CVE-2011-0633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0633): The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
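The defensive counterpart to the description above, as an added example that is not part of the bug report or of libwww-perl itself: rather than trusting the version-dependent default, the client asks LWP::UserAgent to verify the certificate chain and hostname explicitly and refuses to run on a pre-6.00 release. The CA bundle path and the URL are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the bug or from libwww-perl): make certificate and
# hostname verification explicit instead of relying on the LWP default that
# CVE-2011-0633 describes as off before 6.00.
use strict;
use warnings;
use LWP;            # provides $LWP::VERSION
use LWP::UserAgent; # HTTPS support itself comes from LWP::Protocol::https

# Assumption: a Debian/Gentoo-style system CA bundle at this path; adjust for
# your system, or use Mozilla::CA->SSL_ca_file if that module is installed.
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';

# LWP 6.00+ verifies hostnames by default; older releases do not. Fail loudly
# rather than silently running with a client that accepts any certificate.
die "libwww-perl $LWP::VERSION predates 6.00 and does not verify server "
  . "certificates by default; upgrade before making HTTPS requests\n"
  if $LWP::VERSION < 6;

# ssl_opts is passed through to IO::Socket::SSL. Setting verify_hostname
# explicitly also overrides PERL_LWP_SSL_VERIFY_HOSTNAME=0 in the environment,
# which would otherwise re-enable the non-verifying behaviour.
my $ua = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 1,         # certificate must match the requested host
        SSL_ca_file     => $ca_file,  # trust anchors for chain validation
    },
    timeout => 15,
);

my $url = shift @ARGV || 'https://example.com/';   # assumed test URL
my $res = $ua->get($url);

if ($res->is_success) {
    print "OK: verified TLS connection to $url\n";
} else {
    # A chain or hostname mismatch surfaces here as an internal error whose
    # status line contains "certificate verify failed"; treat it as fatal.
    print "FAILED: ", $res->status_line, "\n";
    exit 1;
}
```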
Please stabilize =dev-perl/libwww-perl-6.30.0 =dev-perl/HTTP-Negotiate-6.0.0 =dev-perl/LWP-Protocol-https-6.20.0 =dev-perl/HTTP-Date-6.0.0 =dev-perl/File-Listing-6.30.0 =dev-perl/WWW-RobotRules-6.10.0 =dev-perl/Net-HTTP-6.10.0 =dev-perl/LWP-MediaTypes-6.10.0 =dev-perl/Encode-Locale-1.20.0 =dev-perl/HTTP-Message-6.20.0 =dev-perl/HTTP-Cookies-6.0.0 =dev-perl/HTTP-Daemon-6.0.0 =dev-perl/IO-Socket-SSL-1.440.0 =dev-perl/HTML-Form-6.0.0
all fine on amd64.
Builds fine on x86. Please mark stable for x86.
ppc done
x86 done, thanks Myckel!
amd64: all ok
arm stable
Stable for HPPA.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> HTTP-Date-6.0.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> Encode-Locale-1.20.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> LWP-MediaTypes-6.10.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> HTTP-Message-6.20.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> HTTP-Negotiate-6.0.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> File-Listing-6.30.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> HTTP-Cookies-6.0.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> HTTP-Daemon-6.0.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> WWW-RobotRules-6.10.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> Net-HTTP-6.10.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> IO-Socket-SSL-1.440.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org>
+ LWP-Protocol-https-6.20.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.
+ 08 Nov 2011; Tony Vroon <chainsaw@gentoo.org> libwww-perl-6.30.0.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #386309.

Consideration of dependency order would be appreciated in future bugs, particularly with stabilisation lists of this length.
alpha/ia64/m68k/s390/sh/sparc stable
ppc64 done
Thanks, folks. GLSA Vote: yes.
Vote: Yes. GLSA request filed.
This issue was resolved and addressed in GLSA 201402-04 at http://security.gentoo.org/glsa/glsa-201402-04.xml by GLSA coordinator Mikle Kolyada (Zlogene).