Pullup ticket #4423 - requested by taca www/p5-LWP-Protocol-https: security patch Apply patch to fix CVE-2014-3230.
diff -r1.11 -r1.11.6.1 pkgsrc/www/p5-LWP-Protocol-https/Makefile
(tron)
@@ -1,17 +1,18 @@ | @@ -1,17 +1,18 @@ | |||
1 | # $NetBSD: Makefile,v 1.11 2013/07/10 02:51:56 schmonz Exp $ | 1 | # $NetBSD: Makefile,v 1.11.6.1 2014/05/28 19:45:34 tron Exp $ | |
2 | 2 | |||
3 | DISTNAME= LWP-Protocol-https-6.04 | 3 | DISTNAME= LWP-Protocol-https-6.04 | |
4 | PKGNAME= p5-${DISTNAME} | 4 | PKGNAME= p5-${DISTNAME} | |
5 | PKGREVISION= 1 | |||
5 | CATEGORIES= www perl5 | 6 | CATEGORIES= www perl5 | |
6 | MASTER_SITES= ${MASTER_SITE_PERL_CPAN:=LWP/} | 7 | MASTER_SITES= ${MASTER_SITE_PERL_CPAN:=LWP/} | |
7 | 8 | |||
8 | MAINTAINER= pkgsrc-users@NetBSD.org | 9 | MAINTAINER= pkgsrc-users@NetBSD.org | |
9 | HOMEPAGE= http://search.cpan.org/dist/LWP-Protocol-https/ | 10 | HOMEPAGE= http://search.cpan.org/dist/LWP-Protocol-https/ | |
10 | COMMENT= Provide https support for LWP::UserAgent | 11 | COMMENT= Provide https support for LWP::UserAgent | |
11 | LICENSE= ${PERL5_LICENSE} | 12 | LICENSE= ${PERL5_LICENSE} | |
12 | 13 | |||
13 | CONFLICTS+= p5-libwww<6.02 | 14 | CONFLICTS+= p5-libwww<6.02 | |
14 | 15 | |||
15 | DEPENDS+= p5-IO-Socket-SSL>=1.38:../../security/p5-IO-Socket-SSL | 16 | DEPENDS+= p5-IO-Socket-SSL>=1.38:../../security/p5-IO-Socket-SSL | |
16 | DEPENDS+= p5-Mozilla-CA>=20110101:../../security/p5-Mozilla-CA | 17 | DEPENDS+= p5-Mozilla-CA>=20110101:../../security/p5-Mozilla-CA | |
17 | 18 |
@@ -1,5 +1,6 @@ | @@ -1,5 +1,6 @@ | |||
1 | $NetBSD: distinfo,v 1.3 2013/07/10 02:51:56 schmonz Exp $ | 1 | $NetBSD: distinfo,v 1.3.6.1 2014/05/28 19:45:34 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (LWP-Protocol-https-6.04.tar.gz) = 5a63cb409ff4ba34006d5a45120e7facc52dc837 | 3 | SHA1 (LWP-Protocol-https-6.04.tar.gz) = 5a63cb409ff4ba34006d5a45120e7facc52dc837 | |
4 | RMD160 (LWP-Protocol-https-6.04.tar.gz) = cc430e930aa607c1436b2be94d171c1192f64f3f | 4 | RMD160 (LWP-Protocol-https-6.04.tar.gz) = cc430e930aa607c1436b2be94d171c1192f64f3f | |
5 | Size (LWP-Protocol-https-6.04.tar.gz) = 4035 bytes | 5 | Size (LWP-Protocol-https-6.04.tar.gz) = 4035 bytes | |
6 | SHA1 (patch-lib_LWP_Protocol_https.pm) = 790507e4e14a1d8cf679f1089cea8fa457bb559d |
$NetBSD: patch-lib_LWP_Protocol_https.pm,v 1.1.2.2 2014/05/28 19:45:34 tron Exp $
Fix for CVE-2014-3230 from
https://github.com/libwww-perl/lwp-protocol-https/pull/14
--- lib/LWP/Protocol/https.pm.orig 2013-04-29 21:16:18.000000000 +0000
+++ lib/LWP/Protocol/https.pm
@@ -20,7 +20,11 @@ sub _extra_sock_opts
$ssl_opts{SSL_verifycn_scheme} = 'www';
}
else {
- $ssl_opts{SSL_verify_mode} = 0;
+ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
+ $ssl_opts{SSL_verifycn_scheme} = '';
+ } else {
+ $ssl_opts{SSL_verifycn_scheme} = 'none';
+ }
}
if ($ssl_opts{SSL_verify_mode}) {
unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
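Review bot: The else branch no longer assigns `SSL_verify_mode`, so when the caller's `ssl_opts` does not carry one, the `if ($ssl_opts{SSL_verify_mode})` guard directly below is false, the CA-file defaulting inside it is skipped, and whether the peer certificate is checked at all is left to the socket class's own default. The package Makefile still accepts `p5-IO-Socket-SSL>=1.38`, and older IO::Socket::SSL releases are understood not to verify the peer by default, so with such a version the fix for CVE-2014-3230 may not take effect; this should be confirmed against the minimum version. If certificate verification is meant to stay on when only hostname checking is disabled, make it explicit in the else branch with `$ssl_opts{SSL_verify_mode} = 1 unless exists $ssl_opts{SSL_verify_mode};`, or raise the DEPENDS floor. A short comment above the `Net::SSL` test saying why that class gets `''` and the other gets `'none'` would also help; `_extra_sock_opts` begins above the hunk and continues past it, so how `%ssl_opts` is populated is not visible here.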