[Bug 660847] CVE-2010-4334 perl-IO-Socket-SSL: ignores user request for peer verification
bugzilla at redhat.com
bugzilla at redhat.com
Tue Jan 4 08:29:46 UTC 2011
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=660847
Tomas Hoger <thoger at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|medium |low
Status Whiteboard|public=20101206,reported=20 |impact=low,public=20101206,
|101206,source=debian,impact |reported=20101206,source=de
|=moderate,cvss2=4.3/AV:N/AC |bian,cvss2=4/AV:N/AC:H/Au:N
|:M/Au:N/C:P/I:N/A:N,fedora- |/C:P/I:P/A:N,fedora-all/per
|all/perl-IO-Socket-SSL=affe |l-IO-Socket-SSL=affected,rh
|cted,rhel-6/perl-IO-Socket- |el-6/perl-IO-Socket-SSL=aff
|SSL=affected,rhel-5/perl-IO |ected,rhel-5/perl-IO-Socket
|-Socket-SSL=notaffected |-SSL=notaffected
Severity|medium |low
--- Comment #8 from Tomas Hoger <thoger at redhat.com> 2011-01-04 03:29:44 EST ---
This issue has low security impact. Fallback to VERIFY_NONE only happens in
case of misconfiguration, i.e. when user requests certificate verification but
fails to specify valid CA certificate store. Warning message is printed in
such case, making it easy to spot.
Statement:
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw. This issue did not affect
perl-IO-Socket-SSL version as shipped with Red Hat Enterprise Linux 5.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
More information about the perl-devel
mailing list