openSUSE Security Update: Security update for perl-HTTP-Tiny
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0223-1
Rating:             moderate
References:         #1211002 
Cross-References:   CVE-2023-31486
CVSS scores:
                    CVE-2023-31486 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2023-31486 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for perl-HTTP-Tiny fixes the following issues:

   perl-HTTP-Tiny was updated to 0.086:

   see /usr/share/doc/packages/perl-HTTP-Tiny/Changes

   0.086     2023-06-22 10:06:37-04:00 America/New_York

       - Fix code to use `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` as
         documented.

   0.084     2023-06-14 06:35:01-04:00 America/New_York

       - No changes from 0.083-TRIAL.

   0.083     2023-06-11 07:05:45-04:00 America/New_York (TRIAL RELEASE)

       [!!! SECURITY !!!]
       - Changes the `verify_SSL` default parameter from `0` to `1`. Fixes
         CVE-2023-31486 (boo#1211002)
       - `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` can be used to
         restore the
         old default if required.

   0.081     2022-07-17 09:01:51-04:00 America/New_York (TRIAL RELEASE)

         [FIXED]
         - No longer deletes the 'headers' key from post_form arguments
   hashref. [DOCS]
         - Noted that request/response content are handled as raw bytes.

   0.079     2021-11-04 12:33:43-04:00 America/New_York (TRIAL RELEASE)

         [FIXED]
         - Fixed uninitialized value warnings on older Perls when the
   REQUEST_METHOD environment variable is set and CGI_HTTP_PROXY is not.

   0.077     2021-07-22 13:07:14-04:00 America/New_York (TRIAL RELEASE)

         [ADDED]

         - Added a `patch` helper method for the HTTP `PATCH` verb.
         - If the REQUEST_METHOD environment variable is set, then
   CGI_HTTP_PROXY replaces HTTP_PROXY.

         [FIXED]

         - Unsupported scheme errors early without giving an uninitialized
   value warning first.
         - Sends Content-Length: 0 on empty body PUT/POST.  This is not in
   the spec, but some servers require this.
         - Allows optional status line reason, as clarified in RFC 7230.
         - Ignore SIGPIPE on reads as well as writes, as IO::Socket::SSL says
   that SSL reads can also send writes as a side effect.
         - Check if a server has closed a connection before preserving it for
   reuse.

         [DOCS]

         - Clarified that exceptions/errors result in 599 status codes.

         [PREREQS]

         - Optional IO::Socket::IP prereq must be at least version 0.32 to be
   used. This ensures correct timeout support.

   0.076     2018-08-05 21:07:38-04:00 America/New_York

         - No changes from 0.075-TRIAL.

   0.075     2018-08-01 07:03:36-04:00 America/New_York (TRIAL RELEASE)

         [CHANGED] - The 'peer' option now also can take a code reference

   0.073     2018-07-24 11:33:53-04:00 America/New_York (TRIAL RELEASE)

         [DOCS] - Documented 'protocol' field in response hash.

   0.071     2018-04-22 14:45:43+02:00 Europe/Oslo (TRIAL RELEASE)

         [DOCS] - Documented that method argument to request() is
   case-sensitive.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2023-223=1



Package List:

   - openSUSE Backports SLE-15-SP5 (noarch):

      perl-HTTP-Tiny-0.086-bp155.3.3.1


References:

   https://www.suse.com/security/cve/CVE-2023-31486.html
   https://bugzilla.suse.com/1211002

openSUSE: 2023:0223-1 moderate: perl-HTTP-Tiny

August 15, 2023
An update that fixes one vulnerability is now available

Description

This update for perl-HTTP-Tiny fixes the following issues: perl-HTTP-Tiny was updated to 0.086: see /usr/share/doc/packages/perl-HTTP-Tiny/Changes 0.086 2023-06-22 10:06:37-04:00 America/New_York - Fix code to use `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` as documented. 0.084 2023-06-14 06:35:01-04:00 America/New_York - No changes from 0.083-TRIAL. 0.083 2023-06-11 07:05:45-04:00 America/New_York (TRIAL RELEASE) [!!! SECURITY !!!] - Changes the `verify_SSL` default parameter from `0` to `1`. Fixes CVE-2023-31486 (boo#1211002) - `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` can be used to restore the old default if required. 0.081 2022-07-17 09:01:51-04:00 America/New_York (TRIAL RELEASE) [FIXED] - No longer deletes the 'headers' key from post_form arguments hashref. [DOCS] - Noted that request/response content are handled as raw bytes. 0.079 2021-11-04 12:33:43-04:00 America/New_York (TRIAL RELEASE) [FIXED] - Fixed uninitialized value warnings on older Perls when the REQUEST_METHOD environment variable is set and CGI_HTTP_PROXY is not. 0.077 2021-07-22 13:07:14-04:00 America/New_York (TRIAL RELEASE) [ADDED] - Added a `patch` helper method for the HTTP `PATCH` verb. - If the REQUEST_METHOD environment variable is set, then CGI_HTTP_PROXY replaces HTTP_PROXY. [FIXED] - Unsupported scheme errors early without giving an uninitialized value warning first. - Sends Content-Length: 0 on empty body PUT/POST. This is not in the spec, but some servers require this. - Allows optional status line reason, as clarified in RFC 7230. - Ignore SIGPIPE on reads as well as writes, as IO::Socket::SSL says that SSL reads can also send writes as a side effect. - Check if a server has closed a connection before preserving it for reuse. [DOCS] - Clarified that exceptions/errors result in 599 status codes. [PREREQS] - Optional IO::Socket::IP prereq must be at least version 0.32 to be used. This ensures correct timeout support. 0.076 2018-08-05 21:07:38-04:00 America/New_York - No changes from 0.075-TRIAL. 0.075 2018-08-01 07:03:36-04:00 America/New_York (TRIAL RELEASE) [CHANGED] - The 'peer' option now also can take a code reference 0.073 2018-07-24 11:33:53-04:00 America/New_York (TRIAL RELEASE) [DOCS] - Documented 'protocol' field in response hash. 0.071 2018-04-22 14:45:43+02:00 Europe/Oslo (TRIAL RELEASE) [DOCS] - Documented that method argument to request() is case-sensitive.

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-223=1


Package List

- openSUSE Backports SLE-15-SP5 (noarch): perl-HTTP-Tiny-0.086-bp155.3.3.1


References

https://www.suse.com/security/cve/CVE-2023-31486.html https://bugzilla.suse.com/1211002


Severity
Announcement ID: openSUSE-SU-2023:0223-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP5 .

Related News

11.Locks IsometricPattern Esm H320
2 - 3 min read
The Kinsing hacker group, or H2Miner, has been orchestrating illicit cryptocurrency mining campaigns since 2019 and poses a persistent security
32.Lock Code Circular Esm H320
2 - 3 min read
The Kimsuky APT group, reportedly linked to North Korea's Reconnaissance General Bureau (RGB), has been identified deploying a Linux version of its
4.Lock AbstractDigital Esm H320
2 - 3 min read
Recent research sheds light on the security vulnerabilities prevalent in Linux vendor kernels due to flawed engineering processes that backport
28.Lock Globe Esm H320
1 - 2 min read
The intersection of Linux and quantum computing has become increasingly apparent, emphasizing the importance of Linux-based operating systems in
6.EmailConnection Touch Esm H320
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
30.Lock Globe Motherboard Esm H320
1 - 2 min read
As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect
22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved