Bug#507402: SSL verify in libwww-perl
Simon Waters
simonw at zynet.net
Wed Oct 17 13:09:00 UTC 2012
This behaviour is fixed upstream.
See the note on
http://search.cpan.org/~gaas/libwww-perl-6.04/lib/LWP/UserAgent.pm
which notes that this is not checked in 5.837 and earlier.
I believe it is fixed but not the default in 6.00.
It should do the right thing by default in 6.03 and later.
I'm not clear from documentation where in fact the issue lies, I suspect
because upstream have unbundled some modules from the same source.
Just came across this as I upgraded the Perl libraries for an
application using CPAN and broke it as the SSL connection required
additional certificate authority data that was not being supplied. So
the connection could have been easily intercepted.
Wheezy has 6.04 which is current.
I believe this bug has incorrect severity since it potentially
undermines security in all 373 packages that depend on it, along with
3rd party code such as that which I was working on.
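As an added illustration (not part of Simon's message or of libwww-perl itself), a Perl snippet that turns certificate and hostname verification on explicitly so the application does not depend on the installed version's default; it assumes libwww-perl 6.x (the `ssl_opts` API) and the Debian ca-certificates bundle path:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Build a UserAgent that verifies the server certificate chain and the
# hostname regardless of the installed libwww-perl default (5.837 and
# earlier skip this, as the bug report describes).
# The CA bundle path is an assumption: Debian's ca-certificates ships it there.
sub hardened_ua {
    my ($ca_file) = @_;
    $ca_file //= '/etc/ssl/certs/ca-certificates.crt';
    die "CA bundle $ca_file not readable\n" unless -r $ca_file;
    my $ua = LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,
            SSL_ca_file     => $ca_file,
        },
    );
    # Explicit ssl_opts take precedence over PERL_LWP_SSL_VERIFY_HOSTNAME=0
    # in the environment, so a stray variable cannot silently disable checks.
    return $ua;
}

# Sanity check: confirm the option actually took effect on this install.
# On a pre-6.x LWP this call dies because ssl_opts does not exist, which
# is the fail-closed outcome we want rather than a silent no-op.
sub verification_enabled {
    my ($ua) = @_;
    my $v = $ua->ssl_opts('verify_hostname');
    return (defined $v && $v) ? 1 : 0;
}

my $ua = hardened_ua();
printf "libwww-perl %s, verify_hostname=%d\n",
    $LWP::UserAgent::VERSION, verification_enabled($ua);

# With verification on, a server presenting an untrusted chain is refused
# instead of silently accepted; the SSL error appears in status_line.
my $res = $ua->get('https://example.invalid/');   # placeholder URL
print $res->is_success ? "ok\n" : "refused: " . $res->status_line . "\n";
```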