Hi Damyan,

On Mon, Mar 16, 2020 at 10:29 AM Damyan Ivanov <d...@debian.org> wrote:
>
> Any idea how many packages are we talking about?

Below is my working list for filing bugs. It is based on a full text search from codesearch.d.n. My designations may not be entirely consistent, but in general 'good' means that verify_SSL was turned on (or SSL_verify_mode was set in SSL_options) while 'fpos' means it was a false positive that mentioned HTTP::Tiny but did not use it.

As a side note, the POD for HTTP::Tiny is ambiguous whether to use 'verify_SSL' or 'SSL_verify'.

If we fix the issue on the consumer side, as suggested by the security team, we should also include the consumers of many libraries on this list, such as HTTP::Thin. Please see #954057 for details.

Kind regards
Felix Lechner

#954040 cpanminus
#954041 cpanoutdated
[good]  devscripts
#954042 inxi
[fpos]  libalien-gnuplot-perl
#954043 libcpan-common-index-perl
#954044 libcpan-perl-releases-perl
#954045 libcpanplus-perl
#954046 libcpan-sqlite-perl
[http]  libdancer2-perl
[http]  libdancer-perl
[fpos]  libdbix-class-schema-loader-perl
#954054 libdist-inkt-role-test-perl
[fpos]  libfile-slurp-perl
#954051 libgitlab-api-v4-perl
[fpos]  libhijk-perl
#954056 libhtml-html5-parser-perl
[fpos]  libhttp-lite-perl
#954057 libhttp-thin-perl
#954058 libhttp-tinyish-perl
        libhttp-tiny-multipart-perl
        libhttp-tiny-perl
[????]  libio-socket-ssl-perl
[fpos]  liblexical-accessor-perl
[good]  libmenlo-legacy-perl
#954059 libmenlo-perl
#954083 libmetacpan-client-perl
[fpos]  libmodule-corelist-perl
[fpos]  libmongodb-perl
[test]  libmoo-perl
#954084 libnanomsg-raw-perl
[fpos]  libnet-ssleay-perl
#954085 libpandoc-wrapper-perl
[fpos]  libparallel-forkmanager-perl
#954089 libplack-perl
[good]  libprotocol-acme-perl
        librole-rest-client-perl
        libsearch-elasticsearch-perl
        libspreadsheet-readsxc-perl
        libtask-kensho-perl
        liburi-encode-perl
#954048 libwww-oauth-perl
[fpos]  libyahc-perl
[good]  ntp
[fpos]  percona-toolkit
        perl
[fpos]  pinto
#954038 pkg-perl-tools
#954047 pmuninstall
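An added sketch, not part of the original message and not Debian tooling: one way to automate the first triage pass over full-text search hits, using the message's 'good' and 'fpos' designations. The 'none' and 'review' labels, the function names, the regex heuristics and the set of values treated as "off" are assumptions of this example.

```python
import re

# Heuristic triage of Perl source text (assumption: regexes, not a Perl parser).
POD = re.compile(r"^=[a-zA-Z].*?(?:^=cut\b.*?$|\Z)", re.S | re.M)
COMMENT = re.compile(r"(^|\s)#.*$", re.M)
CTOR = re.compile(r"(?<![\w:])HTTP::Tiny\s*->\s*new\b")
# Values treated as "verification off" (assumption of this sketch).
OFF = r"(?:0(?:x0+)?\b|''|\"\"|undef\b|(?:[\w:]*::)?SSL_VERIFY_NONE\b)"
ON = re.compile(r"\b(?:verify_SSL|SSL_verify_mode)\b['\"]?\s*(?:=>|,)\s*(?!" + OFF + r")\S")


def ctor_args(code):
    """Yield the argument text of each HTTP::Tiny->new call ('' if no parens)."""
    for m in CTOR.finditer(code):
        i = m.end()
        while i < len(code) and code[i].isspace():
            i += 1
        if i == len(code) or code[i] != "(":
            yield ""
            continue
        depth, j = 0, i
        while j < len(code):
            depth += {"(": 1, ")": -1}.get(code[j], 0)
            if depth == 0:
                break
            j += 1
        yield code[i + 1:j]


def classify(source):
    """Return 'none', 'fpos', 'good' or 'review' for one file's contents."""
    if "HTTP::Tiny" not in source:
        return "none"
    code = COMMENT.sub(r"\1", POD.sub("", source))
    calls = list(ctor_args(code))
    if not calls:
        return "fpos"      # mentioned (POD, comment) but never constructed
    if all(ON.search(args) for args in calls):
        return "good"      # every constructor turns verification on
    return "review"        # at least one constructor relies on the default


# Constructed sample inputs, not taken from any package on the list.
SAMPLES = {
    "good": 'my $ua = HTTP::Tiny->new(agent => "x/1", verify_SSL => 1);',
    "good_opts": "HTTP::Tiny->new(SSL_options => { SSL_verify_mode => 0x01 });",
    "review": "my $res = HTTP::Tiny->new->get($url);",
    "fpos": "# similar to HTTP::Tiny\n=head1 SEE ALSO\n\nL<HTTP::Tiny>\n\n=cut\nuse LWP::UserAgent;\n",
}
```

Options passed through a variable (for example `HTTP::Tiny->new(%opts)`) land in 'review', and subclasses or wrappers that never call the constructor by name are reported as 'fpos', so both still need a manual look.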