SSL validation in libwww-perl (CVE-2011-0633) / bsd_glob() crash in Perl interpreter (CVE-2011-2728)

Moritz Muehlenhoff jmm at debian.org
Mon Apr 16 15:33:41 UTC 2012


Dear Perl maintainers,
I'd like to notify you of two minor security issues, one in Perl itself
and the other in libwww-perl:

1. CVE-2011-0633 has been assigned to this change from release 6.00:

For https://... default to verified connections with require IO::Socket::SSL
and Mozilla::CA modules to be installed.  Old behaviour can be requested by
setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0.  The
LWP::UserAgent got new ssl_opts method to control this as well.

Petr Pisar from Red Hat made a backport to 5.837, which is close to what
we have in stable: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0633

Maybe you want to backport this for one of the next point releases?

2. CVE-2011-2728 has been assigned to this bug in bsd_glob(). The Red Hat
bugzilla explains fairly well why this isn't a security bug in
practice. However, since the patch is straightforward you might want
to piggy-back it, if you plan further Perl changes for point updates.

Cheers,
        Moritz
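As an added illustration of the LWP 6.00 change described in point 1 (example code, not part of the mailing list post or of libwww-perl itself): a client that pins the post-6.00 behaviour explicitly via ssl_opts, contrasted with the pre-6.00 unverified setting, and that refuses to run if PERL_LWP_SSL_VERIFY_HOSTNAME would silently turn verification back off. It assumes IO::Socket::SSL and Mozilla::CA are installed, and the URL is a placeholder.

```perl
#!/usr/bin/perl
# Added example, not from the original post: explicit TLS verification
# settings for LWP::UserAgent (libwww-perl >= 6.00).
use strict;
use warnings;
use LWP::UserAgent;
use Mozilla::CA;

# LWP passes the environment value straight through as verify_hostname,
# so any false value (e.g. "0") disables certificate and hostname checks.
sub env_disables_verification {
    my $v = $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME};
    return (defined $v && !$v) ? 1 : 0;
}

# Hardened client: verify the chain against the Mozilla CA bundle and
# check the hostname, independent of environment variables.
sub make_verified_ua {
    return LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,
            SSL_ca_file     => Mozilla::CA::SSL_ca_file(),
        },
    );
}

# Legacy (pre-6.00) behaviour, shown only for contrast: any certificate,
# including one presented by an interposed host, is accepted.
sub make_unverified_ua {
    return LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
}

# Report the effective setting of a client so it can be logged or asserted.
sub verification_enabled {
    my ($ua) = @_;
    return $ua->ssl_opts('verify_hostname') ? 1 : 0;
}

if (env_disables_verification()) {
    die "PERL_LWP_SSL_VERIFY_HOSTNAME disables TLS verification; refusing to run\n";
}

my $ua = make_verified_ua();
printf "verify_hostname=%d\n", verification_enabled($ua);
my $res = $ua->get('https://example.com/');   # placeholder URL
print $res->is_success
    ? "OK: verified TLS connection\n"
    : "Error: " . $res->status_line . "\n";   # e.g. certificate verify failed
```

With verification on, a hostname mismatch or untrusted chain surfaces as a failed request (status line "500 Can't connect ...") rather than a silently accepted connection.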