Bug 276360 (CVE-2009-3024) - <dev-perl/IO-Socket-SSL-1.26: verify_hostname_of_cert() improper CN matching (CVE-2009-3024)
Summary: <dev-perl/IO-Socket-SSL-1.26: verify_hostname_of_cert() improper CN matching ...
Status: RESOLVED FIXED
Alias: CVE-2009-3024
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://cpansearch.perl.org/src/SULLR/...
Whiteboard: B3 [glsa]
Reported: 2009-07-03 10:27 UTC by Torsten Veller (RETIRED)
Modified: 2013-10-11 14:15 UTC
Description Torsten Veller (RETIRED) gentoo-dev 2009-07-03 10:27:49 UTC
v1.26 2009.07.03
- SECURITY BUGFIX! 
  fix Bug in verify_hostname_of_cert where it matched only the prefix for 
  the hostname when no wildcard was given, e.g. www.example.org matched
  against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting

dev-perl/IO-Socket-SSL-1.26 is in the tree
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-03 11:54:05 UTC
Arches, please test and mark stable:
=dev-perl/IO-Socket-SSL-1.26
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-03 13:55:37 UTC
Stable for HPPA.
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2009-07-04 14:58:46 UTC
alpha/arm/ia64/s390/sh/sparc/x86 stable
Comment 4 Markus Meier gentoo-dev 2009-07-05 12:46:58 UTC
amd64 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:22:55 UTC
ppc64 done
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:23:02 UTC
ppc done
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 11:40:42 UTC
vote: YES
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 18:07:11 UTC
YES, too. Request filed.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-01 11:03:31 UTC
CVE-2009-3024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3024):
  The verify_hostname_of_cert function in the certificate checking
  feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only
  matches the prefix of a hostname when no wildcard is used, which
  allows remote attackers to bypass the hostname check for a
  certificate.
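As an added illustration of the matching defect described in the CVE text above (example code written for this page, not IO::Socket::SSL's own implementation; the hostnames and certificate names in the cases are constructed): a hostname check that anchors the certificate name only at the start of the hostname, beside a corrected version that anchors both ends and confines a wildcard to the leftmost label.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical matcher reproducing the defect class: the certificate name becomes a
# pattern anchored at the start only, so any hostname that merely *begins* with the
# certificate name passes (e.g. cert name "www.exam" accepts host "www.example.org").
sub match_cn_prefix_only {
    my ($hostname, $cn) = @_;
    my $pattern = quotemeta($cn);        # "." in the cert name must stay literal
    $pattern =~ s/\\\*/[^.]*/;           # turn a literal "*" into a single-label wildcard
    return $hostname =~ /^$pattern/i ? 1 : 0;   # no end anchor: prefix match
}

# Corrected matcher: the whole hostname must equal the certificate name, and a
# wildcard is accepted only as the entire leftmost label ("*.example.org").
sub match_cn_fixed {
    my ($hostname, $cn) = @_;
    my $pattern;
    if ($cn =~ /^\*\.(.+)$/) {
        # "[^.]+" requires a non-empty label and cannot cross a "." boundary,
        # so "*.example.org" does not match "a.b.example.org".
        $pattern = '[^.]+\.' . quotemeta($1);
    } else {
        $pattern = quotemeta($cn);
    }
    # \A and \z anchor both ends: a longer hostname sharing the prefix is rejected.
    return $hostname =~ /\A$pattern\z/i ? 1 : 0;
}

# Constructed cases: [hostname the client connected to, name found in the certificate]
my @cases = (
    ['www.example.org', 'www.exam'],        # cert name is only a prefix of the hostname
    ['www.example.org', 'www.example.org'], # exact match, accepted by both
    ['www.example.org', '*.example.org'],   # wildcard in the leftmost label, accepted by both
    ['a.b.example.org', '*.example.org'],   # wildcard must not span two labels
);

for my $case (@cases) {
    my ($host, $cn) = @$case;
    printf "%-18s vs %-18s prefix-only: %d   fixed: %d\n",
        $host, $cn, match_cn_prefix_only($host, $cn), match_cn_fixed($host, $cn);
}
```

The first case is the one the changelog describes: the prefix-only matcher reports 1 for "www.example.org" against a certificate naming "www.exam", while the fixed matcher reports 0. A unit test for a hostname verifier should include exactly this shape of input (a certificate name that is a proper prefix of the hostname) alongside the exact and wildcard cases, since an end anchor is easy to drop when a pattern is assembled from a quoted string.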

Comment 10 Sergey Popov gentoo-dev 2013-10-11 14:15:37 UTC
GLSA 201101-06 addresses this issue, closing as fixed