https://bugzilla.redhat.com/show_bug.cgi?id=509819

--- Comment #8 from Tomas Hoger <thoger@xxxxxxxxxx> 2009-07-24 10:35:54 EDT ---

(In reply to comment #6)
> For RHEL5, do we want to add hostname verification to the older version?

I think if that is requested by the users, it can be done, but I don't think this should be done under / because of this bug.

> If someone is relying on the *lack* of hostname verification, any app using
> this perl module could possibly break in a customer environment. That would
> be a bad thing for an update to do. Conversely, having hostname support
> increases security.

As far as I can see, risks should be rather low, as name verification only happens when it's requested explicitly by the application using the module (either via the verify_hostname method or the SSL_verifycn_* options to new()). Old code should work with new module versions without regressions related to this, but just a module version update will not automagically add hostname verification to apps that don't do it today.

> Personally, I think that because RHEL5 and earlier didn't have support for it,
> *this* issue isn't a security issue to affect them.

Agree. If someone needs hostname verification support in RHEL5 packages, it should be requested via an RFE bug.

Additionally, I had a look at applications using IO::Socket::SSL in RHEL5. There are only 2 components in the distribution:

- spamassassin - Used for optional SSL encryption for spamd <-> spamc communication. Only used on the server side (spamd), as the client (spamc) is written in C and uses OpenSSL directly. Hence this feature is irrelevant to spamassassin.

- perl-LDAP - This module does not have support for hostname verification, not even in the latest git version to date. Hence, without further modifications of perl-LDAP itself, it won't benefit from hostname verification support in IO::Socket::SSL.
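The two opt-in forms mentioned above (SSL_verifycn_* options passed to new(), and the verify_hostname method called after the handshake) side by side, as an added example for this thread, not code from the bug, from IO::Socket::SSL or from either RHEL5 package. It needs a reachable TLS server, so it takes host and port from the command line; the CA directory path is an assumption about the local system, and SSL_verify_mode is set explicitly so that the behaviour does not depend on the module version's default (old releases defaulted to SSL_VERIFY_NONE, newer ones verify by default).

```perl
#!/usr/bin/perl
# Added illustration: chain verification is separate from hostname
# verification in IO::Socket::SSL, and the latter only happens when the
# application asks for it. Usage:
#   perl verifycn.pl www.example.org 443 [weak|strict]
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my ($host, $port, $mode) = @ARGV;
die "usage: $0 host port [weak|strict]\n"
    unless defined $host && defined $port;
$mode ||= 'strict';

# Common options for both modes: verify the certificate chain against a
# CA store. Set explicitly so the result does not depend on the module
# version's default verify mode.
my %opts = (
    PeerAddr        => $host,
    PeerPort        => $port,
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_ca_path     => '/etc/ssl/certs',   # assumption: local CA directory
);

# Strict mode: the "SSL_verifycn_* options to new()" form. The CN/SAN
# check against $host runs inside the handshake, and a mismatch makes
# new() fail. Without these two keys the name is never checked.
if ($mode eq 'strict') {
    $opts{SSL_verifycn_scheme} = 'http';   # 'ldap', 'smtp', ... per protocol
    $opts{SSL_verifycn_name}   = $host;
}

my $sock = IO::Socket::SSL->new(%opts)
    or die "TLS connect to $host:$port failed: ",
           IO::Socket::SSL::errstr(), "\n";

printf "connected; certificate CN: %s\n",
    $sock->peer_certificate('cn') // '(none)';

# Weak mode: chain verification only. The name check has to be done by
# the application afterwards via verify_hostname($name, $scheme), and a
# mismatch shows up as a return value here, not as a failed connect.
if ($mode eq 'weak') {
    if ($sock->verify_hostname($host, 'http')) {
        print "hostname matches certificate\n";
    } else {
        print "WARNING: chain verified, but certificate is not issued for $host\n";
    }
}

$sock->close;
```

Running it in strict mode against a server whose certificate is valid but issued for a different name fails at new(); in weak mode the same server connects successfully and only the explicit verify_hostname call reports the mismatch, which is the behaviour the comment above relies on when it says old code will not pick up name verification just from a module update.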
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
Fedora-perl-devel-list mailing list
Fedora-perl-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-perl-devel-list