Date: Tue, 6 May 2014 16:19:14 -0400 (EDT) From: cve-assign@...re.org To: kseifried@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579 > Package: libwww-perl > setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable This is apparently still being investigated upstream, with https://github.com/libwww-perl/lwp-protocol-https/pull/14 updated as recently as this afternoon. The set of issues is unusual and may ultimately require more than one CVE ID. At the moment, it seems that the most straightforward CVE assignment is for the following statement in https://github.com/libwww-perl/lwp-protocol-https/pull/14#issuecomment-42328818 "If you google for HTTPS_CA_FILE you will probably only find references to LWP/Crypt::SSLeay. So, in a way, it makes sense to special case this because these are mostly users of the older LWP versions." This seems to be, more or less, equivalent to "the behavior of the product is determined by using somewhat arbitrary environment variables that, in practice, are correlated with whether the user may desire a 'compatibility mode' with different security properties, even though this correlation isn't especially strong." Off hand, we don't know of any other product that does something like that. So, we're assigning CVE-2014-3230 for the Least Surprise violation. There's a separate question of whether the "compatibility mode" behavior has an implementation that matches its design. A second CVE ID seems reasonably likely, but the issue itself is perhaps still being analyzed. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579#44 says "contrary to what the name of the option suggests, verify_hostname is supposed to enable/disable both certificate verification and that the certificate matches hostname. But after this patch applied, it will affect only the latter." At this point, it seems unlikely that there would be a third CVE for whether the "compatibility mode" behavior actually should not exist. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTaUA9AAoJEKllVAevmvmsIToH/i48lQZKdtiRRKzz8rWeUcYF HFw8ZmocshaCG2/ZyHiQv4j0w7jjBAuhOv4VDwZWR56WtRpGlcZYz7te7sglG6yM h7LQACHsr/cv9EcDyolAsmigv7/zjRSmhhE/uGhf/up30tKO4ZoaVFFNQClihfAc J3K23L8PhtxIVlp5eyHar6vndC53L1XwJn8lnvYXczSA9Y7q+3PAG4LF/oo4sWxz ZxfwgbNTyaKhpppPUcudHSOz8fpZVaGdqrYEWkXj0DY8+TQTHPYfZuGw6shyHuUL MTz/zRRdyBWjrMR9szq7XnJ3RzF63xjwyJGRhsQ1EquWwGcgR3GfCbYn4x43BNg= =HQLw -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ