https://bugzilla.redhat.com/show_bug.cgi?id=660847

Tomas Hoger <thoger@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fedora-perl-devel-list@redhat.com,
                   |                            |jpo@xxxxxxxxxxxx,
                   |                            |paul@xxxxxxxxxxxx,
                   |                            |perl-maint-list@xxxxxxxxxx,
                   |                            |ppisar@xxxxxxxxxx,
                   |                            |psabata@xxxxxxxxxx

--- Comment #3 from Tomas Hoger <thoger@xxxxxxxxxx> 2010-12-17 11:47:05 EST ---

(In reply to comment #2)
> Another reference: http://secunia.com/advisories/42508/

Secunia advisory mentions:

  The security issue is caused due to IO::Socket::SSL silently falling back to
  the "VERIFY_NONE" verification mode if another verification mode is defined
  but no valid ca_file or ca_path is provided.

This is not entirely true, as IO::Socket::SSL carp()s in such a case with error messages as:

  No certificate verification because neither SSL_ca_file nor SSL_ca_path known
  at /usr/share/perl5/IO/Socket/SSL.pm line 301

Looking at the upstream changelog, this problem was introduced as intended fallback behaviour in version 1.23:

  v1.23 2009.02.23
  - if neither SSL_ca_file nor SSL_ca_path are known (e.g not given and the
    default values have no existing file|path) disable checking of certificates,
    but carp about the problem

Affected versions are only in RHEL-6 and F-13/F-14.
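The fallback discussed in the comment above can be made to fail closed on the caller's side. The following is an added example, not code from the bug report or from IO::Socket::SSL: it checks the trust store before connecting and promotes the quoted warning to a fatal error. The helper names (`require_ca_store`, `with_fatal_verify_fallback`, `connect_verified`) and the sample path are hypothetical, and the warning is simulated with a stand-in so the demonstration runs offline.

```perl
use strict;
use warnings;
use Carp qw(carp croak);

# Hypothetical helper: return the CA option to pass on, or refuse outright
# when neither a readable, non-empty CA file nor a readable CA directory exists.
sub require_ca_store {
    my (%args) = @_;
    my ($file, $path) = @args{qw(SSL_ca_file SSL_ca_path)};
    return (SSL_ca_file => $file) if defined $file && -f $file && -r _ && -s _;
    return (SSL_ca_path => $path) if defined $path && -d $path && -r _;
    croak "refusing to connect: no usable SSL_ca_file or SSL_ca_path";
}

# Hypothetical helper: run $code with the fallback warning treated as fatal,
# so a carp() that would only reach a log aborts the connection instead.
sub with_fatal_verify_fallback {
    my ($code) = @_;
    local $SIG{__WARN__} = sub {
        my ($msg) = @_;
        die "certificate verification was disabled: $msg"
            if $msg =~ /No certificate verification because neither SSL_ca_file nor SSL_ca_path known/;
        warn $msg;    # unrelated warnings pass through unchanged
    };
    return $code->();
}

# How the two checks combine around a real connection (not called below).
sub connect_verified {
    my ($host, %ca) = @_;
    require IO::Socket::SSL;
    return with_fatal_verify_fallback(sub {
        IO::Socket::SSL->new(
            PeerAddr        => "$host:443",
            SSL_verify_mode => 0x01,          # SSL_VERIFY_PEER
            require_ca_store(%ca),
        ) or die "TLS connect failed: " . IO::Socket::SSL::errstr();
    });
}

# Constructed demonstration 1: a missing CA file is rejected before any I/O.
eval { require_ca_store(SSL_ca_file => '/nonexistent/ca.pem'); 1 }
    or print "preflight: $@";

# Constructed demonstration 2: a stand-in emits the warning quoted in the report.
my $ok = eval {
    with_fatal_verify_fallback(sub {
        carp "No certificate verification because neither SSL_ca_file nor SSL_ca_path known";
        1;
    });
};
print $ok ? "connection proceeded unverified\n" : "blocked: $@";
```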