[Bug 1094440] New: perl-libwww-perl: incorrect handling of SSL certificate verification

bugzilla at redhat.com
Mon May 5 17:05:04 UTC 2014


https://bugzilla.redhat.com/show_bug.cgi?id=1094440

            Bug ID: 1094440
           Summary: perl-libwww-perl: incorrect handling of SSL
                    certificate verification
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: high
          Priority: high
          Assignee: security-response-team at redhat.com
          Reporter: vdanen at redhat.com
                CC: jkurik at redhat.com, mmaslano at redhat.com,
                    perl-devel at lists.fedoraproject.org,
                    perl-maint-list at redhat.com, ppisar at redhat.com,
                    psabata at redhat.com



It was reported [1] that libwww-perl (LWP), when using IO::Socket::SSL (the
default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were
set, would disable server certificate verification.  Judging by the commit [2],
the intention was to disable only hostname verification for compatibility with
Crypt::SSLeay, but the resultant effect is that SSL_verify_mode is set to 0. 
This code was introduced in LWP::Protocol::https in version 6.04, so earlier
versions are not vulnerable.
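
An added example (not from the bug report or the LWP project) showing the two checks a defender would want for the condition described above: an audit of whether the risky combination (LWP::Protocol::https 6.04 or later with HTTPS_CA_DIR or HTTPS_CA_FILE set) is present in the current environment, and a UserAgent built with verification pinned explicitly in ssl_opts so that it does not depend on the environment-derived default. It assumes that an explicit verify_hostname in ssl_opts takes precedence over the environment-based defaulting, which is how LWP documents ssl_opts; the CA bundle path and the target URL are placeholders, and whether a given release later than 6.04 carries a fix depends on the upstream patches the report says are still under discussion, so the audit only flags the combination for review.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from libwww-perl.
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Flag the combination the report describes: LWP::Protocol::https 6.04 or
# later (earlier versions are not affected) together with HTTPS_CA_DIR or
# HTTPS_CA_FILE set, which on affected versions ends with SSL_verify_mode 0.
# Returns 1 when the combination is absent, 0 when it should be reviewed.
sub audit_env {
    my $ver = $LWP::Protocol::https::VERSION;
    my @set = grep { defined $ENV{$_} } qw(HTTPS_CA_DIR HTTPS_CA_FILE);
    if ($ver >= 6.04 && @set) {
        warn "LWP::Protocol::https $ver with @set set: server certificate "
           . "verification may be disabled (see bug 1094440)\n";
        return 0;
    }
    return 1;
}

# Build a UserAgent whose verification settings are explicit rather than
# derived from the environment: hostname verification on, peer verification
# on, and the CA bundle passed directly. $ca_file is a hypothetical path.
sub make_ua {
    my ($ca_file) = @_;
    my %ssl_opts = (
        verify_hostname => 1,
        SSL_verify_mode => SSL_VERIFY_PEER,
    );
    $ssl_opts{SSL_ca_file} = $ca_file if defined $ca_file;
    return LWP::UserAgent->new(ssl_opts => \%ssl_opts);
}

audit_env();

# Reuse the bundle named in the environment (if any) but pass it explicitly,
# so the request never goes through the env-var compatibility path.
my $ua  = make_ua($ENV{HTTPS_CA_FILE});
my $res = $ua->get('https://example.invalid/');   # placeholder URL
print $res->status_line, "\n";
```

Passing `SSL_ca_file` (or `SSL_ca_path`) explicitly alongside `verify_hostname => 1` is the point of the example: the Crypt::SSLeay-compatible environment variables remain usable as a source for the bundle location, but the verification mode itself is no longer chosen by the compatibility code in LWP::Protocol::https.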

Potential patches [3],[4] are being discussed upstream [5].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
[2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8
[3] https://github.com/noxxi/lwp-protocol-https/commit/1b924708663f457a4f7c25ed35d7dfb3bb5b334d
[4] https://github.com/noxxi/lwp-protocol-https/commit/6b5c876de80451ee54de5d853de37a62e26bf6fe
[5] https://github.com/libwww-perl/lwp-protocol-https/pull/14


Statement:

This issue did not affect the versions of perl-libwww-perl as shipped with Red
Hat Enterprise Linux 5 and 6.
