oss-sec mailing list archives

Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules


From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Thu, 4 May 2023 16:50:53 -0400


On May 4, 2023, at 2:23 PM, Rainer Canavan <rainer.canavan () avenga com> wrote:
I'd suspect that the issue in
HTTP::Tiny would end up DISPUTED, since not validating TLS names is
not the generally expected behavior, although it is documented (in
bold no less).

I would also expect it to be at most disputed, not rejected.
As Jeffry Walton noted, failing to validate a certificate is considered
by many to be a vulnerability; there's even a specific CWE for this case:
https://cwe.mitre.org/data/definitions/295.html

Per the OP:

On Apr 18, 2023, at 11:46 AM, Stig Palmquist <stig () stig io> wrote:
... We have generated a list of over 300 potentially affected
CPAN distributions.

A default that potentially causes over 300 other vulnerabilities sounds like
a root cause vulnerability to me. Clearly many users do *not* treat this as expected behavior.
A change of the default would, for many, produce the expected behavior.

--- David A. Wheeler
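An added example, not part of the thread, showing the HTTP::Tiny default under discussion beside the hardened configuration; the hostname is a placeholder and the script assumes IO::Socket::SSL and a CA bundle are installed:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# Constructed example: the hostname is a placeholder, not a real host.
my $url = 'https://example.invalid/';

# Weak default (HTTP::Tiny at the time of this thread): without verify_SSL
# the client checks neither the certificate chain nor the hostname, so a
# self-signed or spoofed certificate is silently accepted (CWE-295).
my $insecure = HTTP::Tiny->new();

# Hardened: verify_SSL => 1 enables chain and hostname verification.
# Needs IO::Socket::SSL and a CA bundle (e.g. Mozilla::CA) at runtime.
my $secure = HTTP::Tiny->new(verify_SSL => 1);

# Check that TLS verification is actually available before relying on it;
# can_ssl returns (ok, reason) in list context.
my ($ok, $why) = $secure->can_ssl;
die "TLS verification unavailable: $why" unless $ok;

for my $client ($insecure, $secure) {
    my $res = $client->get($url);
    # With verify_SSL => 1, a certificate or hostname mismatch yields
    # status 599 (internal exception) and the SSL error in content;
    # the default client would have returned the page instead.
    printf "verify_SSL=%d: %s %s\n",
        $client->verify_SSL ? 1 : 0,
        $res->{status},
        $res->{success} ? 'ok' : $res->{reason};
}
```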

