Date: Tue, 6 May 2014 16:19:14 -0400 (EDT)
Subject: Re: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL


> Package: libwww-perl
> setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable

This is apparently still being investigated upstream, with updates as
recently as this afternoon. The set of issues is unusual and may
ultimately require more than one CVE ID.

At the moment, it seems that the most straightforward CVE assignment
is for the following statement in

  "If you google for HTTPS_CA_FILE you will probably only find
   references to LWP/Crypt::SSLeay. So, in a way, it makes sense to
   special case this because these are mostly users of the older LWP

This seems to be, more or less, equivalent to "the behavior of the
product is determined by using somewhat arbitrary environment
variables that, in practice, are correlated with whether the user may
desire a 'compatibility mode' with different security properties, even
though this correlation isn't especially strong."

Off hand, we don't know of any other product that does something like
that. So, we're assigning CVE-2014-3230 for the Least Surprise

There's a separate question of whether the "compatibility mode"
behavior has an implementation that matches its design. A second CVE
ID seems reasonably likely, but the issue itself is perhaps still
being analyzed. says
"contrary to what the name of the option suggests, verify_hostname is
supposed to enable/disable both certificate verification and that the
certificate matches hostname. But after this patch applied, it will
affect only the latter."

At this point, it seems unlikely that there would be a third CVE for
whether the "compatibility mode" behavior actually should not exist.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
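The practical concern in the message above is that which environment variables happen to be set decides whether IO::Socket::SSL (as used by LWP::Protocol::https) verifies the peer certificate at all. The following is an added example, not code from libwww-perl, IO::Socket::SSL or the CVE team's message: it clears the environment variables involved, builds an LWP::UserAgent whose verification options are fixed explicitly in `ssl_opts`, and then checks that verification is really enforced by requesting a URL that is assumed to present a certificate the supplied CA bundle does not trust. The CA bundle path, the untrusted URL and the helper names `hardened_ua` and `verification_enforced` are assumptions of this example.

```perl
#!/usr/bin/env perl
# Added example (not code from libwww-perl, IO::Socket::SSL or the CVE
# team's message): build an LWP::UserAgent whose peer verification does
# not depend on HTTPS_CA_FILE / HTTPS_CA_DIR or the other environment
# variables, then check that verification is actually enforced.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Clear every environment variable that LWP::Protocol::https,
# Crypt::SSLeay or IO::Socket::SSL might consult, so that only the
# options passed below decide whether the peer certificate is checked.
delete @ENV{qw(HTTPS_CA_FILE HTTPS_CA_DIR
               PERL_LWP_SSL_VERIFY_HOSTNAME PERL_LWP_SSL_CA_FILE
               PERL_LWP_SSL_CA_PATH)};

# Build a user agent with verification fixed explicitly. $ca_file is
# assumed to be a PEM bundle the caller trusts (the path is an assumption).
sub hardened_ua {
    my ($ca_file) = @_;
    die "CA bundle '$ca_file' is not readable\n" unless -r $ca_file;
    return LWP::UserAgent->new(
        timeout  => 15,
        ssl_opts => {
            verify_hostname => 1,                # name in the cert must match
            SSL_verify_mode => SSL_VERIFY_PEER,  # and the chain must verify
            SSL_ca_file     => $ca_file,
        },
    );
}

# Returns 1 when a request to $url is refused because of a certificate
# problem, 0 when the request succeeded (verification was not enforced),
# and dies on unrelated failures (DNS, timeout) so they are not mistaken
# for a passing check.
sub verification_enforced {
    my ($ua, $url) = @_;
    my $res = $ua->get($url);
    return 0 if $res->is_success;
    my $msg = $res->status_line;
    return 1 if $msg =~ /certificate verify failed
                        |hostname verification failed
                        |SSL connect attempt failed/xi;
    die "Request to $url failed for a non-TLS reason: $msg\n";
}

# Usage: $untrusted_url is assumed to present a certificate that the
# bundle does not trust (self-signed, or issued for a different name).
my ($ca_file, $untrusted_url) = @ARGV;
die "usage: $0 CA_FILE UNTRUSTED_HTTPS_URL\n" unless $ca_file && $untrusted_url;
my $ua = hardened_ua($ca_file);
print verification_enforced($ua, $untrusted_url)
    ? "OK: peer certificate verification is enforced\n"
    : "FAIL: request succeeded against an untrusted certificate\n";
```

Setting `SSL_verify_mode` and `verify_hostname` together is deliberate: the message notes that `verify_hostname` was meant to control both certificate verification and hostname matching but, after the patch under discussion, may control only the latter, so a client that wants both should state both rather than rely on one option implying the other. Run the check against a deliberately untrusted endpoint before trusting a deployment; a request that succeeds there means the environment, not your options, is deciding the verification policy.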

