Date: Sat, 29 Aug 2009 20:45:53 +0200 From: Steffen Ullrich <Steffen_Ullrich@...ua.de> To: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Hi, Just to make you able to classify the problem a bit more: The fix is important but the impact of the problem is in my opinion currently minor, because - the feature to help checking the hostname against the certificate is fairly new - in former times the apps/modules using IO::Socket::SSL had to implement the checking by itself (using the appropriate logic, which differs between various protocols). - most did not implement any checking at all or implemented a limited or wrong check - therefore I added the checks, where the app only has to decide how the check has to be done - most apps/modules don't even do this simple thing yet, so that this buggy feature was not used That means, that it only impacts apps/modules which depend on this feature and there are only few (or none) of these apps. But it would probably be nice to add a note to the CVE that apps/modules should start to implement proper certificate checking and that it got easier with newer IO::Socket::SSL versions. Regards, Steffen (Maintainer of IO::Socket::SSL) On Fri, Aug 28, 2009 at 09:20:22AM +0200, Ludwig Nussel <ludwig.nussel@...e.de> wrote: > Hi, > > IO-Socket-SSL was released a while ago with a security fix: > > http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.30/Changes > v1.26 2009.07.03 > - SECURITY BUGFIX! > fix Bug in verify_hostname_of_cert where it matched only the prefix for > the hostname when no wildcard was given, e.g. www.example.org matched > against a certificate with name www.exam in it > Thanks to MLEHMANN for reporting > > cu > Ludwig > > -- > (o_ Ludwig Nussel > //\ > V_/_ http://www.suse.de/ > SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999 Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht München HRB 98238
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.