https://bugzilla.redhat.com/show_bug.cgi?id=1094440

Bug ID: 1094440
Summary: perl-libwww-perl: incorrect handling of SSL certificate verification
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@xxxxxxxxxx
Reporter: vdanen@xxxxxxxxxx
CC: jkurik@xxxxxxxxxx, mmaslano@xxxxxxxxxx, perl-devel@xxxxxxxxxxxxxxxxxxxxxxx, perl-maint-list@xxxxxxxxxx, ppisar@xxxxxxxxxx, psabata@xxxxxxxxxx

It was reported [1] that libwww-perl (LWP), when using IO::Socket::SSL (the default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were set, would disable server certificate verification. Judging by the commit [2], the intention was to disable only hostname verification for compatibility with Crypt::SSLeay, but the resultant effect is that SSL_verify_mode is set to 0.

This code was introduced in LWP::Protocol::https in version 6.04, so earlier versions are not vulnerable.

Potential patches [3], [4] are being discussed upstream [5].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
[2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8
[3] https://github.com/noxxi/lwp-protocol-https/commit/1b924708663f457a4f7c25ed35d7dfb3bb5b334d
[4] https://github.com/noxxi/lwp-protocol-https/commit/6b5c876de80451ee54de5d853de37a62e26bf6fe
[5] https://github.com/libwww-perl/lwp-protocol-https/pull/14

Statement:

This issue did not affect the versions of perl-libwww-perl as shipped with Red Hat Enterprise Linux 5 and 6.

--
Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
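The failure mode the report describes, as an added illustration that is not part of the bug report and not LWP's or LWP::Protocol::https's own code: a simplified Perl model of how a user agent's ssl_opts and the Crypt::SSLeay-style HTTPS_CA_FILE / HTTPS_CA_DIR variables get turned into IO::Socket::SSL options. The flawed mapping reproduces the behaviour reported above (the compatibility branch clears verify_hostname, and the else branch then forces SSL_verify_mode to 0, so the CA the user pointed at is never consulted). The hardened variant is an assumed shape, not the upstream patch: it keeps hostname matching and chain verification as separate decisions. The function names, the constants defined locally, and the CA bundle path are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example: model of the ssl_opts -> IO::Socket::SSL option mapping.
# Not the library's code; it reproduces the reported behaviour only.
use strict;
use warnings;

# Same numeric values IO::Socket::SSL exports as SSL_VERIFY_NONE and
# SSL_VERIFY_PEER; defined locally so the script runs without the module.
use constant {
    SSL_VERIFY_NONE => 0,
    SSL_VERIFY_PEER => 1,
};

# Pick up the Crypt::SSLeay-style CA settings from the environment.
sub ca_opts_from_env {
    my %ca;
    $ca{SSL_ca_file} = $ENV{HTTPS_CA_FILE} if defined $ENV{HTTPS_CA_FILE};
    $ca{SSL_ca_path} = $ENV{HTTPS_CA_DIR}  if defined $ENV{HTTPS_CA_DIR};
    return %ca;
}

# Flawed mapping: the "compatibility" branch clears verify_hostname, and
# the else branch then sets SSL_verify_mode to NONE, so any certificate
# is accepted even though the caller configured a CA bundle.
sub flawed_sock_opts {
    my %ssl_opts = @_;
    my %ca = ca_opts_from_env();
    if (%ca) {
        %ssl_opts = (%ssl_opts, %ca);
        $ssl_opts{verify_hostname} = 0;   # intended: skip only the hostname match
    }
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= SSL_VERIFY_PEER;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    }
    else {
        $ssl_opts{SSL_verify_mode} = SSL_VERIFY_NONE;  # the bug: chain check off too
    }
    return %ssl_opts;
}

# Hardened mapping (assumed shape, not the upstream fix): a CA supplied
# through the environment always keeps SSL_VERIFY_PEER, and turning off
# the hostname match only changes SSL_verifycn_scheme.
sub hardened_sock_opts {
    my %ssl_opts = @_;
    my %ca = ca_opts_from_env();
    if (%ca) {
        %ssl_opts = (%ssl_opts, %ca);
        $ssl_opts{verify_hostname} = 0;
        $ssl_opts{SSL_verify_mode} = SSL_VERIFY_PEER;  # CA given => verify the chain
    }
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= SSL_VERIFY_PEER;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    }
    else {
        # Skip only the hostname match; an SSL_verify_mode already set by
        # the caller or by the CA branch above is left untouched.
        $ssl_opts{SSL_verifycn_scheme} = 'none';
        $ssl_opts{SSL_verify_mode} = SSL_VERIFY_NONE
            unless defined $ssl_opts{SSL_verify_mode};
    }
    return %ssl_opts;
}

# Driver: show the resulting verify mode with and without the env vars.
sub describe {
    my ($label, %opts) = @_;
    my $mode = $opts{SSL_verify_mode};
    printf "%-30s SSL_verify_mode=%d (%s)%s\n", $label, $mode,
        $mode == SSL_VERIFY_NONE ? 'any certificate accepted' : 'chain verified',
        $opts{SSL_ca_file} ? " ca_file=$opts{SSL_ca_file}" : '';
}

delete @ENV{qw(HTTPS_CA_FILE HTTPS_CA_DIR)};
describe('no env, flawed',   flawed_sock_opts(verify_hostname => 1));
describe('no env, hardened', hardened_sock_opts(verify_hostname => 1));

$ENV{HTTPS_CA_FILE} = '/etc/pki/tls/certs/ca-bundle.crt';   # constructed path
describe('HTTPS_CA_FILE set, flawed',   flawed_sock_opts(verify_hostname => 1));
describe('HTTPS_CA_FILE set, hardened', hardened_sock_opts(verify_hostname => 1));
```

With no environment variables both mappings end up at SSL_verify_mode=1; with HTTPS_CA_FILE set the flawed mapping drops to 0 while the hardened one stays at 1. To check an installed build rather than this model, print $LWP::Protocol::https::VERSION (only 6.04 and later carry the affected code), then run a request with HTTPS_CA_FILE set against a server whose certificate should not validate against that bundle: a correct build fails the request with a certificate verification error, a vulnerable one returns the response.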