Date: Sun, 4 May 2014 08:26:25 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Assign a CVE Identifier <cve-assign@...re.org>,
	Steffen Ullrich <coyote.frank@....net>
Subject: Re: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or
 HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL

Hi,

On Fri, May 02, 2014 at 02:54:33PM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
> 
> Package: libwww-perl
> Version: 6.06-1
> Tags: security
> Usertags: serious
> 
> If LWP uses IO::Socket::SSL as SSL socket class (this is the default),
> setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!)
> server certificate verification:

An update on this issue for the affected versions:

Steffen Ullrich proposed a fix for this in [1]. The issue seems to have been
introduced in LWP::Protocol::https in commit [2], which is version
6.04.

 [1] https://github.com/libwww-perl/lwp-protocol-https/pull/14
 [2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8

Regards,
Salvatore

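An added probe script (not part of the original report, the thread, or libwww-perl itself) that a practitioner can run to see whether an installed LWP::Protocol::https still verifies the peer certificate once HTTPS_CA_FILE is set, as the bug report above describes. It makes the same HTTPS request twice, once with a clean environment and once with HTTPS_CA_FILE set, and reports VULNERABLE if the second run accepts a certificate the first run rejected. The URL and CA-bundle path are assumptions supplied on the command line: the URL must point at a host whose certificate does not chain to that bundle (a self-signed test host you control is the simplest), and the example bundle path is a typical Debian location.

```perl
#!/usr/bin/perl
# Added probe (not from the bug report or libwww-perl): does setting
# HTTPS_CA_FILE switch off peer certificate verification in this LWP install?
#
# Usage (both arguments are assumptions, adjust for your environment):
#   perl lwp-ca-env-check.pl https://self-signed.test.example/ \
#        /etc/ssl/certs/ca-certificates.crt
# The host behind the URL must present a certificate that does NOT chain to
# the given bundle, so that a correctly verifying client rejects it.
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;
use IO::Socket::SSL;

my ($url, $ca_file) = @ARGV;
die "usage: $0 https://host-with-untrusted-cert/ /path/to/ca-bundle.crt\n"
    unless defined $url && defined $ca_file && -r $ca_file;

printf "LWP::Protocol::https %s, IO::Socket::SSL %s\n",
    $LWP::Protocol::https::VERSION, $IO::Socket::SSL::VERSION;

# Run one GET with a controlled environment. LWP::UserAgent reads the
# HTTPS_CA_* / PERL_LWP_SSL_* variables when the agent is constructed, so a
# fresh agent is built for every run and %ENV is localised to the run.
sub fetch_with_env {
    my (%extra) = @_;
    local %ENV = %ENV;
    # Start from a clean slate so the caller's shell environment cannot
    # pre-set any of the variables under test.
    delete @ENV{qw(HTTPS_CA_FILE HTTPS_CA_DIR PERL_LWP_SSL_CA_FILE
                   PERL_LWP_SSL_CA_PATH PERL_LWP_SSL_VERIFY_HOSTNAME)};
    $ENV{$_} = $extra{$_} for keys %extra;

    my $ua  = LWP::UserAgent->new(timeout => 15);
    my $res = $ua->get($url);
    return $res->is_success
        ? 'ACCEPTED'
        : 'REJECTED (' . $res->status_line . ')';
}

my $baseline = fetch_with_env();                          # no CA env vars
my $with_ca  = fetch_with_env(HTTPS_CA_FILE => $ca_file); # the reported case

print "baseline (no HTTPS_CA_* set): $baseline\n";
print "with HTTPS_CA_FILE set:       $with_ca\n";

if ($baseline =~ /^ACCEPTED/) {
    # The probe host was trusted even without the env var, so it cannot
    # tell us anything; pick a host with a genuinely untrusted certificate.
    print "INCONCLUSIVE: test host accepted without HTTPS_CA_FILE; "
        . "use a host whose certificate does not chain to the bundle\n";
    exit 2;
}
if ($with_ca =~ /^ACCEPTED/) {
    print "VULNERABLE: HTTPS_CA_FILE disabled peer certificate verification\n";
    exit 1;
}
print "OK: peer certificate still verified with HTTPS_CA_FILE set\n";
exit 0;
```

Use a host whose certificate fails chain validation rather than one with only a hostname mismatch: when HTTPS_CA_FILE or HTTPS_CA_DIR is set, LWP::UserAgent treats it as a Crypt::SSLeay compatibility setting and verifies the certificate chain without checking the hostname, so a name-mismatch host would be accepted by a fixed install too and would produce a false VULNERABLE verdict. The same probe can be repeated with HTTPS_CA_DIR pointing at a hashed CA directory, since the report names both variables.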