oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules

From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Wed, 19 Apr 2023 23:53:40 +0200
Demi Marie Obenour wrote in
 <ZD/4ODBjTesPMECg@itl-email>:
 |On Tue, Apr 18, 2023 at 05:46:30PM +0200, Stig Palmquist wrote:
 |> HTTP::Tiny v0.082, a Perl core module since v5.13.9 and available
 |> standalone on CPAN, does not verify TLS certs by default. Users must
 |> opt-in with the verify_SSL=>1 flag to verify certs when using HTTPS.
 ...
 |IMO this is an HTTP::Tiny vulnerability.

IMO it is no vulnerability at all since it has "always" been _very
clearly_ (even very lengthily) documented in the manual page.
(Really, even i got that right in my s-cdda-to-db.pl.)
Now you could say it could at build time, or at require time, or
what, do the equivalent to HTTP::Tiny::can_ssl() automatically and
itself, and make that the default (so that it kicks
automatically).
I am just wondering, since i for myself first test can_ssl() in
order to react accordingly, that is, how do i know?, through _it_.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Previous By Date Next
Previous By Thread Next

Current thread: