From 282fdd80c2517eca341347fc32518ece908b3f90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
Date: Fri, 2 Sep 2016 09:24:00 +0200
Subject: 0.064 bump

---
 .gitignore                                         |  1 +
 ...-1238-avoid-loading-optional-modules-from.patch | 39 ----------------------
 perl-HTTP-Tiny.spec                                | 12 +++----
 sources                                            |  2 +-
 4 files changed, 8 insertions(+), 46 deletions(-)
 delete mode 100644 
HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch

diff --git a/.gitignore b/.gitignore
index 07c7afa..83c5551 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@
 /HTTP-Tiny-0.054.tar.gz
 /HTTP-Tiny-0.056.tar.gz
 /HTTP-Tiny-0.058.tar.gz
+/HTTP-Tiny-0.064.tar.gz
diff --git 
a/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch 
b/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
deleted file mode 100644
index db4eb9c..0000000
--- a/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From b239c95ea7a256cfee9b8848f1bd4d1df6e66444 Mon Sep 17 00:00:00 2001
-From: Tony Cook <[email protected]>
-Date: Wed, 27 Jul 2016 16:06:32 +1000
-Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
-
-The final . perl adds to @INC can be used by an attacker to fake
-an optional module in a world writable directory for a process
-using HTTP::Tiny when run from that directory.
-
-Remove the default . from the end of @INC when loading optional
-modules.
-
-Closes #90
----
- lib/HTTP/Tiny.pm | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
-index f8059b7..ea6db53 100644
---- a/lib/HTTP/Tiny.pm
-+++ b/lib/HTTP/Tiny.pm
-@@ -504,6 +504,8 @@ sub can_ssl {
-     my($ok, $reason) = (1, '');
- 
-     # Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback
-+    local @INC = @INC;
-+    pop @INC if $INC[-1] eq '.';
-     unless (eval {require IO::Socket::SSL; IO::Socket::SSL->VERSION(1.42)}) {
-         $ok = 0;
-         $reason .= qq/IO::Socket::SSL 1.42 must be installed for https 
support\n/;
-@@ -1568,6 +1570,8 @@ sub _find_CA_file {
-         return $ca_file;
-     }
- 
-+    local @INC = @INC;
-+    pop @INC if $INC[-1] eq '.';
-     return Mozilla::CA::SSL_ca_file()
-         if eval { require Mozilla::CA; 1 };
- 
diff --git a/perl-HTTP-Tiny.spec b/perl-HTTP-Tiny.spec
index 443b086..b3b366f 100644
--- a/perl-HTTP-Tiny.spec
+++ b/perl-HTTP-Tiny.spec
@@ -1,6 +1,6 @@
 Name:           perl-HTTP-Tiny
-Version:        0.058
-Release:        3%{?dist}
+Version:        0.064
+Release:        1%{?dist}
 Summary:        Small, simple, correct HTTP/1.1 client
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@@ -9,9 +9,6 @@ Source0:        
http://www.cpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{version
 # Check for write failure, bug #1031096, refused by upstream,
 # <https://github.com/chansen/p5-http-tiny/issues/32>
 Patch0:         HTTP-Tiny-0.058-Croak-on-failed-write-into-a-file.patch
-# Avoid loading optional modules from default . (CVE-2016-1238)
-# in upstream after 0.059
-Patch1:         
HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch:      noarch
 BuildRequires:  findutils
 BuildRequires:  make
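Review bot: Removing Patch1 in this hunk drops the downstream CVE-2016-1238 fix, yet the new changelog entry says only `- 0.064 bump`, so the package history shows the fix arriving in 0.058-3 and then nothing about where it went. The deleted spec comment gives the justification ("in upstream after 0.059"), and that should survive in the changelog, for example `- Drop CVE-2016-1238 patch, merged upstream after 0.059`. Before building, it is also worth confirming that lib/HTTP/Tiny.pm in the 0.064 tarball still strips a trailing `.` from @INC in can_ssl and _find_CA_file, because the tarball contents are not visible in this diff. The matching `%patch1 -p1` removal in %prep is consistent with this hunk.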
@@ -44,6 +41,7 @@ BuildRequires:  perl(IO::File)
 BuildRequires:  perl(IO::Socket::INET)
 # IO::Socket::SSL 1.56 not needed
 BuildRequires:  perl(IPC::Cmd)
+BuildRequires:  perl(lib)
 # Mozilla::CA not needed
 # Net::SSLeay 1.49 not needed
 BuildRequires:  perl(open)
@@ -68,7 +66,6 @@ resumes after EINTR.
 %prep
 %setup -q -n HTTP-Tiny-%{version}
 %patch0 -p1
-%patch1 -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -89,6 +86,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Fri Sep 02 2016 Petr Pisar <[email protected]> - 0.064-1
+- 0.064 bump
+
 * Tue Aug 02 2016 Jitka Plesnikova <[email protected]> - 0.058-3
 - Avoid loading optional modules from default . (CVE-2016-1238)
 
diff --git a/sources b/sources
index 2854176..be1cc11 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2cef09fbfc897c14547f3774d14824eb  HTTP-Tiny-0.058.tar.gz
+4673143f2e400c8c7cc972b37a249e14  HTTP-Tiny-0.064.tar.gz
-- 
cgit v0.12


        
http://pkgs.fedoraproject.org/cgit/perl-HTTP-Tiny.git/commit/?h=f25&id=282fdd80c2517eca341347fc32518ece908b3f90