SSL validation in libwww-perl (CVE-2011-0633) / bsd_glob() crash in Perl interpreter (CVE-2011-2728)

Moritz Muehlenhoff jmm at
Mon Apr 16 15:33:41 UTC 2012

Dear Perl maintainers,
I'd like to you notify of two minor security issues, one in Perl itself
and the other in libwww-perl:

1. CVE-2011-0663 has been assigned to this change from release 6.00:

For https://... default to verified connections with require IO::Socket::SSL
and Mozilla::CA modules to be installed.  Old behaviour can be requested by
setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0.  The
LWP::UserAgent got new ssl_opts method to control this as well.

Petr Pisar from Red Hat made a backport to 5.837, which is close to what
we have in stable:

Maybe you want to backport this for one of the next point releases?

2. 2011-2728 has been assigned to this bug in bsd_glob(). The Red Hat
bugzilla explains fairly well why this isn't a security bug in
practice. However, since the patch is straight-forward you might want
to piggy-back it, if you plan further Perl changes for point updates.


More information about the pkg-perl-maintainers mailing list