Re: Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
- To: 535946@bugs.debian.org
- Cc: debian-release@lists.debian.org
- Subject: Re: Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
- From: Dominic Hargreaves <dom@earth.li>
- Date: Fri, 7 Aug 2009 11:30:35 +0100
- Message-id: <20090807103035.GU24618@urchin.earth.li>
- In-reply-to: <20090729211309.GB4340@urchin.earth.li>
- References: <20090706093615.14016.84096.reportbug@gunboat-diplomat.oucs.ox.ac.uk> <20090706214852.GG10621@urchin.earth.li> <8763de7adk.fsf@marvin.43-1.org> <20090729211309.GB4340@urchin.earth.li>
On Wed, Jul 29, 2009 at 10:13:09PM +0100, Dominic Hargreaves wrote:
> On Mon, Jul 27, 2009 at 11:17:43AM +0200, Ansgar Burchardt wrote:
> > Hi,
> >
> > Dominic Hargreaves <dom@earth.li> writes:
> >
> > > On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> > >
> > >> 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> > >> security issue:
> > >>
> > >> v1.26 2009.07.03
> > >> - SECURITY BUGFIX!
> > >> fix Bug in verify_hostname_of_cert where it matched only the prefix for
> > >> the hostname when no wildcard was given, e.g. www.example.org matched
> > >> against a certificate with name www.exam in it
> > >> Thanks to MLEHMANN for reporting
> > >>
> > >> From inspecting the source this appears to apply to at least 1.24-1
> > >> (testing) and 1.16-1 (stable).
> > >
> > > Hi security team.
> > >
> > > I'd be grateful if you could review this and let us know whether you
> > > believe a security update is necessary. A package with the fix backported
> > > has been prepared in
> > >
> > > http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
> > >
> > > although it has not yet been fully tested.
> >
> > Any news about this?
>
> I've heard nothing from the security team.
Therefore may I upload to stable?
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
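
The changelog entry quoted in this message describes a hostname check that matched only the prefix of the hostname. As an added illustration (not code from IO::Socket::SSL or from anyone in this thread), the Perl sketch below contrasts a comparison anchored only at the start with one anchored at both ends. The function names, the single-label wildcard rule and the sample names are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Flawed check (hypothetical reconstruction of the class of bug): the
# certificate name is anchored only at the start of the hostname, so any
# certificate name that is a prefix of the hostname is accepted.
sub match_prefix_only {
    my ($hostname, $cert_name) = @_;
    return $hostname =~ /^\Q$cert_name\E/i ? 1 : 0;
}

# Corrected check: the pattern is anchored at both ends. A leading "*."
# is treated as exactly one DNS label (a simplifying assumption; real
# verification schemes differ in their wildcard rules).
sub match_anchored {
    my ($hostname, $cert_name) = @_;
    my $pattern;
    if ($cert_name =~ /^\*\.(.+)\z/) {
        $pattern = '[^.]+\.' . quotemeta($1);
    } else {
        $pattern = quotemeta($cert_name);
    }
    return $hostname =~ /^$pattern\z/i ? 1 : 0;
}

# Constructed sample pairs: [hostname being verified, name in certificate].
my @cases = (
    ['www.example.org',         'www.exam'],         # case from the changelog
    ['www.example.org',         'www.example.org'],  # exact match
    ['WWW.Example.ORG',         'www.example.org'],  # DNS names are case-insensitive
    ['www.example.org',         '*.example.org'],    # one-label wildcard
    ['a.b.example.org',         '*.example.org'],    # wildcard must not span labels
    ['www.example.org.invalid', 'www.example.org'],  # longer hostname, same prefix
);

printf "%-26s %-18s %-12s %s\n", 'hostname', 'cert name', 'prefix-only', 'anchored';
for my $case (@cases) {
    my ($host, $name) = @$case;
    printf "%-26s %-18s %-12s %s\n",
        $host, $name,
        (match_prefix_only($host, $name) ? 'accept' : 'reject'),
        (match_anchored($host, $name)    ? 'accept' : 'reject');
}
```

A table of pairs like this works as a regression test when checking whether a backported fix is present in a packaged version.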