Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Linux kernel security hardening Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Sat, 29 Aug 2009 20:45:53 +0200
From: Steffen Ullrich <Steffen_Ullrich@...ua.de>
To: oss-security@...ts.openwall.com,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug

Hi,

Just to make you able to classify the problem a bit more:
The fix is important but the impact of the problem is in my opinion currently minor,
because
- the feature to help checking the hostname against the certificate is fairly new
- in former times the apps/modules using IO::Socket::SSL had to implement
  the checking by itself (using the appropriate logic, which differs between
  various protocols).
- most did not implement any checking at all or implemented a limited or wrong check
- therefore I added the checks, where the app only has to decide how the check
  has to be done
- most apps/modules don't even do this simple thing yet, so that this buggy
  feature was not used

That means, that it only impacts apps/modules which depend on this feature
and there are only few (or none) of these apps. But it would probably be nice
to add a note to the CVE that apps/modules should start to implement proper 
certificate checking and that it got easier with newer IO::Socket::SSL
versions.

Regards,
Steffen (Maintainer of IO::Socket::SSL)


On Fri, Aug 28, 2009 at 09:20:22AM +0200, Ludwig Nussel <ludwig.nussel@...e.de> wrote:
> Hi,
> 
> IO-Socket-SSL was released a while ago with a security fix:
> 
> http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.30/Changes
> v1.26 2009.07.03
> - SECURITY BUGFIX! 
>   fix Bug in verify_hostname_of_cert where it matched only the prefix for 
>   the hostname when no wildcard was given, e.g. www.example.org matched
>   against a certificate with name www.exam in it
>   Thanks to MLEHMANN for reporting
> 
> cu
> Ludwig
> 
> -- 
>  (o_   Ludwig Nussel
>  //\   
>  V_/_  http://www.suse.de/
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

-- 
GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999

Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht München HRB 98238

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ