• Type: Bug
• Resolution: Done-Errata
• Priority: Undefined
• Fix Version/s: rhel-8.10
• Affects Version/s: rhel-8.10
• Component/s: perl-HTTP-Tiny
• Labels:

  None

[RHEL-21763] perl-HTTP-Tiny: man page not updated to reflect fix for CVE-2023-31486 [rhel-8]

Collapse comment: Errata Tool added a comment - 2024/05/22 10:17 AM

Errata Tool added a comment - 2024/05/22 10:17 AM

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (perl-HTTP-Tiny bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2024:3206

Expand comment: Errata Tool added a comment - 2024/05/22 10:17 AM

Errata Tool added a comment - 2024/05/22 10:17 AM Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (perl-HTTP-Tiny bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2024:3206

Collapse comment: Martin Kyral added a comment - 2024/01/26 8:27 AM, Edited by Martin Kyral - 2024/01/26 8:50 AM

Martin Kyral added a comment - 2024/01/26 8:27 AM - edited

Verified manually on 1MT-RHEL-8.10.0-20240123.20:

the man page in question now contains the following:

 

      •   "verify_SSL" — A boolean that indicates whether to validate the SSL certificate of an "https" — connection
          (default is true). Changed from false to true for CVE-2023-31486.

      •   "SSL_options" — A hashref of "SSL_*" — options to pass through to IO::Socket::SSL

      •   $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} — Changes the default certificate verification behavior to not
          check server identity if set to 1. Only effective if "verify_SSL" is not set. Added for CVE-2023-31486.

 

which reflects the change made to fix CVE-2023-31486

Expand comment: Martin Kyral added a comment - 2024/01/26 8:27 AM, Edited by Martin Kyral - 2024/01/26 8:50 AM

Martin Kyral added a comment - 2024/01/26 8:27 AM - edited Verified manually on 1MT-RHEL-8.10.0-20240123.20: the man page in question now contains the following:         •   "verify_SSL" — A boolean that indicates whether to validate the SSL certificate of an "https" — connection           (default is true). Changed from false to true for CVE-2023-31486.       •   "SSL_options" — A hashref of "SSL_*" — options to pass through to IO::Socket::SSL       •   $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} — Changes the default certificate verification behavior to not           check server identity if set to 1. Only effective if "verify_SSL" is not set. Added for CVE-2023-31486.   which reflects the change made to fix CVE-2023-31486

Collapse comment: gitlab-bot added a comment - 2024/01/16 1:16 PM

gitlab-bot added a comment - 2024/01/16 1:16 PM

Jitka Plesníková mentioned this issue in a merge request of Red Hat / centos-stream / rpms / perl-HTTP-Tiny on branch c8s-RHEL-21763:

Resolves: RHEL-21763

Expand comment: gitlab-bot added a comment - 2024/01/16 1:16 PM

gitlab-bot added a comment - 2024/01/16 1:16 PM Jitka Plesníková mentioned this issue in a merge request of Red Hat / centos-stream / rpms / perl-HTTP-Tiny on branch c8s-RHEL-21763 : Resolves: RHEL-21763