[Secure-testing-team] Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
Dominic Hargreaves
dom at earth.li
Mon Jul 6 09:36:15 UTC 2009
Package: libio-socket-ssl-perl
Version: 1.24-1
Severity: grave
Tags: security
Justification: user security hole
1.26 (just uploaded to unstable) fixes what looks like a fairly serious
security issue:

  v1.26 2009.07.03
    - SECURITY BUGFIX!
      fix Bug in verify_hostname_of_cert where it matched only the prefix for
      the hostname when no wildcard was given, e.g. www.example.org matched
      against a certificate with name www.exam in it
      Thanks to MLEHMANN for reporting

From inspecting the source this appears to apply to at least 1.24-1
(testing) and 1.16-1 (stable).
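
Added example, not part of the original message and not IO::Socket::SSL's code: a Python model of the behaviour the changelog entry describes, with a matcher that anchors only the start of a non-wildcard name beside one that compares the whole hostname. The function names, the one-label wildcard policy and the test cases are assumptions constructed for illustration; only www.example.org / www.exam comes from the changelog.

```python
import re

def _wildcard_regex(cert_name):
    # Assumed policy: '*' as the entire leftmost label matches exactly one label.
    _, _, rest = cert_name.partition(".")
    return r"[^.]+\." + re.escape(rest)

def match_flawed(hostname, cert_name):
    """Model of the reported behaviour: without a wildcard, only the start is anchored."""
    host, name = hostname.lower(), cert_name.lower()
    if name.startswith("*."):
        return re.fullmatch(_wildcard_regex(name), host) is not None
    # re.match anchors at position 0 only, so any name that is a prefix of host passes.
    return re.match(re.escape(name), host) is not None

def match_fixed(hostname, cert_name):
    """Corrected comparison: a non-wildcard name must equal the whole hostname."""
    host, name = hostname.lower(), cert_name.lower()
    if name.startswith("*."):
        return re.fullmatch(_wildcard_regex(name), host) is not None
    return host == name

# Constructed cases: (hostname being verified, name in certificate, expected result)
CASES = [
    ("www.example.org", "www.example.org", True),
    ("www.example.org", "www.exam", False),       # the case from the changelog
    ("www.example.org", "*.example.org", True),
    ("www.example.org", "*.example", False),
    ("a.b.example.org", "*.example.org", False),
    ("WWW.Example.ORG", "www.example.org", True),
]

def misjudged(matcher):
    """Return the (hostname, cert_name) pairs on which matcher disagrees with CASES."""
    return [(h, n) for h, n, expected in CASES if matcher(h, n) != expected]

if __name__ == "__main__":
    for matcher in (match_flawed, match_fixed):
        print(matcher.__name__, "misjudged:", misjudged(matcher))
```

The same table of cases can serve as a regression check when deciding whether a packaged version still needs the 1.26 fix backported.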