Date: Fri, 28 Aug 2009 09:20:22 +0200 From: Ludwig Nussel <ludwig.nussel@...e.de> To: oss-security@...ts.openwall.com Cc: Steffen_Ullrich@...ua.de, "Steven M. Christey" <coley@...us.mitre.org> Subject: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Hi, IO-Socket-SSL was released a while ago with a security fix: http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.30/Changes v1.26 2009.07.03 - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched only the prefix for the hostname when no wildcard was given, e.g. www.example.org matched against a certificate with name www.exam in it Thanks to MLEHMANN for reporting cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.