oss-sec mailing list archives

Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug

From: Steffen Ullrich <Steffen_Ullrich () genua de>
Date: Sat, 29 Aug 2009 20:45:53 +0200

Hi,

Just to make you able to classify the problem a bit more:
The fix is important but the impact of the problem is in my opinion currently minor,
because
- the feature to help checking the hostname against the certificate is fairly new
- in former times the apps/modules using IO::Socket::SSL had to implement
  the checking by itself (using the appropriate logic, which differs between
  various protocols).
- most did not implement any checking at all or implemented a limited or wrong check
- therefore I added the checks, where the app only has to decide how the check
  has to be done
- most apps/modules don't even do this simple thing yet, so that this buggy
  feature was not used

That means, that it only impacts apps/modules which depend on this feature
and there are only few (or none) of these apps. But it would probably be nice
to add a note to the CVE that apps/modules should start to implement proper 
certificate checking and that it got easier with newer IO::Socket::SSL
versions.

Regards,
Steffen (Maintainer of IO::Socket::SSL)


On Fri, Aug 28, 2009 at 09:20:22AM +0200, Ludwig Nussel <ludwig.nussel () suse de> wrote:

Hi,

IO-Socket-SSL was released a while ago with a security fix:

http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.30/Changes
v1.26 2009.07.03
- SECURITY BUGFIX! 
  fix Bug in verify_hostname_of_cert where it matched only the prefix for 
  the hostname when no wildcard was given, e.g. www.example.org matched
  against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)


-- 
GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999

Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht München HRB 98238

Current thread:

CVE request: perl-IO-Socket-SSL certificate hostname compare bug Ludwig Nussel (Aug 28)
- Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 29)
  - Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
    - Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 31)
    - Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
    - Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 31)
- Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steven M. Christey (Aug 31)