oss-sec mailing list archives

CVE request: perl-IO-Socket-SSL certificate hostname compare bug


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Fri, 28 Aug 2009 09:20:22 +0200

Hi,

IO-Socket-SSL was released a while ago with a security fix:

http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.30/Changes
v1.26 2009.07.03
- SECURITY BUGFIX! 
  fix Bug in verify_hostname_of_cert where it matched only the prefix for 
  the hostname when no wildcard was given, e.g. www.example.org matched
  against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
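
The prefix-only match described in the changelog entry, shown next to a whole-name comparison. This is an added illustration, not code from IO::Socket::SSL or from the original post; the sub names and the hostname/certificate pairs are constructed, and the wildcard rule used here (leftmost label only, one label deep) is an assumption of the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers modelling the behaviour the changelog describes;
# none of this is taken from the IO::Socket::SSL source.

# Shared wildcard path: "*.suffix" covers exactly one leftmost label.
# Returns nothing when the certificate name is not a wildcard name.
sub wildcard_match {
    my ($host, $cert_name) = @_;
    return unless $cert_name =~ /^\*\.(.+)\z/;
    my $suffix = $1;
    return $host =~ /^[^.]+\.\Q$suffix\E\z/i ? 1 : 0;
}

# Flawed non-wildcard path: anchored at the start only, so a certificate
# name that is just a prefix of the hostname is accepted.
sub match_prefix_only {
    my ($host, $cert_name) = @_;
    my $w = wildcard_match($host, $cert_name);
    return $w if defined $w;
    return $host =~ /^\Q$cert_name\E/i ? 1 : 0;
}

# Corrected non-wildcard path: the whole name must be equal.
sub match_full {
    my ($host, $cert_name) = @_;
    my $w = wildcard_match($host, $cert_name);
    return $w if defined $w;
    return lc($host) eq lc($cert_name) ? 1 : 0;
}

# Constructed pairs: [hostname being verified, name in the certificate]
my @cases = (
    ['www.example.org',      'www.example.org'],  # exact name
    ['www.example.org',      'www.exam'],         # case from the changelog
    ['www.example.org.test', 'www.example.org'],  # same flaw, longer hostname
    ['www.example.org',      '*.example.org'],    # one-label wildcard
    ['a.b.example.org',      '*.example.org'],    # wildcard spanning two labels
);

printf "%-22s %-18s %-7s %s\n", 'hostname', 'cert name', 'flawed', 'fixed';
for my $c (@cases) {
    my ($host, $name) = @$c;
    printf "%-22s %-18s %-7s %s\n", $host, $name,
        match_prefix_only($host, $name) ? 'accept' : 'reject',
        match_full($host, $name)        ? 'accept' : 'reject';
}
```

Rows where the two columns disagree are the ones a regression test for a hostname verifier should pin down.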

