Bug#669126: SSL validation in libwww-perl (CVE-2011-0633)

Salvatore Bonaccorso carnil at debian.org
Tue Apr 17 15:29:45 UTC 2012


Package: libwww-perl
Version: 5.836-1
Severity: minor
Tags: security

Hi Moritz

I'm forwarding this to the bugtracker to have it tracked there, I hope
this is okay.

On Mon, Apr 16, 2012 at 05:33:41PM +0200, Moritz Muehlenhoff wrote:
> I'd like to notify you of two minor security issues, one in Perl itself
> and the other in libwww-perl:
> 
> 1. CVE-2011-0663 has been assigned to this change from release 6.00:
> 
> For https://... default to verified connections with require IO::Socket::SSL
> and Mozilla::CA modules to be installed.  Old behaviour can be requested by
> setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0.  The
> LWP::UserAgent got new ssl_opts method to control this as well.
> 
> Petr Pisar from Red Hat made a backport to 5.837, which is close to what
> we have in stable: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0633
> 
> Maybe you want to backport this for one of the next point releases?

Regards,
Salvatore
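
Added example, not part of the original message or of libwww-perl: a Perl script that shows how the PERL_LWP_SSL_VERIFY_HOSTNAME variable and the ssl_opts constructor argument mentioned above determine whether an LWP::UserAgent verifies the peer. It assumes libwww-perl 6.x and Perl 5.12 or later; the helper name effective_setting is hypothetical, and no network connection is made.

```perl
#!/usr/bin/perl
# Added example. Assumes libwww-perl >= 6.00 is installed.
use strict;
use warnings;
use LWP::UserAgent;

# Build a user agent under a controlled environment and report whether
# hostname verification is in effect for it.
sub effective_setting {
    my ($env_value, %ctor_args) = @_;

    # Temporarily remove the variables LWP consults when choosing its default.
    # HTTPS_CA_FILE / HTTPS_CA_DIR are the Crypt::SSLeay compatibility
    # variables; when set they also switch the hostname check off by default.
    delete local @ENV{qw(PERL_LWP_SSL_VERIFY_HOSTNAME HTTPS_CA_FILE HTTPS_CA_DIR)};
    $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = $env_value if defined $env_value;

    my $ua = LWP::UserAgent->new(%ctor_args);
    return $ua->ssl_opts('verify_hostname') ? 'verified' : 'NOT verified';
}

# 1. Default since 6.00: verification is on.
printf "%-45s %s\n", 'default constructor, variable unset:',
    effective_setting(undef);

# 2. The "old behaviour" switch: anything that can set this variable for the
#    process disables the check for every default-constructed agent.
printf "%-45s %s\n", 'default constructor, variable set to 0:',
    effective_setting(0);

# 3. An explicit ssl_opts value takes precedence over the environment, so
#    code that must always verify should pin it in the constructor.
printf "%-45s %s\n", 'ssl_opts pinned, variable set to 0:',
    effective_setting(0, ssl_opts => { verify_hostname => 1 });
```

When reviewing a deployment, searching service unit files, wrapper scripts and cron entries for PERL_LWP_SSL_VERIFY_HOSTNAME=0 finds the places where case 2 applies.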