oss-sec mailing list archives
Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug
From: Tomas Hoger <thoger () redhat com>
Date: Mon, 31 Aug 2009 17:23:53 +0200
On Sat, 29 Aug 2009 20:45:53 +0200 Steffen Ullrich <Steffen_Ullrich () genua de> wrote:
> - the feature to help checking the hostname against the certificate is fairly new
Introduced in 1.14, unless I'm mistaken: http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.14/Changes

It may be good to have this listed in the CVE description.

Anyway, the prefix requirement is another mitigation, as one may not be able to get a valid certificate for a prefix of an arbitrary host name (though it may be easier for TLDs such as .com and .net via .co and .ne).

Speaking of prefixes, has anyone checked IO-Socket-SSL for CVE-2009-2408-like issues? If there is an issue, should it get fixed in IO-Socket-SSL or in Net-SSLeay?

-- Tomas Hoger / Red Hat Security Response Team
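The two hostname-check failure modes the thread touches on, as an added illustration that is not IO::Socket::SSL's or Net-SSLeay's code: a prefix-only comparison (where a certificate for a prefix such as `www.example.co` is accepted for `www.example.com`) next to a whole-name comparison, plus a model of the CVE-2009-2408 pattern where a name containing a NUL byte is silently cut short by C string handling. Written in Python for clarity; all hostnames are constructed and `attacker.test` is a placeholder.

```python
# Added illustration (not IO::Socket::SSL's code): how a prefix-only hostname
# check fails, next to a whole-name check that also rejects embedded NULs.

def as_c_string(name: str) -> str:
    """Model what a C-level comparison sees: everything after the first NUL
    byte is dropped, the CVE-2009-2408 pattern."""
    return name.split("\0", 1)[0]

def match_prefix_only(cert_name: str, host: str) -> bool:
    """Flawed check: the certificate name need only be a prefix of the
    requested host, so a cert for 'www.example.co' passes for
    'www.example.com'."""
    return host.lower().startswith(cert_name.lower())

def match_hostname(cert_name: str, host: str) -> bool:
    """Whole-name, case-insensitive match with one leftmost wildcard label;
    any embedded NUL is rejected rather than silently truncated."""
    if "\0" in cert_name or "\0" in host:
        return False
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name or not host:
        return False
    labels = cert_name.split(".")
    if "*" in cert_name:
        # Wildcard must be the entire leftmost label and must leave at least
        # two real labels, so '*.com' or 'w*.example.com' are refused.
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            return False
        host_labels = host.split(".")
        return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]
    return cert_name == host

def match_after_c_truncation(cert_name: str, host: str) -> bool:
    """What a checker that passes the name through a C string would decide."""
    return match_hostname(as_c_string(cert_name), host)

if __name__ == "__main__":
    # Constructed names; attacker.test is a placeholder domain.
    print(match_prefix_only("www.example.co", "www.example.com"))   # True: prefix flaw
    print(match_hostname("www.example.co", "www.example.com"))      # False
    nul_name = "www.example.com\0.attacker.test"
    print(match_hostname(nul_name, "www.example.com"))              # False
    print(match_after_c_truncation(nul_name, "www.example.com"))    # True: NUL flaw
```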