[Bug 1094440] New: perl-libwww-perl: incorrect handling of SSL certificate verification

https://bugzilla.redhat.com/show_bug.cgi?id=1094440 Bug ID: 1094440 Summary: perl-libwww-perl: incorrect handling of SSL certificate verification Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: vdanen(a)redhat.com CC: jkurik(a)redhat.com, mmaslano(a)redhat.com, perl-devel(a)lists.fedoraproject.org, perl-maint-list(a)redhat.com, ppisar(a)redhat.com, psabata(a)redhat.com It was reported [1] that libwww-perl (LWP), when using IO::Socket::SSL (the default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were set, would disable server certificate verification. Judging by the commit [2], the intention was to disable only hostname verification for compatibility with Crypt::SSLeay, but the resultant effect is that SSL_verify_mode is set to 0. This code was introduced in LWP::Protocol::https in version 6.04, so earlier versions are not vulnerable. Potential patches [3],[4] are being discussed upstream [5]. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579 [2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2ba... [3] https://github.com/noxxi/lwp-protocol-https/commit/1b924708663f457a4f7c25... [4] https://github.com/noxxi/lwp-protocol-https/commit/6b5c876de80451ee54de5d... [5] https://github.com/libwww-perl/lwp-protocol-https/pull/14 Statement: This issue did not affect the versions of perl-libwww-perl as shipped with Red Hat Enterprise Linux 5 and 6. -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=6oOhABRd7w&a=cc_unsubscribe