v1.26 2009.07.03
- SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched only the prefix for the hostname when no wildcard was given, e.g. www.example.org matched against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting
dev-perl/IO-Socket-SSL-1.26 is in the tree
Arches, please test and mark stable:
=dev-perl/IO-Socket-SSL-1.26
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
alpha/arm/ia64/s390/sh/sparc/x86 stable
amd64 stable
ppc64 done
ppc done
vote: YES
YES, too. Request filed.
CVE-2009-3024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3024): The verify_hostname_of_cert function in the certificate checking feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when no wildcard is used, which allows remote attackers to bypass the hostname check for a certificate.
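The flaw described in the CVE text above, shown as an added illustration that is not part of this bug report and is not the IO::Socket::SSL source. The function names and sample hostnames are constructed, and the wildcard rule used here (a leading "*." covers exactly one label) is an assumption made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustrative matchers only (hypothetical names, not the module's code).
# Both take the host the client asked for and one name from the certificate.

# Shared wildcard path: a leading "*." stands for exactly one non-empty label.
# Returns undef when the certificate name carries no wildcard.
sub match_wildcard {
    my ($host, $cert_name) = @_;
    return undef unless $cert_name =~ /^\*\.(.+)\z/;
    my $suffix = $1;
    return $host =~ /^[^.]+\.\Q$suffix\E\z/i ? 1 : 0;
}

# Flawed: without a wildcard the pattern is anchored at the start only, so a
# certificate name that is merely a prefix of the requested host is accepted.
sub match_prefix_only {
    my ($host, $cert_name) = @_;
    my $w = match_wildcard($host, $cert_name);
    return $w if defined $w;
    return $host =~ /^\Q$cert_name\E/i ? 1 : 0;
}

# Corrected: without a wildcard the whole name must equal the host,
# compared case-insensitively. Empty names never match.
sub match_whole_name {
    my ($host, $cert_name) = @_;
    return 0 unless length $host && length $cert_name;
    my $w = match_wildcard($host, $cert_name);
    return $w if defined $w;
    return lc($host) eq lc($cert_name) ? 1 : 0;
}

# Constructed cases: [requested host, name in certificate]
my @cases = (
    [ 'www.example.org',  'www.exam' ],         # the case from the changelog
    [ 'www.example.org',  'www.example.org' ],
    [ 'WWW.Example.Org',  'www.example.org' ],
    [ 'mail.example.org', 'www.example.org' ],
    [ 'www.example.org',  '*.example.org' ],
    [ 'a.b.example.org',  '*.example.org' ],
);

printf "%-18s %-18s %-12s %s\n", 'host', 'cert name', 'prefix-only', 'whole-name';
for my $c (@cases) {
    my ($host, $name) = @$c;
    printf "%-18s %-18s %-12s %s\n", $host, $name,
        match_prefix_only($host, $name) ? 'ACCEPT' : 'reject',
        match_whole_name($host, $name)  ? 'ACCEPT' : 'reject';
}
```

Only the first row differs between the two columns, which makes that constructed case a suitable regression test for any hostname-verification routine.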
GLSA 201101-06 addresses this issue, closing as fixed