oss-sec mailing list archives
Re: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 4 May 2014 08:26:25 +0200
Hi,

On Fri, May 02, 2014 at 02:54:33PM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
>
> Package: libwww-perl
> Version: 6.06-1
> Tags: security
> Usertags: serious
>
> If LWP uses IO::Socket::SSL as SSL socket class (this is the default),
> setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!)
> server certificate verification:

An update on this issue for the affected versions: Steffen Ullrich
proposed a fix for this in [1]. The issue seems to be introduced in
LWP::Protocol::https in commit [2], which is version 6.04.

[1] https://github.com/libwww-perl/lwp-protocol-https/pull/14
[2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8

Regards,
Salvatore

Current thread:
- Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL Kurt Seifried (May 02)
- Re: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL Salvatore Bonaccorso (May 03)
- Re: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL cve-assign (May 06)