[Bug 1094440] New: perl-libwww-perl: incorrect handling of SSL certificate verification

https://bugzilla.redhat.com/show_bug.cgi?id=1094440

            Bug ID: 1094440
           Summary: perl-libwww-perl: incorrect handling of SSL
                    certificate verification
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: high
          Priority: high
          Assignee: security-response-team@xxxxxxxxxx
          Reporter: vdanen@xxxxxxxxxx
                CC: jkurik@xxxxxxxxxx, mmaslano@xxxxxxxxxx,
                    perl-devel@xxxxxxxxxxxxxxxxxxxxxxx,
                    perl-maint-list@xxxxxxxxxx, ppisar@xxxxxxxxxx,
                    psabata@xxxxxxxxxx



It was reported [1] that libwww-perl (LWP), when using IO::Socket::SSL (the
default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were
set, would disable server certificate verification.  Judging by the commit [2],
the intention was to disable only hostname verification for compatibility with
Crypt::SSLeay, but the resultant effect is that SSL_verify_mode is set to 0. 
This code was introduced in LWP::Protocol::https in version 6.04, so earlier
versions are not vulnerable.

Potential patches [3],[4] are being discussed upstream [5].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
[2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8
[3] https://github.com/noxxi/lwp-protocol-https/commit/1b924708663f457a4f7c25ed35d7dfb3bb5b334d
[4] https://github.com/noxxi/lwp-protocol-https/commit/6b5c876de80451ee54de5d853de37a62e26bf6fe
[5] https://github.com/libwww-perl/lwp-protocol-https/pull/14


Statement:

This issue did not affect the versions of perl-libwww-perl as shipped with Red
Hat Enterprise Linux 5 and 6.

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
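The failure mode described in the report, as an added example that is not part of the bug mail, of LWP::Protocol::https, or of the linked patches: a simplified, hypothetical model of how a "verify_hostname" flag gets translated into IO::Socket::SSL options, showing why clearing it for Crypt::SSLeay compatibility collapses SSL_verify_mode to 0, beside a mapping that relaxes only the hostname check. The CA bundle path and the HTTPS_CA_FILE value are constructed for the demonstration. The final section shows the practical workaround for an affected LWP: pass the SSL options explicitly instead of relying on the environment variables, then read them back from the agent.

```perl
#!/usr/bin/perl
# Added example, not the library's own code. The two mapping subs are a
# hypothetical model of the logic flaw reported above.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_NONE SSL_VERIFY_PEER);
use LWP::UserAgent;

# Flawed mapping: HTTPS_CA_FILE/HTTPS_CA_DIR clears verify_hostname
# (meant to skip only the hostname check), but a false verify_hostname is
# then treated as "no verification at all", so the CA file that was just
# configured is never used to verify the peer certificate.
sub flawed_ssl_opts {
    my (%env) = @_;
    my %opts = (verify_hostname => 1);
    if (exists $env{HTTPS_CA_FILE} || exists $env{HTTPS_CA_DIR}) {
        $opts{SSL_ca_file} = $env{HTTPS_CA_FILE} if exists $env{HTTPS_CA_FILE};
        $opts{SSL_ca_path} = $env{HTTPS_CA_DIR}  if exists $env{HTTPS_CA_DIR};
        $opts{verify_hostname} = 0;    # Crypt::SSLeay compatibility
    }
    $opts{SSL_verify_mode} =
        delete $opts{verify_hostname} ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;
    return \%opts;
}

# Corrected mapping: peer verification stays on whenever a CA source is
# configured; only the hostname check is relaxed, via the IO::Socket::SSL
# verification scheme rather than via SSL_verify_mode.
sub fixed_ssl_opts {
    my (%env) = @_;
    my %opts = (
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'www',
    );
    if (exists $env{HTTPS_CA_FILE} || exists $env{HTTPS_CA_DIR}) {
        $opts{SSL_ca_file} = $env{HTTPS_CA_FILE} if exists $env{HTTPS_CA_FILE};
        $opts{SSL_ca_path} = $env{HTTPS_CA_DIR}  if exists $env{HTTPS_CA_DIR};
        $opts{SSL_verifycn_scheme} = 'none';    # skip hostname check only
    }
    return \%opts;
}

# Constructed environment; the bundle path is an assumption.
my %env = (HTTPS_CA_FILE => '/etc/pki/tls/certs/ca-bundle.crt');

my $bad  = flawed_ssl_opts(%env);
my $good = fixed_ssl_opts(%env);
printf "flawed: SSL_verify_mode=%d (0: server certificate is not checked)\n",
    $bad->{SSL_verify_mode};
printf "fixed:  SSL_verify_mode=%d SSL_verifycn_scheme=%s SSL_ca_file=%s\n",
    $good->{SSL_verify_mode}, $good->{SSL_verifycn_scheme}, $good->{SSL_ca_file};

# Workaround for an affected LWP: do not rely on HTTPS_CA_FILE/HTTPS_CA_DIR.
# Set the options explicitly on the agent and confirm what it will use.
my $ua = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 1,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_ca_file     => $env{HTTPS_CA_FILE},
    },
);
die "hostname verification is off\n" unless $ua->ssl_opts('verify_hostname');
die "peer verification is off\n"
    unless $ua->ssl_opts('SSL_verify_mode') == SSL_VERIFY_PEER;
```

To confirm the fix on a real installation, run an HTTPS request against a server whose certificate chains to a CA that is not in the configured bundle: an affected version completes the request, a fixed one fails with a certificate verify error.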