oss-sec mailing list archives
Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules
From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Thu, 4 May 2023 16:50:53 -0400
On May 4, 2023, at 2:23 PM, Rainer Canavan <rainer.canavan () avenga com> wrote:
> I'd suspect that the issue in HTTP::Tiny would end up DISPUTED, since not validating TLS names is not the generally expected behavior, although it is documented (in bold no less).
I would also expect it to be at most disputed, not rejected. As Jeffrey Walton noted, failing to validate a certificate is considered by many to be a vulnerability; there's even a specific CWE for this case: https://cwe.mitre.org/data/definitions/295.html

Per the OP:
On Apr 18, 2023, at 11:46 AM, Stig Palmquist <stig () stig io> wrote:
> ... We have generated a list of over 300 potentially affected CPAN distributions.
A default that potentially causes over 300 other vulnerabilities sounds like a root cause vulnerability to me. Clearly many users do *not* treat this as expected behavior. A change of the default would, for many, produce the expected behavior.

--- David A. Wheeler
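For readers who maintain code that depends on HTTP::Tiny, the following is an added illustration of the point under discussion (it is not code from the thread, from HTTP::Tiny, or from CPAN.pm): it shows a client constructed with certificate verification turned on explicitly, so that the result does not depend on whichever default the installed release ships with, next to a client that relies on that default, and a fail-closed wrapper that refuses https requests unless verification is enabled. It uses only the documented `verify_SSL` attribute and `can_ssl` method of HTTP::Tiny; `fetch_verified`, `verifies_tls` and the URL at the bottom are assumed names chosen for this example.

```perl
#!/usr/bin/env perl
# Added example (not from the oss-sec thread or the HTTP::Tiny project):
# make TLS certificate verification explicit instead of relying on the
# module default, and refuse to talk https if it is not enabled.
use strict;
use warnings;
use HTTP::Tiny;

# Returns 1 if the client object will verify the server certificate,
# 0 otherwise.  verify_SSL is HTTP::Tiny's documented attribute accessor.
sub verifies_tls {
    my ($ua) = @_;
    return $ua->verify_SSL ? 1 : 0;
}

# Hardened client: verification is requested explicitly, so the outcome
# is the same whether the installed release defaults it to false (older
# releases, the subject of this thread) or to true.
my $secure = HTTP::Tiny->new(
    verify_SSL => 1,
    timeout    => 30,
);

# Client that inherits whatever the installed version's default is.
my $default = HTTP::Tiny->new( timeout => 30 );

printf "HTTP::Tiny %s\n", $HTTP::Tiny::VERSION;
printf "explicit client verifies TLS: %d\n", verifies_tls($secure);
printf "default  client verifies TLS: %d\n", verifies_tls($default);

# can_ssl (list context) reports whether SSL support is usable for this
# client; with verify_SSL set it also checks that a CA bundle was found.
my ( $ssl_ok, $why ) = $secure->can_ssl;
print "SSL support: ", ( $ssl_ok ? "available" : "unavailable ($why)" ), "\n";

# Fail closed: an https URL is only fetched through a verifying client.
# Assumed helper name; returns the response body or dies.
sub fetch_verified {
    my ( $ua, $url ) = @_;
    die "refusing https request without certificate verification\n"
        if $url =~ m{^https://}i && !verifies_tls($ua);
    my $res = $ua->get($url);
    die "$res->{status} $res->{reason}\n" unless $res->{success};
    return $res->{content};
}

# Usage (requires network; hypothetical URL):
# my $body = fetch_verified( $secure, 'https://example.invalid/' );
# fetch_verified( $default, 'https://example.invalid/' ) dies on releases
# whose default is verify_SSL => 0.
```

Passing `verify_SSL => 1` explicitly is the portable fix for application code: it is harmless on releases that already default to verification and closes the gap on those that do not. The `can_ssl` check is worth keeping in deployment smoke tests, since verification silently depends on IO::Socket::SSL and a reachable CA bundle being present on the host.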