oss-sec mailing list archives
Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules
From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Wed, 19 Apr 2023 23:53:40 +0200
Demi Marie Obenour wrote in
 <ZD/4ODBjTesPMECg@itl-email>:
 |On Tue, Apr 18, 2023 at 05:46:30PM +0200, Stig Palmquist wrote:
 |> HTTP::Tiny v0.082, a Perl core module since v5.13.9 and available
 |> standalone on CPAN, does not verify TLS certs by default. Users must
 |> opt-in with the verify_SSL=>1 flag to verify certs when using HTTPS.
 ...
 |IMO this is an HTTP::Tiny vulnerability.

IMO it is no vulnerability at all since it has "always" been _very
clearly_ (even very lengthily) documented in the manual page.
(Really, even i got that right in my s-cdda-to-db.pl.)

Now you could say it could at build time, or at require time, or
what, do the equivalent to HTTP::Tiny::can_ssl() automatically and
itself, and make that the default (so that it kicks automatically).
I am just wondering, since i for myself first test can_ssl() in
order to react accordingly, that is, how do i know?, through _it_.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
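The pattern the reply describes (test can_ssl() first, then opt in to verification) side by side with the insecure default, as an added example. This is editor-supplied illustration code, not code from the original thread, from HTTP::Tiny or from s-cdda-to-db.pl; the target URL is a placeholder, and the commented-out SSL_ca_file path is an assumed location for a system CA bundle.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# Placeholder target (assumption, not from the original post); pass a real
# https:// URL as the first argument to try an actual fetch.
my $url = @ARGV ? shift @ARGV : 'https://example.invalid/';

# The insecure default: verify_SSL is off, so any certificate is accepted
# and the peer's hostname is never checked against it.
my $insecure = HTTP::Tiny->new(timeout => 15);

# Hardened client: opt in to certificate and hostname verification.
# SSL_options is handed through to IO::Socket::SSL; uncomment SSL_ca_file
# to pin a specific CA bundle instead of relying on Mozilla::CA.
my $verified = HTTP::Tiny->new(
    verify_SSL => 1,
    timeout    => 15,
    # SSL_options => { SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt' },
);

# Ask HTTP::Tiny itself whether TLS *with verification* can work.  Called as
# an object method on a verify_SSL client, can_ssl() also checks that a CA
# store is available; in list context it returns the reason on failure, so
# "IO::Socket::SSL missing" and "no CA file" are distinguishable.
my ($ok, $why) = $verified->can_ssl;
die "cannot do verified TLS, refusing to fall back to unverified: $why\n"
    unless $ok;

for my $pair ([insecure => $insecure], [verified => $verified]) {
    my ($label, $ua) = @$pair;
    my $res = $ua->get($url);

    # A failed handshake (including a rejected certificate) surfaces as a
    # synthetic 599 response whose content carries the error text, so a
    # caller that only looks at {success} still sees the failure.
    if ($res->{success}) {
        printf "%-8s OK   %s %s\n", $label, $res->{status}, $res->{reason};
    }
    elsif ($res->{status} == 599) {
        printf "%-8s TLS/connection failure: %s\n", $label, $res->{content};
    }
    else {
        printf "%-8s HTTP %s %s\n", $label, $res->{status}, $res->{reason};
    }
}
```

Against a host presenting a self-signed or mismatched certificate the first client reports success while the second reports a 599 with the IO::Socket::SSL verification error; the die before the loop is the point of the reply: a program that checks can_ssl() on the verifying client knows up front whether it can verify, instead of silently degrading to an unverified connection.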
Current thread:
- Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Stig Palmquist (Apr 18)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Demi Marie Obenour (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Hanno Böck (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Jeffrey Walton (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Matthew Fernandez (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Demi Marie Obenour (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)