File _patchinfo of Package patchinfo.18037

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.18037

<patchinfo incident="18037">
  <issue tracker="cve" id="2023-31486"/>
  <issue tracker="bnc" id="1211002">VUL-0: CVE-2023-31486: perl-HTTP-Tiny: Perl's HTTP:Tiny has insecure TLS cert default, affecting CPAN.pm and other modules</issue>
  <packager>bigironman</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for perl-HTTP-Tiny</summary>
  <description>This update for perl-HTTP-Tiny fixes the following issues:

perl-HTTP-Tiny was updated to 0.086:

see /usr/share/doc/packages/perl-HTTP-Tiny/Changes

0.086     2023-06-22 10:06:37-04:00 America/New_York

- Fix code to use `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` as documented.

0.084     2023-06-14 06:35:01-04:00 America/New_York

- No changes from 0.083-TRIAL.

0.083     2023-06-11 07:05:45-04:00 America/New_York (TRIAL RELEASE)

[!!! SECURITY !!!]
    - Changes the `verify_SSL` default parameter from `0` to `1`.
      Fixes CVE-2023-31486 (boo#1211002)
    - `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` can be used to restore the
      old default if required.

0.081     2022-07-17 09:01:51-04:00 America/New_York (TRIAL RELEASE)

[FIXED]
      - No longer deletes the 'headers' key from post_form arguments hashref.
      [DOCS]
      - Noted that request/response content are handled as raw bytes.

0.079     2021-11-04 12:33:43-04:00 America/New_York (TRIAL RELEASE)

[FIXED]
      - Fixed uninitialized value warnings on older Perls when the REQUEST_METHOD
        environment variable is set and CGI_HTTP_PROXY is not.

0.077     2021-07-22 13:07:14-04:00 America/New_York (TRIAL RELEASE)

[ADDED]

- Added a `patch` helper method for the HTTP `PATCH` verb.
      - If the REQUEST_METHOD environment variable is set, then CGI_HTTP_PROXY
        replaces HTTP_PROXY.

[FIXED]

- Unsupported scheme errors early without giving an uninitialized value
        warning first.
      - Sends Content-Length: 0 on empty body PUT/POST.  This is not in the spec,
        but some servers require this.
      - Allows optional status line reason, as clarified in RFC 7230.
      - Ignore SIGPIPE on reads as well as writes, as IO::Socket::SSL says that
        SSL reads can also send writes as a side effect.
      - Check if a server has closed a connection before preserving it for reuse.

[DOCS]

- Clarified that exceptions/errors result in 599 status codes.

[PREREQS]

- Optional IO::Socket::IP prereq must be at least version 0.32 to be used.
        This ensures correct timeout support.

0.076     2018-08-05 21:07:38-04:00 America/New_York
  
      - No changes from 0.075-TRIAL.
  
0.075     2018-08-01 07:03:36-04:00 America/New_York (TRIAL RELEASE)
  
      [CHANGED] - The 'peer' option now also can take a code reference

0.073     2018-07-24 11:33:53-04:00 America/New_York (TRIAL RELEASE)
  
      [DOCS] - Documented 'protocol' field in response hash.
  
0.071     2018-04-22 14:45:43+02:00 Europe/Oslo (TRIAL RELEASE)
  
      [DOCS] - Documented that method argument to request() is case-sensitive.
  
</description>
</patchinfo>

Places

File _patchinfo of Package patchinfo.18037

Places