libgitlab-api-v4-perl: CVE-2023-31485

Related Vulnerabilities: CVE-2023-31485  

Debian Bug report logs - #954051
libgitlab-api-v4-perl: CVE-2023-31485

Reported by: Felix Lechner <felix.lechner@lease-up.com>

Date: Mon, 16 Mar 2020 02:45:02 UTC

Severity: important

Tags: security, upstream

Forwarded to https://github.com/bluefeet/GitLab-API-v4/pull/57



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954051; Package libgitlab-api-v4-perl. (Mon, 16 Mar 2020 02:45:04 GMT)


Acknowledgement sent to Felix Lechner <felix.lechner@lease-up.com>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 16 Mar 2020 02:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Felix Lechner <felix.lechner@lease-up.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgitlab-api-v4-perl: Please verify server identity via SSL
Date: Sun, 15 Mar 2020 19:43:16 -0700
Package: libgitlab-api-v4-perl
Severity: important

Dear maintainer,

Your package uses the Perl module HTTP::Tiny but does not set the
verify_SSL attribute to a true value.

By default, that module does not validate the identity of server
certificates. The documentation states that "Server identity
verification is controversial and potentially tricky..." [1]

As late as 2015, upstream has been doubling up: "we're not going to be
responsible for the user's trust model" [2]

I believe, on the other hand, that the encryption of a transmission
has no value when talking to the wrong person. You can easily see the
useless and dangerous default by running the script at the end of this
message.

Will you please turn on the verify_SSL attribute in HTTP::Tiny?

Kind regards
Felix Lechner

[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68

* * *

#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Tiny;

# HTTP::Tiny->new is called without verify_SSL => 1, so the server's
# certificate is never checked. self-signed.badssl.com deliberately serves
# a self-signed certificate; a client that verifies identity must reject it.
my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/');
die "Failed!\n"
    unless $response->{success};

# Reaching this line means the self-signed certificate was accepted.
print "$response->{status} $response->{reason}\n";

# Header values are scalars, or array refs when a header was repeated.
while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}

print $response->{content}
    if length $response->{content};
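The following script is an added example, not part of the bug report above and not code from the GitLab::API::v4 project. It contrasts the HTTP::Tiny default the report criticises with a client constructed with verify_SSL => 1 (a documented HTTP::Tiny constructor attribute; it needs IO::Socket::SSL and a CA bundle, either the system store or Mozilla::CA). It probes the self-signed host named in the report plus https://badssl.com/, which serves a properly issued certificate, so it needs network access; the hardened client should reject the first and accept the second, while the default client accepts both. A library such as GitLab::API::v4 has to construct its HTTP::Tiny object this way itself, which is what the forwarded pull request is about; the helper names here are the example's own.

```perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Tiny;

# Client that validates the certificate chain and the host name.
sub hardened_client {
    return HTTP::Tiny->new(
        verify_SSL => 1,
        timeout    => 10,
    );
}

# Client with the defaults the bug report objects to: no identity check.
# Kept only to show the difference in behaviour side by side.
sub unverified_client {
    return HTTP::Tiny->new(timeout => 10);
}

# Fetch a URL and return a short status string instead of dying, so the
# caller can compare results across endpoints. On a TLS failure HTTP::Tiny
# returns a synthetic 599 response whose content holds the error text.
sub probe {
    my ($client, $url) = @_;
    my $res = $client->get($url);
    return "accepted ($res->{status})" if $res->{success};
    my $detail = $res->{status} == 599 ? " - $res->{content}" : '';
    $detail =~ s/\s+$//;
    return "rejected ($res->{status} $res->{reason}$detail)";
}

# self-signed.badssl.com is the host from the bug report; badssl.com itself
# serves a valid, publicly trusted certificate. URLs can be overridden on
# the command line.
my @urls = @ARGV ? @ARGV
                 : ('https://self-signed.badssl.com/', 'https://badssl.com/');

for my $url (@urls) {
    print "$url\n";
    print "  default client : ", probe(unverified_client(), $url), "\n";
    print "  verify_SSL => 1: ", probe(hardened_client(),   $url), "\n";
}
```

The only difference between the two constructors is the verify_SSL attribute; everything else about the request is identical, which is the point of the report: encryption alone does not tell the client who it is talking to.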



Changed Bug title to 'ibgitlab-api-v4-perl: CVE-2023-31485' from 'libgitlab-api-v4-perl: Please verify server identity via SSL'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 13:51:03 GMT)


Set Bug forwarded-to-address to 'https://github.com/bluefeet/GitLab-API-v4/pull/57'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 13:51:03 GMT)


Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 18:51:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 30 13:12:26 2023; Machine Name: bembo
