oss-sec mailing list archives
Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug
From: Steffen Ullrich <Steffen_Ullrich () genua de>
Date: Sat, 29 Aug 2009 20:45:53 +0200
Hi, Just to make you able to classify the problem a bit more: The fix is important but the impact of the problem is in my opinion currently minor, because - the feature to help checking the hostname against the certificate is fairly new - in former times the apps/modules using IO::Socket::SSL had to implement the checking by itself (using the appropriate logic, which differs between various protocols). - most did not implement any checking at all or implemented a limited or wrong check - therefore I added the checks, where the app only has to decide how the check has to be done - most apps/modules don't even do this simple thing yet, so that this buggy feature was not used That means, that it only impacts apps/modules which depend on this feature and there are only few (or none) of these apps. But it would probably be nice to add a note to the CVE that apps/modules should start to implement proper certificate checking and that it got easier with newer IO::Socket::SSL versions. Regards, Steffen (Maintainer of IO::Socket::SSL) On Fri, Aug 28, 2009 at 09:20:22AM +0200, Ludwig Nussel <ludwig.nussel () suse de> wrote:
Hi, IO-Socket-SSL was released a while ago with a security fix: http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.30/Changes v1.26 2009.07.03 - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched only the prefix for the hostname when no wildcard was given, e.g. www.example.org matched against a certificate with name www.exam in it Thanks to MLEHMANN for reporting cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999 Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht München HRB 98238
Current thread:
- CVE request: perl-IO-Socket-SSL certificate hostname compare bug Ludwig Nussel (Aug 28)
- Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 29)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
- Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 29)