Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
Adam D. Barratt
adam at adam-barratt.org.uk
Fri Aug 7 17:22:34 UTC 2009
On Fri, 2009-08-07 at 11:30 +0100, Dominic Hargreaves wrote:
> On Wed, Jul 29, 2009 at 10:13:09PM +0100, Dominic Hargreaves wrote:
[...]
> > > > On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
[...]
> > > >> v1.26 2009.07.03
> > > >> - SECURITY BUGFIX!
> > > >> fix Bug in verify_hostname_of_cert where it matched only the prefix for
> > > >> the hostname when no wildcard was given, e.g. www.example.org matched
> > > >> against a certificate with name www.exam in it
> > > >> Thanks to MLEHMANN for reporting
> > > >>
> > > >> From inspecting the source this appears to apply to at least 1.24-1
> > > >> (testing) and 1.16-1 (stable).
[...]
> > I've heard nothing from the security team.
>
> Therefore may I upload to stable?
Please go ahead.
Regards,
Adam
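
The changelog entry quoted above describes a name check that accepted a certificate name matching only the start of the hostname. The Perl sketch below is an added example, not code from IO::Socket::SSL or from this thread: `match_prefix_only` and `match_full` are hypothetical functions, the test names are constructed, and the wildcard rule in `match_full` (a `*` only as the whole leftmost label) is an assumption, not the library's policy.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Flawed comparison (hypothetical, built to reproduce the behaviour the
# changelog describes): the certificate name is anchored at the start of the
# hostname only, so any leading fragment of the hostname is accepted.
sub match_prefix_only {
    my ($host, $cert_name) = @_;
    return $host =~ m{^\Q$cert_name\E}i ? 1 : 0;
}

# Whole-name comparison: case-insensitive and anchored at both ends.
# Assumption: '*' is honoured only as the entire leftmost label and stands
# for exactly one label; every other wildcard form is rejected.
sub match_full {
    my ($host, $cert_name) = @_;
    my ($h, $c) = (lc $host, lc $cert_name);
    if ($c =~ m{^\*\.(.+)\z}s) {
        my $suffix = $1;
        return 0 if index($suffix, '*') >= 0;
        return $h =~ m{^[^.]+\.\Q$suffix\E\z} ? 1 : 0;
    }
    return 0 if index($c, '*') >= 0;
    return $h eq $c ? 1 : 0;
}

# Constructed cases: [hostname, name in certificate, result a correct check gives]
my @cases = (
    ['www.example.org',             'www.exam',        0],  # case from the changelog
    ['www.example.org',             'www.example.org', 1],
    ['www.example.org',             'WWW.Example.ORG', 1],
    ['www.example.org.example.net', 'www.example.org', 0],  # name ends at a label boundary
    ['www.example.org',             '*.example.org',   1],
    ['a.b.example.org',             '*.example.org',   0],  # wildcard spans one label only
);

my $failures = 0;
for my $case (@cases) {
    my ($host, $name, $want) = @$case;
    my $flawed = match_prefix_only($host, $name);
    my $fixed  = match_full($host, $name);
    $failures++ if $fixed != $want;
    printf "%-28s cert=%-16s prefix-only=%d full=%d expected=%d\n",
        $host, $name, $flawed, $fixed, $want;
}
exit($failures ? 1 : 0);
```

The same cases work as a regression test against any hostname-verification routine: a check that returns true for the first or fourth row is comparing a prefix, not the whole name.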
More information about the pkg-perl-maintainers
mailing list