Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 276360 (CVE-2009-3024) - <dev-perl/IO-Socket-SSL-1.26: verify_hostname_of_cert() improper CN matching (CVE-2009-3024)
Summary: <dev-perl/IO-Socket-SSL-1.26: verify_hostname_of_cert() improper CN matching ...
Alias: CVE-2009-3024
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2009-07-03 10:27 UTC by Torsten Veller (RETIRED)
Modified: 2013-10-11 14:15 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Torsten Veller (RETIRED) gentoo-dev 2009-07-03 10:27:49 UTC
v1.26 2009.07.03
  fix Bug in verify_hostname_of_cert where it matched only the prefix for 
  the hostname when no wildcard was given, e.g. matched
  against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting

dev-perl/IO-Socket-SSL-1.26 is in the tree
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-03 11:54:05 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-03 13:55:37 UTC
Stable for HPPA.
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2009-07-04 14:58:46 UTC
alpha/arm/ia64/s390/sh/sparc/x86 stable
Comment 4 Markus Meier gentoo-dev 2009-07-05 12:46:58 UTC
amd64 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:22:55 UTC
ppc64 done
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:23:02 UTC
ppc done
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 11:40:42 UTC
vote: YES
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 18:07:11 UTC
YES, too. Request filed.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-01 11:03:31 UTC
CVE-2009-3024 (
  The verify_hostname_of_cert function in the certificate checking
  feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only
  matches the prefix of a hostname when no wildcard is used, which
  allows remote attackers to bypass the hostname check for a

Comment 10 Sergey Popov gentoo-dev 2013-10-11 14:15:37 UTC
GLSA 201101-06 addresses this issue, closing as fixed