diff options
Diffstat (limited to 'poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch')
-rw-r--r-- | poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch | 217 |
1 files changed, 0 insertions, 217 deletions
diff --git a/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch b/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch deleted file mode 100644 index 0531e1f099..0000000000 --- a/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch +++ /dev/null @@ -1,217 +0,0 @@ -From 77f557ef84698efeb6eed04e4a9704eaf85b741d -From: Stig Palmquist <git@stig.io> -Date: Mon Jun 5 16:46:22 2023 +0200 -Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable - insecure default - -- Changes the `verify_SSL` default parameter from `0` to `1` - - Based on patch by Dominic Hargreaves: - https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 - - CVE: CVE-2023-31486 - -- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that - enables the previous insecure default behaviour if set to `1`. - - This provides a workaround for users who encounter problems with the - new `verify_SSL` default. - - Example to disable certificate checks: - ``` - $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl - ``` - -- Updates to documentation: - - Describe changing the verify_SSL value - - Describe the escape-hatch environment variable - - Remove rationale for not enabling verify_SSL - - Add missing certificate search paths - - Replace "SSL" with "TLS/SSL" where appropriate - - Use "machine-in-the-middle" instead of "man-in-the-middle" - -Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d] - -Signed-off-by: Soumya <soumya.sambu@windriver.com> ---- - cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++++++++++++++++++++++----------- - 1 file changed, 57 insertions(+), 29 deletions(-) - -diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm -index 83ca06d..ebc34a1 100644 ---- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm -+++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm -@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) } - #pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open, - #pod read or write takes longer than the timeout, the request response status code - #pod will be 599. --#pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL --#pod certificate of an C<https> — connection (default is false) -+#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL -+#pod certificate of an C<https> — connection (default is true). Changed from false -+#pod to true in version 0.083. - #pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to - #pod L<IO::Socket::SSL> -+#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default -+#pod certificate verification behavior to not check server identity if set to 1. -+#pod Only effective if C<verify_SSL> is not set. Added in version 0.083. - #pod - #pod An accessor/mutator method exists for each attribute. - #pod -@@ -111,11 +115,17 @@ sub timeout { - sub new { - my($class, %args) = @_; - -+ # Support lower case verify_ssl argument, but only if verify_SSL is not -+ # true. -+ if ( exists $args{verify_ssl} ) { -+ $args{verify_SSL} ||= $args{verify_ssl}; -+ } -+ - my $self = { - max_redirect => 5, - timeout => defined $args{timeout} ? $args{timeout} : 60, - keep_alive => 1, -- verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default -+ verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(), - no_proxy => $ENV{no_proxy}, - }; - -@@ -134,6 +144,13 @@ sub new { - return $self; - } - -+sub _verify_SSL_default { -+ my ($self) = @_; -+ # Check if insecure default certificate verification behaviour has been -+ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 -+ return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; -+} -+ - sub _set_proxies { - my ($self) = @_; - -@@ -1055,7 +1072,7 @@ sub new { - timeout => 60, - max_line_size => 16384, - max_header_lines => 64, -- verify_SSL => 0, -+ verify_SSL => HTTP::Tiny::_verify_SSL_default(), - SSL_options => {}, - %args - }, $class; -@@ -2043,11 +2060,11 @@ proxy - timeout - verify_SSL - --=head1 SSL SUPPORT -+=head1 TLS/SSL SUPPORT - - Direct C<https> connections are supported only if L<IO::Socket::SSL> 1.56 or - greater and L<Net::SSLeay> 1.49 or greater are installed. An error will occur --if new enough versions of these modules are not installed or if the SSL -+if new enough versions of these modules are not installed or if the TLS - encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function - that returns boolean to see if the required modules are installed. - -@@ -2055,7 +2072,7 @@ An C<https> connection may be made via an C<http> proxy that supports the CONNEC - command (i.e. RFC 2817). You may not proxy C<https> via a proxy that itself - requires C<https> to communicate. - --SSL provides two distinct capabilities: -+TLS/SSL provides two distinct capabilities: - - =over 4 - -@@ -2069,24 +2086,17 @@ Verification of server identity - - =back - --B<By default, HTTP::Tiny does not verify server identity>. -- --Server identity verification is controversial and potentially tricky because it --depends on a (usually paid) third-party Certificate Authority (CA) trust model --to validate a certificate as legitimate. This discriminates against servers --with self-signed certificates or certificates signed by free, community-driven --CA's such as L<CAcert.org|http://cacert.org>. -+B<By default, HTTP::Tiny verifies server identity>. - --By default, HTTP::Tiny does not make any assumptions about your trust model, --threat level or risk tolerance. It just aims to give you an encrypted channel --when you need one. -+This was changed in version 0.083 due to security concerns. The previous default -+behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> -+to 1. - --Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify --that an SSL connection has a valid SSL certificate corresponding to the host --name of the connection and that the SSL certificate has been verified by a CA. --Assuming you trust the CA, this will protect against a L<man-in-the-middle --attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If you are --concerned about security, you should enable this option. -+Verification is done by checking that that the TLS/SSL connection has a valid -+certificate corresponding to the host name of the connection and that the -+certificate has been verified by a CA. Assuming you trust the CA, this will -+protect against L<machine-in-the-middle -+attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>. - - Certificate verification requires a file containing trusted CA certificates. - -@@ -2094,9 +2104,7 @@ If the environment variable C<SSL_CERT_FILE> is present, HTTP::Tiny - will try to find a CA certificate file in that location. - - If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file --included with it as a source of trusted CA's. (This means you trust Mozilla, --the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the --toolchain used to install it, and your operating system security, right?) -+included with it as a source of trusted CA's. - - If that module is not available, then HTTP::Tiny will search several - system-specific default locations for a CA certificate file: -@@ -2115,13 +2123,33 @@ system-specific default locations for a CA certificate file: - - /etc/ssl/ca-bundle.pem - -+=item * -+ -+/etc/openssl/certs/ca-certificates.crt -+ -+=item * -+ -+/etc/ssl/cert.pem -+ -+=item * -+ -+/usr/local/share/certs/ca-root-nss.crt -+ -+=item * -+ -+/etc/pki/tls/cacert.pem -+ -+=item * -+ -+/etc/certs/ca-certificates.crt -+ - =back - - An error will be occur if C<verify_SSL> is true and no CA certificate file - is available. - --If you desire complete control over SSL connections, the C<SSL_options> attribute --lets you provide a hash reference that will be passed through to -+If you desire complete control over TLS/SSL connections, the C<SSL_options> -+attribute lets you provide a hash reference that will be passed through to - C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For - example, to provide your own trusted CA file: - -@@ -2131,7 +2159,7 @@ example, to provide your own trusted CA file: - - The C<SSL_options> attribute could also be used for such things as providing a - client certificate for authentication to a server or controlling the choice of --cipher used for the SSL connection. See L<IO::Socket::SSL> documentation for -+cipher used for the TLS/SSL connection. See L<IO::Socket::SSL> documentation for - details. - - =head1 PROXY SUPPORT --- -2.40.0 |