dilfridge 14/10/26 23:09:05 Added: LWP-Protocol-https-6.60.0-etcsslcerts.patch LWP-Protocol-https-6.60.0-CVE-2014-3230.patch Log: Version bump, adding patch for bug 509666 (Portage version: 2.2.14/cvs/Linux x86_64, signed Manifest commit with key EBE6A336BE19039C!)
Revision Changes Path 1.1 dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.60.0-etcsslcerts.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.60.0-etcsslcerts.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.60.0-etcsslcerts.patch?rev=1.1&content-type=text/plain
Index: LWP-Protocol-https-6.60.0-etcsslcerts.patch
===================================================================
See https://bugs.gentoo.org/358081
diff -ruN LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
--- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm 2014-04-18 18:33:26.000000000 +0200
+++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm 2014-10-27 00:04:50.604802937 +0100
@@ -25,25 +25,7 @@
 }
 if ($ssl_opts{SSL_verify_mode}) {
 unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
- eval {
- require Mozilla::CA;
- };
- if ($@) {
- if ($@ =! /^Can't locate Mozilla\/CA\.pm/) {
- $@ = <<'EOT';
-Can't verify SSL peers without knowing which Certificate Authorities to trust
-
-This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
-environment variable or by installing the Mozilla::CA module.
-
-To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
-environment variable to 0. If you do this you can't be sure that you
-communicate with the expected peer.
-EOT
- }
- die $@;
- }
- $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file();
+ $ssl_opts{SSL_ca_path} = '/etc/ssl/certs';
 }
 }
 $self->{ssl_opts} = \%ssl_opts;
1.1 dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.60.0-CVE-2014-3230.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.60.0-CVE-2014-3230.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-perl/LWP-Protocol-https/files/LWP-Protocol-https-6.60.0-CVE-2014-3230.patch?rev=1.1&content-type=text/plain
Index: LWP-Protocol-https-6.60.0-CVE-2014-3230.patch
===================================================================
Source: https://bugzilla.redhat.com/show_bug.cgi?id=1094440 This patch combines the following two: https://bugzilla.redhat.com/attachment.cgi?id=894747 https://bugzilla.redhat.com/attachment.cgi?id=894748
diff -ruN LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
--- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm 2014-04-18 18:33:26.000000000 +0200
+++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm 2014-10-26 23:57:27.714303175 +0100
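Review bot: The added `$ssl_opts{SSL_ca_path} = '/etc/ssl/certs';` in the `@@ -25,25 +25,7 @@` hunk hard-codes the trust store without checking that the directory exists, and the hunk removes the only diagnostic that told the user how to supply a CA source (PERL_LWP_SSL_CA_FILE). If the directory is missing or does not hold hash-named certificate links, the failure would presumably surface later as a generic certificate-verify error from the socket class. I would keep a short guard next to the assignment, e.g. `-d '/etc/ssl/certs' or die "Can't verify SSL peers: /etc/ssl/certs not found; set PERL_LWP_SSL_CA_FILE\n";`, and add a comment such as `# distro policy: trust the system CA directory instead of Mozilla::CA`. The enclosing sub starts before the hunk and continues after it.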
@@ -21,7 +21,11 @@
 $ssl_opts{SSL_verifycn_scheme} = 'www';
 }
 else {
- $ssl_opts{SSL_verify_mode} = 0;
+ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
+ $ssl_opts{SSL_verifycn_scheme} = '';
+ } else {
+ $ssl_opts{SSL_verifycn_scheme} = 'none';
+ }
 }
 if ($ssl_opts{SSL_verify_mode}) {
 unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
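Review bot: The new else branch leaves `SSL_verify_mode` untouched, so with verify_hostname off the `if ($ssl_opts{SSL_verify_mode})` guard in the trailing context applies a default CA location only when the caller set a true mode explicitly; otherwise whether the chain is checked, and against which CA store, appears to be left to the socket class's own defaults. That deserves a comment in the code, because the apparent intent of the CVE-2014-3230 change (turn off only the name check, not certificate validation) cannot be read from the branch itself. Suggested comment above the inner `if`: `# verify_hostname off: disable only the CN check; SSL_verify_mode stays as the caller or socket class set it`. A second comment should say why Net::SSL gets `''` while other socket classes get `'none'`, since the two values look interchangeable to a reader. The enclosing sub starts and ends outside the hunk.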