Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 29 Aug 2009 20:45:53 +0200
From: Steffen Ullrich <Steffen_Ullrich@...ua.de>
To: oss-security@...ts.openwall.com,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug

Hi,

Just to make you able to classify the problem a bit more:
The fix is important but the impact of the problem is in my opinion currently minor,
because
- the feature to help checking the hostname against the certificate is fairly new
- in former times the apps/modules using IO::Socket::SSL had to implement
  the checking by itself (using the appropriate logic, which differs between
  various protocols).
- most did not implement any checking at all or implemented a limited or wrong check
- therefore I added the checks, where the app only has to decide how the check
  has to be done
- most apps/modules don't even do this simple thing yet, so that this buggy
  feature was not used

That means, that it only impacts apps/modules which depend on this feature
and there are only few (or none) of these apps. But it would probably be nice
to add a note to the CVE that apps/modules should start to implement proper 
certificate checking and that it got easier with newer IO::Socket::SSL
versions.

Regards,
Steffen (Maintainer of IO::Socket::SSL)


On Fri, Aug 28, 2009 at 09:20:22AM +0200, Ludwig Nussel <ludwig.nussel@...e.de> wrote:
> Hi,
> 
> IO-Socket-SSL was released a while ago with a security fix:
> 
> http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.30/Changes
> v1.26 2009.07.03
> - SECURITY BUGFIX! 
>   fix Bug in verify_hostname_of_cert where it matched only the prefix for 
>   the hostname when no wildcard was given, e.g. www.example.org matched
>   against a certificate with name www.exam in it
>   Thanks to MLEHMANN for reporting
> 
> cu
> Ludwig
> 
> -- 
>  (o_   Ludwig Nussel
>  //\   
>  V_/_  http://www.suse.de/
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

-- 
GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999

Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht München HRB 98238

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.