Re: Bug#962407: libhttp-tiny-perl: CVE-2023-31486: Does not default to verify SSL certificates
- To: Damyan Ivanov <dmn@debian.org>, 962407@bugs.debian.org
- Cc: debian-perl@lists.debian.org
- From: gregor herrmann <gregoa@debian.org>
- Date: Mon, 19 Jun 2023 19:27:07 +0200
- Message-id: <ZJCP64bgX+u2VR+s@jadzia.comodo.priv.at>
- Mail-followup-to: Damyan Ivanov <dmn@debian.org>, 962407@bugs.debian.org, debian-perl@lists.debian.org
- In-reply-to: <Yo9yYOJVWzPlzc6N@ktnx.net>
- References: <20200520220220.7s3bkjxv4ykcrk5r@urchin.earth.li> <20200524163854.eus6rdpbdapvv2xe@urchin.earth.li> <20200524180028.GB6846@jadzia.comodo.priv.at> <20200607162221.l5gnwrpwbydbdznh@urchin.earth.li> <CAFHYt55BmsvEZAMTnUDot6AxCSFk6FYg4DGtGMXBagts_L+_-A@mail.gmail.com> <20200607164541.nebj25hvjnthtoc2@urchin.earth.li> <CAFHYt55BmsvEZAMTnUDot6AxCSFk6FYg4DGtGMXBagts_L+_-A@mail.gmail.com> <Yo6QaV8x7iQEN8ek@jadzia.comodo.priv.at> <CAFHYt55BmsvEZAMTnUDot6AxCSFk6FYg4DGtGMXBagts_L+_-A@mail.gmail.com> <Yo9yYOJVWzPlzc6N@ktnx.net>
Control: tag -1 + fixed-upstream
On Thu, 26 May 2022 12:28:16 +0000, Damyan Ivanov wrote:
> > > https://github.com/chansen/p5-http-tiny/issues/134
> > Revisiting this issue now, the state seems to be:
> > The upstream ticket was closed with
> > "On reflection, we shouldn't make this change for backwards compatibility."
Update: This is now changed in HTTP::Tiny 0.083 (which also got
imported into perl core 5.38-RC1):
https://metacpan.org/release/DAGOLDEN/HTTP-Tiny-0.084/source/Changes#L11-12
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-