| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <dev-perl/IO-Socket-SSL-1.26: verify_hostname_of_cert() improper CN matching (CVE-2009-3024) | | |
| Product | Gentoo Security | Reporter | Torsten Veller (RETIRED) <tove> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | | |
| Priority | High | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.26/Changes | | |
| Whiteboard | B3 [glsa] | | |
| Package list | | Runtime testing required | --- |
Description
Torsten Veller (RETIRED)
2009-07-03 10:27:49 UTC
Arches, please test and mark stable: =dev-perl/IO-Socket-SSL-1.26

Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Stable for HPPA.

alpha/arm/ia64/s390/sh/sparc/x86 stable

amd64 stable

ppc64 done

ppc done

vote: YES

YES, too. Request filed.

CVE-2009-3024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3024): The verify_hostname_of_cert function in the certificate checking feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when no wildcard is used, which allows remote attackers to bypass the hostname check for a certificate.

GLSA 201101-06 addresses this issue, closing as fixed
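The CVE text above describes a hostname check that only matches the prefix of the certificate name. The following Perl script is an added teaching illustration, not IO::Socket::SSL's own code: it contrasts a reconstructed unanchored check (assumed shape of the flaw) with an anchored one, over constructed certificate names and hosts.

```perl
#!/usr/bin/perl
# Added teaching reconstruction of the bug class in CVE-2009-3024; this is
# not the IO::Socket::SSL source. A hostname check whose regex lacks an end
# anchor accepts any host that merely starts with the certificate's name.
use strict;
use warnings;

# Reconstructed vulnerable form (non-wildcard names only, as in the CVE text):
# the start is anchored with "^" but the end is not, so "www.example.com"
# also matches "www.example.com.attacker.test".
sub match_prefix_only {
    my ($cert_name, $host) = @_;
    return $host =~ m{^\Q$cert_name\E}i ? 1 : 0;
}

# Corrected form: anchor both ends with ^ and \z. A single leading "*." label
# may match exactly one DNS label (no dots); everything else is literal.
sub match_anchored {
    my ($cert_name, $host) = @_;
    my $pattern = $cert_name =~ /^\*\.(.+)\z/
        ? '^[^.]+\.' . quotemeta($1) . '\z'
        : '^' . quotemeta($cert_name) . '\z';
    return $host =~ m{$pattern}i ? 1 : 0;
}

# Constructed cases: [certificate name, host connected to, expected result].
my @cases = (
    ['www.example.com', 'www.example.com',                1],
    ['www.example.com', 'www.example.com.attacker.test',  0], # prefix bypass
    ['www.example.com', 'wwwXexample.com',                0], # "." is literal
    ['*.example.com',   'mail.example.com',               1],
    ['*.example.com',   'a.b.example.com',                0], # one label only
    ['*.example.com',   'mail.example.com.attacker.test', 0],
);

for my $case (@cases) {
    my ($cn, $host, $want) = @$case;
    my $got = match_anchored($cn, $host);
    printf "%-16s %-32s prefix-only=%d anchored=%d%s\n",
        $cn, $host, match_prefix_only($cn, $host), $got,
        $got == $want ? '' : '  <-- unexpected';
}
```

The second case is the one the CVE describes: the unanchored check returns 1 for a host that only begins with the certificate name, while the anchored check rejects it.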