[Bug 2230255] perl-HTTP-Tiny: a ton of new dependencies all of a sudden?

https://bugzilla.redhat.com/show_bug.cgi?id=2230255



--- Comment #6 from Petr Pisar <ppisar@xxxxxxxxxx> ---
>    - Changes the `verify_SSL` default parameter from `0` to `1`.
>      Fixes CVE-2023-31486.

This does not mean that IO::Socket::SSL is now required. This only means that
if IO::Socket::SSL is used, then a certificate is verified. If an https URL is
passed to HTTP::Tiny, and IO::Socket::SSL is unavailable, then HTTP::Tiny
gracefully fails. From the HTTP::Tiny POD:

TLS/SSL SUPPORT
    Direct "https" connections are supported only if IO::Socket::SSL 1.56 or
    greater and Net::SSLeay 1.49 or greater are installed. An error will
    occur if new enough versions of these modules are not installed or if
    the TLS encryption fails. You can also use HTTP::Tiny::can_ssl() utility
    function that returns boolean to see if the required modules are
    installed.

Changing the dependency from Recommends to Requires has no influence on
CVE-2023-31486.


Maybe we could use the same approach as with LWP (perl-LWP-Protocol-https):
Keep HTTP::Tiny free from IO::Socket::SSL and instead introduce a new RPM
dependency symbol meaning "I want HTTP::Tiny with TLS support". That new
dependency symbol would pull HTTP::Tiny with IO::Socket::SSL. That new
dependency symbol would be imposed on packages which are required to process
HTTPS connections, like perl-CPAN now.


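The distinction drawn in the comment (TLS modules being optional versus certificate verification being on by default) is easy to check on a given box. The script below is an added example, not code from the bug report, from HTTP::Tiny or from Fedora; it uses only the public HTTP::Tiny interface (the `verify_SSL` accessor, `can_ssl` in class and object form, and the 599 "Internal Exception" response HTTP::Tiny returns instead of dying). The URL argument is optional and is the only thing that touches the network.

```perl
#!/usr/bin/env perl
# Added example; not code from the bug report, from HTTP::Tiny or from Fedora.
# Shows, on the installed HTTP::Tiny: (1) what verify_SSL defaults to,
# (2) whether https is possible at all (IO::Socket::SSL + Net::SSLeay present),
# (3) whether verification can actually work (a CA bundle can be found), and
# (4) how an https request fails when the TLS stack is missing or the
#     certificate does not verify.
use strict;
use warnings;
use HTTP::Tiny;

# (1) The fix for CVE-2023-31486 flips this default from 0 to 1. Read it back
#     through the generated accessor rather than trusting the changelog.
my $ua = HTTP::Tiny->new;
printf "HTTP::Tiny %s, verify_SSL default = %s\n",
    HTTP::Tiny->VERSION, $ua->verify_SSL ? 1 : 0;

# (2) Class-method form: only checks that the two modules are installed.
#     This is exactly what the Recommends/Requires discussion is about.
my ($mods_ok, $mods_why) = HTTP::Tiny::can_ssl();
print $mods_ok ? "TLS modules present\n" : "No https possible:\n$mods_why";

# (3) Object-method form additionally checks that, with verify_SSL on, a CA
#     bundle can be located. This is the combination that starts failing once
#     the default is 1: TLS modules present, but nothing to verify against.
my ($verify_ok, $verify_why) = $ua->can_ssl;
print $verify_ok
    ? "Certificate verification possible\n"
    : "https with verification will fail:\n$verify_why";

# (4) HTTP::Tiny does not die on a missing TLS stack; it returns status 599
#     ("Internal Exception") with the reason in 'content'. Only runs when a
#     URL is passed, so the script stays offline by default.
if (my $url = shift @ARGV) {
    my $res = $ua->get($url);
    if ($res->{success}) {
        printf "%s %s, %d bytes\n",
            $res->{status}, $res->{reason}, length $res->{content};
    } elsif ($res->{status} == 599) {
        # Missing IO::Socket::SSL, missing CA bundle, and a failed certificate
        # check all land here; the text says which one it was.
        print "Request failed before/while connecting: $res->{content}\n";
    } else {
        print "HTTP error: $res->{status} $res->{reason}\n";
    }
}

# Do not "fix" a 599 with verify_SSL => 0: that restores the pre-CVE behaviour
# (no certificate verification). Install a CA bundle, or point at one with
# SSL_options => { SSL_ca_file => '/path/to/ca-bundle.crt' }, instead.
```

Run it once without arguments to see the three checks; run it with an https URL to see which of the failure modes applies. Note that (2) and (3) can disagree: a system with IO::Socket::SSL and Net::SSLeay but no CA bundle passes the class-method check and fails the object-method one, which is the practical consequence of the default change the comment describes.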
perl-devel mailing list -- perl-devel@xxxxxxxxxxxxxxxxxxxxxxx