-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2010-19054 2010-12-18 22:36:27 --------------------------------------------------------------------------------
Name : perl-IO-Socket-SSL Product : Fedora 13 Version : 1.37 Release : 1.fc13 URL : http://search.cpan.org/dist/IO-Socket-SSL/ Summary : Perl library for transparent SSL Description : This module is a true drop-in replacement for IO::Socket::INET that uses SSL to encrypt data before it is transferred to a remote server or client. IO::Socket::SSL supports all the extra features that one needs to write a full-featured SSL client or server application: multiple SSL contexts, cipher selection, certificate verification, and SSL version selection. As an extra bonus, it works perfectly with mod_perl. -------------------------------------------------------------------------------- Update Information: This update fixes a problem whereby IO::Socket::SSL fell back to the "VERIFY_NONE" verification mode if another verification mode was defined but no valid ca_file or ca_path was provided. The updated version throws an error in that situation rather than proceeding with the connection despite being unable to verify the certificate(s) as requested. This issue was originally reported at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058 -------------------------------------------------------------------------------- ChangeLog: * Fri Dec 10 2010 Paul Howarth <[email protected]> - 1.37-1 - Update to 1.37 - don't complain about invalid certificate locations if user explicitly set SSL_ca_path and SSL_ca_file to undef: assume that user knows what they are doing and will work around the problems themselves (CPAN RT#63741) * Thu Dec 9 2010 Paul Howarth <[email protected]> - 1.36-1 - Update to 1.36 - update documentation for SSL_verify_callback based on CPAN RT#63743 and CPAN RT#63740 * Mon Dec 6 2010 Paul Howarth <[email protected]> - 1.35-1 - Update to 1.35 (addresses CVE-2010-4334) - if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid, it will no longer fall back to VERIFY_NONE but throw an error (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058) * Tue Nov 2 2010 Paul Howarth <[email protected]> - 1.34-1 - Update to 1.34 - schema http for certificate verification changed to wildcards_in_cn=1 - if upgrading socket from inet to ssl fails due to handshake problems, the socket gets downgraded back again but is still open (CPAN RT#61466) - deprecate kill_socket: just use close() * Sun May 2 2010 Marcela Maslanova <[email protected]> - 1.33-2 - Mass rebuild with perl-5.12.0 -------------------------------------------------------------------------------- References: [ 1 ] Bug #660847 - CVE-2010-4334 perl-IO-Socket-SSL: ignores user request for peer verification https://bugzilla.redhat.com/show_bug.cgi?id=660847 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update perl-IO-Socket-SSL' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/package-announce
