[Bug 509819] New: perl-IO-Socket-SSL: incorrect checking of certificate hostnames
bugzilla at redhat.com
Mon Jul 6 12:59:07 UTC 2009
Summary: perl-IO-Socket-SSL: incorrect checking of certificate hostnames
https://bugzilla.redhat.com/show_bug.cgi?id=509819
Product: Security Response
Version: unspecified
Platform: All
OS/Version: Linux
Status: NEW
Status Whiteboard: impace=moderate,source=gentoo,reported=20090703,public=20090703
Keywords: Security
Severity: medium
Priority: medium
Component: vulnerability
AssignedTo: security-response-team at redhat.com
ReportedBy: thoger at redhat.com
CC: paul at city-fan.org, wtogami at redhat.com, jpo at di.uminho.pt, fedora-perl-devel-list at redhat.com
Classification: Other
Target Release: ---
IO::Socket::SSL version 1.26 was released, fixing a bug in the hostname
verification code.
v1.26 2009.07.03
- SECURITY BUGFIX!
fix Bug in verify_hostname_of_cert where it matched only the prefix for
the hostname when no wildcard was given, e.g. www.example.org matched
against a certificate with name www.exam in it
An attacker could use this flaw to spoof the identity of an SSL-protected site if
he could obtain a valid certificate, from a CA trusted by the client, whose CN is
a prefix of the hostname the client tried to connect to (e.g. domain.co when the
client tries to connect to domain.com).
Upstream fix (diff between 1.25 and 1.26):
http://search.cpan.org/diff?from=IO-Socket-SSL-1.25&to=IO-Socket-SSL-1.26&w=1
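To make the prefix-matching defect concrete, here is an added Python reconstruction of the two behaviours (not code from IO::Socket::SSL itself; the exact 1.25 regex construction is an assumption based on the changelog): the buggy checker only anchors the end of the pattern when a wildcard is present, the fixed checker always requires a full match and accepts a wildcard only as the whole leftmost label.

```python
import re


def _name_to_regex(cert_name: str, anchor_end: bool) -> "re.Pattern[str]":
    """Turn a certificate name into a regex; each '*' covers one label fragment."""
    literal_parts = [re.escape(part) for part in cert_name.split("*")]
    body = "[^.]+".join(literal_parts)
    return re.compile("^" + body + ("$" if anchor_end else ""), re.IGNORECASE)


def buggy_matches(hostname: str, cert_name: str) -> bool:
    """Assumed reconstruction of 1.25: without a wildcard only the prefix is checked,
    so a certificate for 'www.exam' is accepted for 'www.example.org'."""
    anchored = "*" in cert_name  # end anchor was only applied in the wildcard branch
    return _name_to_regex(cert_name, anchored).match(hostname) is not None


def fixed_matches(hostname: str, cert_name: str) -> bool:
    """Hardened check: exact (case-insensitive) match, or a '*.suffix' wildcard
    whose '*' must cover exactly one non-empty DNS label."""
    host = hostname.rstrip(".").lower()
    name = cert_name.rstrip(".").lower()
    if "*" not in name:
        return host == name
    # Only "*.example.org"-style names are honoured; "www.*.org" or "w*.org" are not.
    if not name.startswith("*.") or "*" in name[2:]:
        return False
    suffix = name[1:]  # ".example.org"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]  # the part the wildcard has to cover
    return label != "" and "." not in label


def any_name_matches(hostname: str, cert_names, checker=fixed_matches) -> bool:
    """Apply a checker to every name found in the certificate (CN and SAN entries)."""
    return any(checker(hostname, name) for name in cert_names)
```

Comparing `buggy_matches` and `fixed_matches` on the changelog's own example (`www.example.org` against `www.exam`) shows the former accepting and the latter rejecting the certificate.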