOR=OALDERS
+DIST_VERSION=6.07
+inherit perl-module
+
+DESCRIPTION="Provide https support for LWP::UserAgent"
+
+SLOT="0"
+IUSE="test"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+
+RDEPEND="
+ app-misc/ca-certificates
+ >=dev-perl/IO-Socket-SSL-1.540.0
+ >=dev-perl/libwww-perl-6.60.0
+ >=dev-perl/Net-HTTP-6
+"
+DEPEND="${RDEPEND}
+ virtual/perl-ExtUtils-MakeMaker
+ test? (
+ virtual/perl-Test-Simple
+ dev-perl/Test-RequiresInternet
+ )
+"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-6.70.0-etcsslcerts.patch
+ "${FILESDIR}"/${PN}-6.70.0-CVE-2014-3230.patch # note: breaks a test, still needed?
+)
+PERL_RM_FILES=(
+ "t/https_proxy.t" # see above
+)
diff --git a/dev-perl/LWP-Protocol-https/Manifest b/dev-perl/LWP-Protocol-https/Manifest
index 39b4a0d26b3..ba48c7323df 100644
--- a/dev-perl/LWP-Protocol-https/Manifest
+++ b/dev-perl/LWP-Protocol-https/Manifest
@@ -1,2 +1,3 @@
DIST LWP-Protocol-https-6.06.tar.gz 8376 SHA256 b86c83cc1dcf4a6f84e2fbe32f9c39591a36e6e418af00533505f3452496adef SHA512 acc65d63da858f25cf9cc1e11d074f035e8ead4c1ffea22bac930f61100ff98f2bf0bb4ede12219d6c22bd5fe4d99532a45fe5cbc9a4b863dd16b0c379f8d2ea WHIRLPOOL a7baea45b51a4646ca014eb63684ea21a86d89b53e6ee551276b9b94fe4508b102c20e6e1f5fc6507ccedd1f4fa4cf38888dfb3e68d7982e5c3c1822631f4883
+DIST LWP-Protocol-https-6.07.tar.gz 9184 SHA256 522cc946cf84a1776304a5737a54b8822ec9e79b264d0ba0722a70473dbfb9e7 SHA512 4a07cd8a1c44e31781069a632a77f3af43747933420e831b4fd4a12faac7dc04f0c6b10ea773c3e14ecb66209a547b3587c0e3f481a55b9929db65f7b10343aa WHIRLPOOL a6e1a3d38b522721fdedcbb86b2df53346d68ba9f1777e91fbda3e7ba5b9ba9523e52c89257e8933c4df93e6735fd5155f2dde2a0cf6b74a71c46366c3bbe47b
DIST LWP-Protocol-https_ca-cert-r1.patch.gz 597 SHA256 c8eee81eb55537aa47637b3e218a6c1fec13ca362a9d397b085eb8703fbee851 SHA512 9cc73a042e8c8a9e6bcd377d70978063d3da4c263da35097306b916990845d19580c7cb9fbf7b63efa280366969fcda38a9ac8c2b443891dcf6ac522edab6c0c WHIRLPOOL 743d272adbd4ce461ce50072ba443557a4eb9cf4cf1f0d4d867a19515e4d8bd85bf3bcfa0bd6f1657d758cef3ba24022aafca6cd029d352aa02651f6bdbfc05f
diff --git a/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.70.0-CVE-2014-3230.patch b/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.70.0-CVE-2014-3230.patch
new file mode 100644
index 00000000000..781d72ee03e
--- /dev/null
+++ b/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.70.0-CVE-2014-3230.patch
@@ -0,0 +1,36 @@
+From 67de137e737e4fa92d0cb746bdc8474d7bb5e000 Mon Sep 17 00:00:00 2001
+From: Kent Fredric <kentnl@gentoo.org>
+Date: Tue, 21 Mar 2017 10:11:32 +1300
+Subject: Use SSL_verifycn_scheme instead of disabling SSL_verify_mode
+
+Re: CVE-2014-3230
+
+Redhat Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1094440
+
+Combines: https://bugzilla.redhat.com/attachment.cgi?id=894747
+ https://bugzilla.redhat.com/attachment.cgi?id=894748
+---
+ lib/LWP/Protocol/https.pm | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+index f8ab398..ba69966 100644
+--- a/lib/LWP/Protocol/https.pm
++++ b/lib/LWP/Protocol/https.pm
+@@ -21,7 +21,12 @@ sub _extra_sock_opts
+ $ssl_opts{SSL_verifycn_scheme} = 'www';
+ }
+ else {
+- $ssl_opts{SSL_verify_mode} = 0;
++ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
++ $ssl_opts{SSL_verifycn_scheme} = '';
++ }
++ else {
++ $ssl_opts{SSL_verifycn_scheme} = 'none';
++ }
+ }
+ if ($ssl_opts{SSL_verify_mode}) {
+ unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
+--
+2.12.0
+
diff --git a/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.70.0-etcsslcerts.patch b/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.70.0-etcsslcerts.patch
new file mode 100644
index 00000000000..2553c7949af
--- /dev/null
+++ b/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.70.0-etcsslcerts.patch
@@ -0,0 +1,48 @@
+From 9baa19987f93284be254415d15db56c599e52e1e Mon Sep 17 00:00:00 2001
+From: Kent Fredric <kentnl@gentoo.org>
+Date: Tue, 21 Mar 2017 10:07:35 +1300
+Subject: Ensure using System Certificates instead of Mozilla-CA
+
+Bug: https://bugs.gentoo.org/358081
+---
+ lib/LWP/Protocol/https.pm | 24 +++---------------------
+ 1 file changed, 3 insertions(+), 21 deletions(-)
+
+diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
+index ed4d832..f8ab398 100644
+--- a/lib/LWP/Protocol/https.pm
++++ b/lib/LWP/Protocol/https.pm
+@@ -24,27 +24,9 @@ sub _extra_sock_opts
+ $ssl_opts{SSL_verify_mode} = 0;
+ }
+ if ($ssl_opts{SSL_verify_mode}) {
+- unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
+- eval {
+- require Mozilla::CA;
+- };
+- if ($@) {
+- if ($@ =~ /^Can't locate Mozilla\/CA\.pm/) {
+- $@ = <<'EOT';
+-Can't verify SSL peers without knowing which Certificate Authorities to trust
+-
+-This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
+-environment variable or by installing the Mozilla::CA module.
+-
+-To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
+-environment variable to 0. If you do this you can't be sure that you
+-communicate with the expected peer.
+-EOT
+- }
+- die $@;
+- }
+- $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file();
+- }
++ unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
++ $ssl_opts{SSL_ca_path} = '/etc/ssl/certs';
++ }
+ }
+ $self->{ssl_opts} = \%ssl_opts;
+ return (%ssl_opts, $self->SUPER::_extra_sock_opts);
+--
+2.12.0
+
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2017-03-20 21:41 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-20 21:41 [gentoo-commits] repo/gentoo:master commit in: dev-perl/LWP-Protocol-https/, dev-perl/LWP-Protocol-https/files/ Kent Fredric
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox