tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

p5-libwww



Hi,

p5-libwww is at present at version 5.837 in pkgsrc
the current version of that software is 6.02

5.837 is the last '5' version, the '6' versions have a bunch of moduls
split out. I recently packaged these new modules, so that all dependencies
for p5-libwww-6.02 are already present.

Formally, p5-libwww-6.02 does not depend on p5-LWP-Protocol-https,
but p5-libwww-5.837 contained https capability. That's the reason it
reports as vulnerable in fact:
p5-libwww-5.837 wasn't too picky about the certs it got, ie it did
encryption but not really verification. p5-LWP-Protocol-https by default
checks the certificate, or fails if it can't when e.g. there is no CA cert
for the certificate in question. One can tell it to not verify by setting
the environment variable PERL_LWP_SSL_VERIFY_HOSTNAME to 0.

So, update p5-libwww? with or without p5-LWP-Protocol-https as package
dependency?

regards,
        spz
-- 
spz%serpens.de@localhost (S.P.Zeidler)


Home | Main Index | Thread Index | Old Index