HTTP::Tiny v0.082 is an HTTP client included in Perl (since v5.13.9) and also a standalone CPAN module. It does not verify TLS certificates by default, requiring users to opt in with the verify_SSL=>1 flag to verify the identity of the HTTPS server they are communicating with.

https://www.openwall.com/lists/oss-security/2023/04/18/14
https://github.com/chansen/p5-http-tiny/issues/134
https://github.com/chansen/p5-http-tiny/pull/153
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
https://hackeriet.github.io/cpan-http-tiny-overview/
https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/
https://github.com/advisories/GHSA-g56r-phrf-6pc4
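
An added example, not part of the original report or of HTTP::Tiny itself: a Perl audit script that flags `HTTP::Tiny->new` calls which do not opt in with `verify_SSL => 1`, the situation described above. The names `find_unverified_clients` and `slurp` and the sample source are constructed for illustration; the check is a regex heuristic that assumes at most one level of nested parentheses and treats any non-literal value (such as a variable) as opted in.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Return [line, text] pairs for HTTP::Tiny->new calls that do not pass a
# true-looking value for verify_SSL.
sub find_unverified_clients {
    my ($source) = @_;
    my @findings;
    # Optional argument list, balanced to one level of nested parentheses.
    my $call = qr/HTTP::Tiny\s*->\s*new\b\s*(\((?:[^()]|\([^()]*\))*\))?/;
    while ($source =~ /$call/g) {
        my ($start, $end) = ($-[0], $+[0]);
        my $args = defined $1 ? $1 : '';
        # Literal false values (0, '', "", undef) still count as unverified.
        next if $args =~ /\bverify_SSL['"]?\s*(?:=>|,)\s*(?!(?:0|''|""|undef)\s*[,)])\S/;
        my $line = 1 + (substr($source, 0, $start) =~ tr/\n//);
        (my $text = substr($source, $start, $end - $start)) =~ s/\s+/ /g;
        push @findings, [$line, $text];
    }
    return @findings;
}

sub slurp {
    my ($path) = @_;
    open my $fh, '<', $path or die "$path: $!";
    local $/;    # read the whole file at once
    return scalar <$fh>;
}

my $sample = <<'END';    # constructed sample, not taken from any real module
use HTTP::Tiny;
my $a = HTTP::Tiny->new;
my $b = HTTP::Tiny->new(timeout => 10);
my $c = HTTP::Tiny->new(
    agent      => ua_string(),
    verify_SSL => 1,
);
my $d = HTTP::Tiny->new(verify_SSL => 0);
my $res = HTTP::Tiny->new->get('https://example.org/');
END

# Scan the files named on the command line, or the sample when none are given.
my @inputs = @ARGV ? map { [$_, slurp($_)] } @ARGV : (['<sample>', $sample]);
for my $in (@inputs) {
    my ($name, $source) = @$in;
    printf "%s:%d: %s  <- add verify_SSL => 1\n", $name, @$_
        for find_unverified_clients($source);
}
```

Run with no arguments, it reports the calls assigned to `$a`, `$b`, `$d` and `$res` in the sample and leaves `$c` alone.
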
Created perl-HTTP-Tiny tracking bugs for this issue: Affects: fedora-all [bug 2228395]
Created perl:5.32/perl-HTTP-Tiny tracking bugs for this issue: Affects: fedora-all [bug 2228396]
Created perl:5.34/perl-HTTP-Tiny tracking bugs for this issue: Affects: fedora-all [bug 2228397]
Created perl:5.36/perl-HTTP-Tiny tracking bugs for this issue: Affects: fedora-all [bug 2228398]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6542 https://access.redhat.com/errata/RHSA-2023:6542
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7174 https://access.redhat.com/errata/RHSA-2023:7174
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0422 https://access.redhat.com/errata/RHSA-2024:0422
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:0579 https://access.redhat.com/errata/RHSA-2024:0579
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:4430 https://access.redhat.com/errata/RHSA-2024:4430