[Bug 509819] New: perl-IO-Socket-SSL: incorrect checking of certificate hostnames

[bugzilla at redhat.com]

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.

Summary: perl-IO-Socket-SSL: incorrect checking of certificate hostnames

https://bugzilla.redhat.com/show_bug.cgi?id=509819

           Summary: perl-IO-Socket-SSL: incorrect checking of certificate
                    hostnames
           Product: Security Response
           Version: unspecified
          Platform: All
        OS/Version: Linux
            Status: NEW
 Status Whiteboard: impace=moderate,source=gentoo,reported=20090703,public
                    =20090703
          Keywords: Security
          Severity: medium
          Priority: medium
         Component: vulnerability
        AssignedTo: security-response-team at redhat.com
        ReportedBy: thoger at redhat.com
                CC: paul at city-fan.org, wtogami at redhat.com,
                    jpo at di.uminho.pt, fedora-perl-devel-list at redhat.com
    Classification: Other
    Target Release: ---


New IO::Socket::SSL version 1.26 was released fixing a bug in a hostname
verification code.

  v1.26 2009.07.03
  - SECURITY BUGFIX! 
    fix Bug in verify_hostname_of_cert where it matched only the prefix for 
    the hostname when no wildcard was given, e.g. www.example.org matched
    against a certificate with name www.exam in it

An attacker could use this flaw to spoof identity of the SSL protected site, if
he could obtain a valid certificate from the CA trusted by client with the CN
being a prefix of the hostname client tried to connect to (e.g. domain.co if
client tries to connect to domain.com).

Upstream fix (diff between 1.25 and 1.26):
http://search.cpan.org/diff?from=IO-Socket-SSL-1.25&to=IO-Socket-SSL-1.26&w=1

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.