From $URL:

v1.35 2010.12.06
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid it will no longer fall back to VERIFY_NONE but throw an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for pointing out the problem, see also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058

From the Secunia advisory at http://secunia.com/advisories/42508/:

A security issue has been reported in Perl IO::Socket::SSL, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to IO::Socket::SSL silently falling back to the "VERIFY_NONE" verification mode if another verification mode is defined but no valid ca_file or ca_path is provided. This can be exploited to e.g. bypass the expected verification mode and conduct spoofing attacks.
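The fallback described above is a library-side downgrade, so an application on a version before 1.35 can only defend itself by refusing to build the socket when the CA material it was told to trust is not actually there. The following Perl is an added example written for this thread, not code from IO::Socket::SSL or the Gentoo bug; the host, port and CA paths are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the bug thread): refuse to construct an
# IO::Socket::SSL client unless the CA file/path is readable, so a
# missing ca_file can never be silently downgraded to VERIFY_NONE.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

# Build the option list for IO::Socket::SSL->new, or die. A missing
# CA file is treated as a configuration error here, before any
# network I/O happens, rather than left for the library to handle.
sub strict_ssl_opts {
    my (%o) = @_;
    my $mode = defined $o{verify_mode} ? $o{verify_mode} : SSL_VERIFY_PEER;
    die "refusing to connect with VERIFY_NONE\n" if $mode == SSL_VERIFY_NONE;

    my @ca;
    if (defined $o{ca_file}) {
        die "SSL_ca_file '$o{ca_file}' is not a readable file\n"
            unless -f $o{ca_file} && -r _;
        @ca = (SSL_ca_file => $o{ca_file});
    } elsif (defined $o{ca_path}) {
        die "SSL_ca_path '$o{ca_path}' is not a directory\n"
            unless -d $o{ca_path};
        @ca = (SSL_ca_path => $o{ca_path});
    } else {
        die "no ca_file or ca_path given; cannot verify the peer\n";
    }
    return (
        SSL_verify_mode     => $mode,
        @ca,
        SSL_verifycn_scheme => 'http',      # also check the certificate name
        SSL_verifycn_name   => $o{host},
    );
}

# Connect only after the guard above has passed.
sub connect_verified {
    my ($host, $port, %ca) = @_;
    return IO::Socket::SSL->new(
        PeerHost => $host,
        PeerPort => $port,
        strict_ssl_opts(host => $host, %ca),
    ) || die "TLS connect to $host:$port failed: $IO::Socket::SSL::SSL_ERROR\n";
}

# Constructed check: a bogus CA file dies before any connection attempt.
eval { strict_ssl_opts(host => 'example.invalid', ca_file => '/nonexistent/ca.pem') };
print "guard triggered: $@" if $@;
```

On 1.35 and later the library itself raises an error in this situation; the guard still gives a clearer message and fails before any socket is opened.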
dev-perl/IO-Socket-SSL-1.35 is in the tree now
Arches, please test and mark stable: =dev-perl/IO-Socket-SSL-1.35 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Well on my x86 (*) my amd64 machine is down at the moment :)
x86 done. Thanks agostino.
Stable for HPPA.
Tested OK on SPARC, passed all its tests. Can stabilise.
Stable for PPC.
This has been assigned CVE-2010-4334. http://www.openwall.com/lists/oss-security/2010/12/07/4
arm stable
amd64 ok
ppc64 done
amd64 done. Thanks Agostino
alpha/ia64/s390/sh/sparc stable
GLSA Vote: No.
GLSA Vote: no, closing noglsa.