Date: Thu, 4 May 2023 16:50:53 -0400
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: oss-security@...ts.openwall.com
Subject: Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules


> On May 4, 2023, at 2:23 PM, Rainer Canavan <rainer.canavan@...nga.com> wrote:
> I'd suspect that the issue in
> HTTP::Tiny would end up DISPUTED, since not validating TLS names is
> not the generally expected behavior, although it is documented (in
> bold no less).

I would also expect it to be at most disputed, not rejected.
As Jeffry Walton noted, failing to validate a certificate is considered
by many to be a vulnerability; there's even a specific CWE for this case:
https://cwe.mitre.org/data/definitions/295.html

Per the OP:

> On Apr 18, 2023, at 11:46 AM, Stig Palmquist <stig@...g.io> wrote:
> ... We have generated a list of over 300 potentially affected
> CPAN distributions.

A default that potentially causes over 300 other vulnerabilities sounds like
a root cause vulnerability to me. Clearly many users do *not* treat this as expected behavior.
A change of the default would, for many, produce the expected behavior.

--- David A. Wheeler
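As an added example (not part of this thread, and not HTTP::Tiny's own code), a small Perl wrapper that pins the client to the verifying configuration discussed above and refuses to fetch https URLs through a client that would not verify; `new_verified_client`, `client_verifies` and `safe_get` are names I chose, and the optional `ca_file` path is a placeholder.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# Build an HTTP::Tiny client that verifies the server certificate and hostname.
# verify_SSL => 1 is HTTP::Tiny's documented switch; SSL_options is passed
# through to IO::Socket::SSL (SSL_ca_file is only set if the caller supplies a path).
sub new_verified_client {
    my (%opts) = @_;
    my %ssl = $opts{ca_file} ? (SSL_ca_file => $opts{ca_file}) : ();
    return HTTP::Tiny->new(
        verify_SSL  => 1,
        SSL_options => \%ssl,
        %{ $opts{tiny} || {} },   # caller may add timeout, agent, etc.
    );
}

# Audit helper: true if this client object will verify TLS certificates.
sub client_verifies {
    my ($client) = @_;
    return $client->verify_SSL ? 1 : 0;
}

# Fetch with the given client, but never send an https request through a
# client that would skip certificate validation (the root cause in the thread).
sub safe_get {
    my ($client, $url) = @_;
    die "refusing to fetch $url: client does not verify TLS certificates\n"
        if $url =~ m{^https://}i && !client_verifies($client);
    my $res = $client->get($url);
    die "$url: $res->{status} $res->{reason}\n" unless $res->{success};
    return $res->{content};
}

# Compare the library default with the hardened constructor (no network needed).
my $default  = HTTP::Tiny->new;
my $hardened = new_verified_client();

printf "default client verifies certificates:  %s\n", client_verifies($default)  ? 'yes' : 'no';
printf "hardened client verifies certificates: %s\n", client_verifies($hardened) ? 'yes' : 'no';
```

On an HTTP::Tiny release with the default this thread complains about, the first line reports "no"; the same check can be applied to clients handed to you by other CPAN modules before they are used for https.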
