Date: Sat, 29 Aug 2009 20:45:53 +0200 From: Steffen Ullrich <Steffen_Ullrich@...ua.de> To: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Hi, Just to make you able to classify the problem a bit more: The fix is important but the impact of the problem is in my opinion currently minor, because - the feature to help checking the hostname against the certificate is fairly new - in former times the apps/modules using IO::Socket::SSL had to implement the checking by itself (using the appropriate logic, which differs between various protocols). - most did not implement any checking at all or implemented a limited or wrong check - therefore I added the checks, where the app only has to decide how the check has to be done - most apps/modules don't even do this simple thing yet, so that this buggy feature was not used That means, that it only impacts apps/modules which depend on this feature and there are only few (or none) of these apps. But it would probably be nice to add a note to the CVE that apps/modules should start to implement proper certificate checking and that it got easier with newer IO::Socket::SSL versions. Regards, Steffen (Maintainer of IO::Socket::SSL) On Fri, Aug 28, 2009 at 09:20:22AM +0200, Ludwig Nussel <ludwig.nussel@...e.de> wrote: > Hi, > > IO-Socket-SSL was released a while ago with a security fix: > > http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.30/Changes > v1.26 2009.07.03 > - SECURITY BUGFIX! > fix Bug in verify_hostname_of_cert where it matched only the prefix for > the hostname when no wildcard was given, e.g. www.example.org matched > against a certificate with name www.exam in it > Thanks to MLEHMANN for reporting > > cu > Ludwig > > -- > (o_ Ludwig Nussel > //\ > V_/_ http://www.suse.de/ > SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999 Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht München HRB 98238
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.