Date: Sun, 4 May 2014 08:26:25 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Assign a CVE Identifier <cve-assign@...re.org>,
 Steffen Ullrich <coyote.frank@....net>
Subject: Re: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL

Hi,

On Fri, May 02, 2014 at 02:54:33PM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
>
> Package: libwww-perl
> Version: 6.06-1
> Tags: security
> Usertags: serious
>
> If LWP uses IO::Socket::SSL as SSL socket class (this is the default),
> setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!)
> server certificate verification:

An update on this issue for the affected versions: Steffen Ullrich
proposed a fix for this in [1]. The issue seems to be introduced in
LWP::Protocol::https in commit [2], which is version 6.04.

 [1] https://github.com/libwww-perl/lwp-protocol-https/pull/14
 [2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8

Regards,
Salvatore