Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
Dominic Hargreaves
dom at earth.li
Wed Jul 29 21:13:09 UTC 2009
On Mon, Jul 27, 2009 at 11:17:43AM +0200, Ansgar Burchardt wrote:
> Hi,
>
> Dominic Hargreaves <dom at earth.li> writes:
>
> > On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> >
> >> 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> >> security issue:
> >>
> >> v1.26 2009.07.03
> >> - SECURITY BUGFIX!
> >> fix Bug in verify_hostname_of_cert where it matched only the prefix for
> >> the hostname when no wildcard was given, e.g. www.example.org matched
> >> against a certificate with name www.exam in it
> >> Thanks to MLEHMANN for reporting
> >>
> >> From inspecting the source this appears to apply to at least 1.24-1
> >> (testing) and 1.16-1 (stable).
> >
> > Hi security team.
> >
> > I'd be grateful if you could review this and let us know whether you
> > believe a security update is necessary. A package with the fix backported
> > has been prepared in
> >
> > http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
> >
> > although it has not yet been fully tested.
>
> Any news about this?
I've heard nothing from the security team.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
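The changelog quoted above describes the defect only in outline: with no wildcard in the certificate name, verify_hostname_of_cert accepted any hostname that merely began with that name. The following is an added illustration, not IO::Socket::SSL's code and not a transcription of the actual fix. The page does not show how the Perl matcher was written, so the "vulnerable" function below assumes an unanchored regex as the cause of the prefix match; the "fixed" function is an ordinary exact match for plain names plus single-label leftmost-wildcard matching. Hostnames and certificate names are constructed sample inputs.

```python
import re


def match_cert_name_vulnerable(cert_name: str, hostname: str) -> bool:
    """Illustrative re-creation of the prefix-match bug (assumption, not the
    original Perl code). Wildcard names are anchored at both ends, but a
    plain name is only anchored at the start, so 'www.exam' accepts
    'www.example.org'."""
    cert_name = cert_name.lower()
    hostname = hostname.lower()
    if "*" in cert_name:
        pattern = re.escape(cert_name).replace(r"\*", r"[^.]*")
        return re.match("^" + pattern + "$", hostname) is not None
    # Bug: no end anchor, so any hostname that starts with cert_name passes.
    return re.match("^" + re.escape(cert_name), hostname) is not None


def match_cert_name_fixed(cert_name: str, hostname: str) -> bool:
    """Hardened matcher: a plain name must equal the hostname exactly
    (case-insensitively); a wildcard is only honoured as the entire leftmost
    label and must cover at least two further labels, so '*.example.org'
    matches 'www.example.org' but not 'a.b.example.org' or 'example.org'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    labels = cert_name.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False  # '*' only allowed as the whole leftmost label
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def verify_hostname(hostname: str, cert_names: list, matcher) -> bool:
    """True if any name presented by the certificate (constructed list of
    CN/SAN dNSName values) matches the hostname under the given matcher."""
    return any(matcher(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed scenario from the changelog: a certificate for 'www.exam'
    # presented to a client connecting to 'www.example.org'.
    presented = ["www.exam"]
    print("vulnerable:", verify_hostname("www.example.org", presented,
                                         match_cert_name_vulnerable))
    print("fixed:     ", verify_hostname("www.example.org", presented,
                                         match_cert_name_fixed))
```

The check a practitioner wants when reviewing any hostname matcher is the one the vulnerable function fails: a plain certificate name must match the whole hostname, not a prefix of it, and a wildcard must never be allowed to span a dot or sit anywhere but the leftmost label.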