Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

Dominic Hargreaves dom at earth.li
Mon Jul 6 21:48:52 UTC 2009


On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:

> 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> security issue:
> 
> v1.26 2009.07.03
> - SECURITY BUGFIX! 
>   fix Bug in verify_hostname_of_cert where it matched only the prefix for 
>   the hostname when no wildcard was given, e.g. www.example.org matched
>   against a certificate with name www.exam in it
>   Thanks to MLEHMANN for reporting
> 
> From inspecting the source this appears to apply to at least 1.24-1
> (testing) and 1.16-1 (stable).

Hi security team.

I'd be grateful if you could review this and let us know whether you
believe a security update is necessary. A package with the fix backported
has been prepared in

http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/

although it has not yet been fully tested.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
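An added illustration of the matching bug described in the quoted changelog, written for this page and not taken from IO::Socket::SSL or from the message author: a Python model of a verify_hostname_of_cert-style check, with the prefix-only comparison that accepts www.example.org for a certificate carrying www.exam beside a full-string comparison that rejects it. The hostname and certificate name are the changelog's own example; the function names, the wildcard rules (only a leading `*.` label, matching exactly one label, and at least three labels in the pattern) and the certificate-name lists are assumptions chosen for the example.

```python
import re


def cert_name_matches_vulnerable(identity: str, cert_name: str) -> bool:
    """Model of the pre-1.26 behaviour described in the changelog.

    For a certificate name without a wildcard the pattern is anchored only
    at the start of the hostname, so any hostname that merely *begins* with
    the certificate name is accepted: www.example.org matches 'www.exam'.
    (Assumed reconstruction of the described defect, not the module's code.)
    """
    if "*" in cert_name:
        # The wildcard branch is not the subject of the bug; reuse the fixed rules.
        return cert_name_matches_fixed(identity, cert_name)
    return re.match(r"^" + re.escape(cert_name), identity, re.IGNORECASE) is not None


def cert_name_matches_fixed(identity: str, cert_name: str) -> bool:
    """Full-string comparison.

    A certificate name without a wildcard must equal the hostname (case-
    insensitively, trailing dots ignored). A wildcard is honoured only as the
    whole leftmost label, matches exactly one label, and the pattern must keep
    at least two fixed labels after it (so '*' and '*.org' never match).
    """
    identity = identity.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if "*" not in cert_name:
        return identity == cert_name          # anchored at both ends
    labels = cert_name.split(".")
    if labels[0] != "*" or "*" in cert_name[2:] or len(labels) < 3:
        return False                          # only a leading '*.' wildcard is accepted
    host_labels = identity.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def verify_hostname_of_cert(identity: str, cert_names, matcher) -> bool:
    """Accept the certificate if any presented name (CN or SAN) matches."""
    return any(matcher(identity, name) for name in cert_names)


if __name__ == "__main__":
    # Constructed cases: the changelog's example plus wildcard edge cases.
    cases = [
        ("www.example.org", "www.exam"),          # the reported bug
        ("www.example.org", "www.example.org"),   # exact match
        ("WWW.Example.ORG", "www.example.org"),   # case-insensitive
        ("www.example.org", "*.example.org"),     # legitimate wildcard
        ("a.b.example.org", "*.example.org"),     # wildcard spans one label only
        ("example.org", "*.example.org"),         # wildcard does not cover the apex
        ("www.example.org", "*"),                 # bare wildcard rejected
    ]
    print(f"{'hostname':18} {'cert name':18} {'1.25 (prefix)':14} {'1.26 (full)'}")
    for host, name in cases:
        old = cert_name_matches_vulnerable(host, name)
        new = cert_name_matches_fixed(host, name)
        print(f"{host:18} {name:18} {str(old):14} {new}")
```

The fix is a one-line change in spirit: anchor the non-wildcard comparison at both ends (or simply compare the whole strings). Whenever a hostname check is built on a regular expression, the first thing to look for in review is a missing `$`, since a start-only anchor silently turns name verification into a prefix test.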
