This is for the kirkstone branch. Attached is the updated patch.
Regards,
Soumya
________________________________
From: Richard Purdie <[email protected]>
Sent: Tuesday, June 6, 2023 4:35 PM
To: Sambu, Soumya <[email protected]>; [email protected] <[email protected]>
Subject: Re: [OE-core] [PATCH] perl: fix CVE-2023-31484
On Mon, 2023-06-05 at 17:46 +0000, Soumya via lists.openembedded.org wrote:
> CPAN.pm before 2.35 does not verify TLS certificates when downloading
> distributions over HTTPS.
>
> Signed-off-by: Soumya <[email protected]>
> ---
> .../perl/files/CVE-2023-31484.patch | 29 +++++++++++++++++++
> meta/recipes-devtools/perl/perl_5.34.1.bb | 1 +
> 2 files changed, 30 insertions(+)
> create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch
Which release is this patch against?
Cheers,
Richard
--- Begin Message ---
CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.
Signed-off-by: Soumya <[email protected]>
---
.../perl/files/CVE-2023-31484.patch | 29 +++++++++++++++++++
meta/recipes-devtools/perl/perl_5.34.1.bb | 1 +
2 files changed, 30 insertions(+)
create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 0000000000..1f7cbd0da1
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,29 @@
+From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <[email protected]>
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+Upstream-Status: Backport
[https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]
+
+CVE: CVE-2023-31484
+
+Signed-off-by: Soumya <[email protected]>
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+ my $want_proxy = $self->_want_proxy($uri);
+ my $http = HTTP::Tiny->new(
++ verify_SSL => 1,
+ $want_proxy ? (proxy => $self->{proxy}) : ()
+ );
+
+--
+2.40.0
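Review bot: The `Upstream-Status:` header in the new patch file is split, with the commit URL on its own line and without a leading `+` (if that is the file's real content rather than mail-client wrapping, `git am` will reject this hunk); keep `Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]` on one line, as oe-core's patch conventions expect. The code change itself is the single `verify_SSL => 1` argument to `HTTP::Tiny->new` in `CPAN::HTTP::Client::mirror`, which matches the subject line; note in the commit message that this fails closed, i.e. a mirror whose certificate does not chain to a CA in the target's trust store will now be refused rather than silently accepted.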
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb
b/meta/recipes-devtools/perl/perl_5.34.1.bb
index af4660091b..1fa8482bcd 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.1.bb
@@ -19,6 +19,7 @@ SRC_URI =
"https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
file://0001-Fix-build-with-gcc-12.patch \
file://CVE-2023-31486.patch \
+ file://CVE-2023-31484.patch \
"
SRC_URI:append:class-native = " \
file://perl-configpm-switch.patch \
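Review bot: The recipe hunk is the minimal one-line `SRC_URI` addition, and because the added patch carries a `CVE: CVE-2023-31484` tag, cve-check will record the CVE as patched without any `CVE_CHECK_IGNORE` entry. The open point in the thread is the target release: `perl_5.34.1.bb` is the kirkstone recipe (as the follow-up confirms), so the submission subject should carry a `[kirkstone]` prefix so the patch is not mistaken for a master change.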
--
2.40.0
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#182417):
https://lists.openembedded.org/g/openembedded-core/message/182417
Mute This Topic: https://lists.openembedded.org/mt/99359707/7320427
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
--- End Message ---
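To make the effect of the one-line change concrete, here is an added example in Perl (it is not code from cpanpm, oe-core, or this patch) that builds an HTTP::Tiny client the way CPAN::HTTP::Client::mirror did before the fix and the way it does after, then fetches the same URL with both. The helper names make_mirror_client and fetch, the optional `verify`/`proxy` arguments, and the mirror URL are assumptions made for the example; HTTP::Tiny's `verify_SSL`, `proxy`, `can_ssl`, and its 599 "Internal Exception" status for transport failures are the module's documented behaviour.

```perl
#!/usr/bin/perl
# Added example, not cpanpm or oe-core code: contrasts an HTTP::Tiny client
# without verify_SSL (the pre-patch CPAN::HTTP::Client behaviour, which accepts
# any certificate) with one built with verify_SSL => 1 as the patch does.
use strict;
use warnings;
use HTTP::Tiny;

# Build a client the way the patched mirror() does; the proxy idiom mirrors
# `$want_proxy ? (proxy => $self->{proxy}) : ()` from the hunk. (helper name
# and the verify/proxy arguments are assumptions for this example)
sub make_mirror_client {
    my (%opt) = @_;
    return HTTP::Tiny->new(
        verify_SSL => $opt{verify} ? 1 : 0,
        $opt{proxy} ? (proxy => $opt{proxy}) : (),
    );
}

# Fetch a URL and classify the outcome. HTTP::Tiny reports a failed TLS
# handshake, including a certificate that fails verification, as status 599
# with the error text in the body rather than as an HTTP status.
sub fetch {
    my ($http, $url) = @_;
    my $res = $http->get($url);
    return { ok => 1, bytes => length $res->{content} } if $res->{success};
    my $kind = $res->{status} == 599 ? 'transport/TLS error' : "HTTP $res->{status}";
    return { ok => 0, kind => $kind, detail => $res->{content} // $res->{reason} };
}

# verify_SSL needs IO::Socket::SSL and Net::SSLeay; bail out early if absent.
my ($can_ssl, $why) = HTTP::Tiny->can_ssl;
die "No TLS support in this perl: $why\n" unless $can_ssl;

# Placeholder mirror URL; pass a real one as the first argument.
my $url = $ARGV[0] // 'https://mirror.example.invalid/authors/01mailrc.txt.gz';

for my $verify (0, 1) {
    my $http = make_mirror_client(verify => $verify);
    my $r    = fetch($http, $url);
    printf "verify_SSL=%d: %s\n", $verify,
        $r->{ok} ? "downloaded $r->{bytes} bytes" : "$r->{kind}: $r->{detail}";
}
```

Against a mirror presenting a self-signed or mismatched certificate, the `verify_SSL=0` client downloads happily while the `verify_SSL=1` client reports a 599 transport error naming the verification failure, which is the fail-closed behaviour the patch introduces. The practical consequence for an image built from this recipe is that `cpan` downloads now depend on a usable CA store on the target (a system bundle or Mozilla::CA), so a missing trust store shows up as every HTTPS mirror fetch failing, not as a silent downgrade.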
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#182426):
https://lists.openembedded.org/g/openembedded-core/message/182426
Mute This Topic: https://lists.openembedded.org/mt/99345985/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-