https://bugzilla.redhat.com/show_bug.cgi?id=1094440
Bug ID: 1094440
Summary: perl-libwww-perl: incorrect handling of SSL
certificate verification
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: vdanen(a)redhat.com
CC: jkurik(a)redhat.com, mmaslano(a)redhat.com,
perl-devel(a)lists.fedoraproject.org,
perl-maint-list(a)redhat.com, ppisar(a)redhat.com,
psabata(a)redhat.com
It was reported [1] that libwww-perl (LWP), when using IO::Socket::SSL (the
default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were
set, would disable server certificate verification. Judging by the commit [2],
the intention was to disable only hostname verification for compatibility with
Crypt::SSLeay, but the resultant effect is that SSL_verify_mode is set to 0.
This code was introduced in LWP::Protocol::https in version 6.04, so earlier
versions are not vulnerable.
Potential patches [3],[4] are being discussed upstream [5].
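The safe way to configure a client on an affected version is to pass the CA location and the verification mode through ssl_opts rather than through HTTPS_CA_DIR/HTTPS_CA_FILE, so the compatibility code path that zeroes SSL_verify_mode is never taken, and then to check the effective options before sending anything. The following is an added example, not code from the bug report or from LWP::Protocol::https; the CA bundle path and the helper names are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

# Assumed CA bundle location; adjust to the system's bundle.
my $ca_file = '/etc/pki/tls/certs/ca-bundle.crt';

# Build a user agent that verifies the peer certificate and the hostname.
# Verification is configured via ssl_opts (passed straight to IO::Socket::SSL),
# not via the HTTPS_CA_* environment variables that trigger the bug.
sub make_verifying_ua {
    my ($ca) = @_;
    return LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,
            SSL_ca_file     => $ca,
            SSL_verify_mode => SSL_VERIFY_PEER,
        },
    );
}

# Refuse to proceed if peer verification has been turned off, whether by
# code, by a later ssl_opts() call, or by the environment on an affected
# LWP::Protocol::https (6.04 introduced the env-var code path).
sub assert_verifying {
    my ($ua) = @_;
    my $mode = $ua->ssl_opts('SSL_verify_mode');
    die "SSL_verify_mode is SSL_VERIFY_NONE; refusing to send requests\n"
        if defined $mode && $mode == SSL_VERIFY_NONE;
    die "verify_hostname is off; refusing to send requests\n"
        unless $ua->ssl_opts('verify_hostname');

    my $v = LWP::Protocol::https->VERSION;
    if (($ENV{HTTPS_CA_DIR} || $ENV{HTTPS_CA_FILE}) && $v >= 6.04) {
        warn "HTTPS_CA_DIR/HTTPS_CA_FILE set with LWP::Protocol::https $v; "
           . "on the affected release this disables certificate verification. "
           . "Unset them and use ssl_opts instead.\n";
    }
    return 1;
}

my $ua = make_verifying_ua($ca_file);
assert_verifying($ua);

# Only contact the network if a URL was given on the command line.
if (my $url = shift @ARGV) {
    my $res = $ua->get($url);
    print $res->status_line, "\n";
    # With verification on, a host presenting an untrusted certificate yields
    # a 500 "certificate verify failed" style response instead of content.
}
```

Run it against a host with a certificate not chaining to the bundle (for example a self-signed test server) to confirm the request fails; on an affected 6.04 install with HTTPS_CA_FILE exported, the same request would succeed silently, which is exactly the defect this report describes.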
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
[2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2ba...
[3] https://github.com/noxxi/lwp-protocol-https/commit/1b924708663f457a4f7c25...
[4] https://github.com/noxxi/lwp-protocol-https/commit/6b5c876de80451ee54de5d...
[5] https://github.com/libwww-perl/lwp-protocol-https/pull/14
Statement:
This issue did not affect the versions of perl-libwww-perl as shipped with Red
Hat Enterprise Linux 5 and 6.