[SECURITY] Fedora 14 Update: perl-IO-Socket-SSL-1.37-1.fc14
updates at fedoraproject.org
updates at fedoraproject.org
Sun Dec 26 19:55:32 UTC 2010
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-19058
2010-12-18 22:36:37
--------------------------------------------------------------------------------
Name : perl-IO-Socket-SSL
Product : Fedora 14
Version : 1.37
Release : 1.fc14
URL : http://search.cpan.org/dist/IO-Socket-SSL/
Summary : Perl library for transparent SSL
Description :
This module is a true drop-in replacement for IO::Socket::INET that
uses SSL to encrypt data before it is transferred to a remote server
or client. IO::Socket::SSL supports all the extra features that one
needs to write a full-featured SSL client or server application:
multiple SSL contexts, cipher selection, certificate verification, and
SSL version selection. As an extra bonus, it works perfectly with
mod_perl.
--------------------------------------------------------------------------------
Update Information:
This update fixes a problem whereby IO::Socket::SSL fell back to the "VERIFY_NONE" verification mode if another verification mode was defined but no valid ca_file or ca_path was provided.
The updated version throws an error in that situation rather than proceeding with the connection despite being unable to verify the certificate(s) as requested.
This issue was originally reported at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
--------------------------------------------------------------------------------
ChangeLog:
* Fri Dec 10 2010 Paul Howarth <paul at city-fan.org> - 1.37-1
- Update to 1.37
- don't complain about invalid certificate locations if user explicitly set
SSL_ca_path and SSL_ca_file to undef: assume that user knows what they are
doing and will work around the problems themselves (CPAN RT#63741)
* Thu Dec 9 2010 Paul Howarth <paul at city-fan.org> - 1.36-1
- Update to 1.36
- update documentation for SSL_verify_callback based on CPAN RT#63743 and
CPAN RT#63740
* Mon Dec 6 2010 Paul Howarth <paul at city-fan.org> - 1.35-1
- Update to 1.35 (addresses CVE-2010-4334)
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
verified as valid, it will no longer fall back to VERIFY_NONE but throw an
error (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058)
* Tue Nov 2 2010 Paul Howarth <paul at city-fan.org> - 1.34-1
- Update to 1.34
- schema http for certificate verification changed to wildcards_in_cn=1
- if upgrading socket from inet to ssl fails due to handshake problems, the
socket gets downgraded back again but is still open (CPAN RT#61466)
- deprecate kill_socket: just use close()
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #660847 - CVE-2010-4334 perl-IO-Socket-SSL: ignores user request for peer verification
https://bugzilla.redhat.com/show_bug.cgi?id=660847
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update perl-IO-Socket-SSL' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the package-announce
mailing list