Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.

Summary: perl-IO-Socket-SSL: incorrect checking of certificate hostnames

https://bugzilla.redhat.com/show_bug.cgi?id=509819

           Summary: perl-IO-Socket-SSL: incorrect checking of certificate hostnames
           Product: Security Response
           Version: unspecified
          Platform: All
        OS/Version: Linux
            Status: NEW
 Status Whiteboard: impact=moderate,source=gentoo,reported=20090703,public=20090703
          Keywords: Security
          Severity: medium
          Priority: medium
         Component: vulnerability
        AssignedTo: security-response-team@xxxxxxxxxx
        ReportedBy: thoger@xxxxxxxxxx
                CC: paul@xxxxxxxxxxxx, wtogami@xxxxxxxxxx, jpo@xxxxxxxxxxxx, fedora-perl-devel-list@xxxxxxxxxx
    Classification: Other
    Target Release: ---

New IO::Socket::SSL version 1.26 was released, fixing a bug in the hostname verification code:

  v1.26 2009.07.03
  - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched only
    the prefix for the hostname when no wildcard was given, e.g. www.example.org
    matched against a certificate with name www.exam in it

An attacker could use this flaw to spoof the identity of an SSL-protected site, if he could obtain a valid certificate from the CA trusted by the client with the CN being a prefix of the hostname the client tried to connect to (e.g. domain.co if the client tries to connect to domain.com).

Upstream fix (diff between 1.25 and 1.26):
http://search.cpan.org/diff?from=IO-Socket-SSL-1.25&to=IO-Socket-SSL-1.26&w=1

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

-- 
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
Fedora-perl-devel-list mailing list
Fedora-perl-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-perl-devel-list
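The script below is an added illustration written for this note; it is not the module's own code (the real verify_hostname_of_cert change is in the CPAN diff linked above). It models the flaw the changelog describes, a certificate name compared as an unanchored prefix of the hostname, next to an anchored comparison, and runs both over the two examples the report gives (www.exam vs. www.example.org, domain.co vs. domain.com). The single-label wildcard rule in matches_hostname is an assumption made for this example, not a description of IO::Socket::SSL's wildcard policy.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Flawed check, modelled on the bug description (not the upstream code):
# the certificate name is only required to be a prefix of the hostname,
# so "www.exam" accepts "www.example.org".
sub matches_prefix_only {
    my ($cert_name, $hostname) = @_;
    return $hostname =~ /^\Q$cert_name\E/i ? 1 : 0;
}

# Anchored check: the whole hostname must equal the certificate name.
# Wildcard handling here is an assumed policy for the example only:
# a leading "*." covers exactly one DNS label and nothing else.
sub matches_hostname {
    my ($cert_name, $hostname) = @_;
    my $pattern;
    if ($cert_name =~ /^\*\.(.+)$/) {
        my $suffix = $1;
        $pattern = qr/^[^.]+\.\Q$suffix\E$/i;   # one label, then the suffix
    } else {
        $pattern = qr/^\Q$cert_name\E$/i;       # exact, anchored both ends
    }
    return $hostname =~ $pattern ? 1 : 0;
}

# Constructed test cases: the two from the advisory plus a few controls.
my @cases = (
    ['www.exam',        'www.example.org'],   # reported case: prefix only
    ['domain.co',       'domain.com'],        # advisory example
    ['www.example.org', 'www.example.org'],   # exact match, both accept
    ['*.example.org',   'www.example.org'],   # wildcard, one label
    ['*.example.org',   'a.b.example.org'],   # wildcard must not span labels
);

for my $case (@cases) {
    my ($cn, $host) = @$case;
    printf "%-18s vs %-18s prefix-only=%d anchored=%d\n",
        $cn, $host, matches_prefix_only($cn, $host), matches_hostname($cn, $host);
}
```

The first two rows show the defect the advisory warns about: the prefix-only check returns 1 for both spoofing cases while the anchored check rejects them, and the remaining rows confirm the anchored check still accepts legitimate exact and single-label wildcard matches. Clients that cannot upgrade to 1.26 immediately can use the same anchored comparison in their own post-connect verification of the peer certificate's name.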