Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

Ansgar Burchardt ansgar at 2008.43-1.org
Mon Jul 27 09:17:43 UTC 2009


Hi,

Dominic Hargreaves <dom at earth.li> writes:

> On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
>
>> 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
>> security issue:
>> 
>> v1.26 2009.07.03
>> - SECURITY BUGFIX! 
>>   fix Bug in verify_hostname_of_cert where it matched only the prefix for 
>>   the hostname when no wildcard was given, e.g. www.example.org matched
>>   against a certificate with name www.exam in it
>>   Thanks to MLEHMANN for reporting
>> 
>> From inspecting the source this appears to apply to at least 1.24-1
>> (testing) and 1.16-1 (stable).
>
> Hi security team.
>
> I'd be grateful if you could review this and let us know whether you
> believe a security update is necessary. A package with the fix backported
> has been prepared in
>
> http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
>
> although it has not yet been fully tested.

Any news about this?

Regards,
Ansgar
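The changelog quoted above describes a check that, without a wildcard, accepted any hostname merely beginning with the certificate's name (www.example.org accepted for a certificate naming www.exam). As an added illustration that is not the module's own code, the first function below reconstructs that class of defect (a pattern anchored only at the start) and the second shows an anchored, label-by-label comparison; the function names and hostnames are constructed for the example.

```python
import re


def match_hostname_prefix_bug(hostname: str, cert_name: str) -> bool:
    """Reconstruction of the described flaw (not IO::Socket::SSL's code):
    the certificate name becomes a pattern anchored only at the start, so a
    hostname that merely *begins* with the certificate name is accepted."""
    pattern = "^" + re.escape(cert_name).replace(r"\*", "[^.]*")
    return re.match(pattern, hostname, re.IGNORECASE) is not None


def match_hostname_fixed(hostname: str, cert_name: str) -> bool:
    """Anchored comparison: every label must match, the label counts must be
    equal, and '*' is honoured only as the whole leftmost label, matching
    exactly one label (so 'www.example.org.evil.test' cannot pass for
    'www.example.org', and '*.example.org' does not cover 'a.b.example.org')."""
    if not hostname or not cert_name:
        return False
    host_labels = hostname.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(cert_labels):
        return False
    if cert_labels[0] == "*":
        # Refuse over-broad wildcards such as '*.org' and an empty first label.
        if len(cert_labels) < 3 or host_labels[0] == "":
            return False
        return host_labels[1:] == cert_labels[1:]
    return host_labels == cert_labels


def compare(hostname: str, cert_name: str) -> tuple:
    """Return (buggy_result, fixed_result) for one hostname/certificate pair."""
    return (match_hostname_prefix_bug(hostname, cert_name),
            match_hostname_fixed(hostname, cert_name))


if __name__ == "__main__":
    # Constructed sample pairs; the first is the case from the changelog.
    for host, cert in [("www.example.org", "www.exam"),
                       ("www.example.org", "www.example.org"),
                       ("www.example.org.evil.test", "www.example.org"),
                       ("www.example.org", "*.example.org"),
                       ("a.b.example.org", "*.example.org")]:
        buggy, fixed = compare(host, cert)
        print(f"{host:28} vs {cert:18} prefix-bug={buggy!s:5} fixed={fixed}")
```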
