Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
On Wed, Jul 29, 2009 at 10:13:09PM +0100, Dominic Hargreaves wrote:
> On Mon, Jul 27, 2009 at 11:17:43AM +0200, Ansgar Burchardt wrote:
> > Hi,
> >
> > Dominic Hargreaves d...@earth.li writes:
> > > On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> > > > 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> > > > security issue:
> > > >
> > > > v1.26 2009.07.03
> > > > - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched
> > > >   only the prefix for the hostname when no wildcard was given, e.g.
> > > >   www.example.org matched against a certificate with name www.exam in it
> > > >   Thanks to MLEHMANN for reporting
> > > >
> > > > From inspecting the source this appears to apply to at least 1.24-1
> > > > (testing) and 1.16-1 (stable).
> > >
> > > Hi security team. I'd be grateful if you could review this and let us
> > > know whether you believe a security update is necessary. A package with
> > > the fix backported has been prepared in
> > > http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
> > > although it has not yet been fully tested.
> >
> > Any news about this?
>
> I've heard nothing from the security team.

Therefore may I upload to stable?

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
On Fri, 2009-08-07 at 11:30 +0100, Dominic Hargreaves wrote:
> On Wed, Jul 29, 2009 at 10:13:09PM +0100, Dominic Hargreaves wrote:
> [...]
> > > > On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> > > > [...]
> > > > > v1.26 2009.07.03
> > > > > - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched
> > > > >   only the prefix for the hostname when no wildcard was given, e.g.
> > > > >   www.example.org matched against a certificate with name www.exam in it
> > > > >   Thanks to MLEHMANN for reporting
> > > > >
> > > > > From inspecting the source this appears to apply to at least 1.24-1
> > > > > (testing) and 1.16-1 (stable).
> [...]
> > I've heard nothing from the security team.
>
> Therefore may I upload to stable?

Please go ahead.

Regards,

Adam
Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
On Mon, Jul 27, 2009 at 11:17:43AM +0200, Ansgar Burchardt wrote:
> Hi,
>
> Dominic Hargreaves d...@earth.li writes:
> > On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> > > 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> > > security issue:
> > >
> > > v1.26 2009.07.03
> > > - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched
> > >   only the prefix for the hostname when no wildcard was given, e.g.
> > >   www.example.org matched against a certificate with name www.exam in it
> > >   Thanks to MLEHMANN for reporting
> > >
> > > From inspecting the source this appears to apply to at least 1.24-1
> > > (testing) and 1.16-1 (stable).
> >
> > Hi security team. I'd be grateful if you could review this and let us
> > know whether you believe a security update is necessary. A package with
> > the fix backported has been prepared in
> > http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
> > although it has not yet been fully tested.
>
> Any news about this?

I've heard nothing from the security team.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
Hi,

Dominic Hargreaves d...@earth.li writes:
> On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> > 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> > security issue:
> >
> > v1.26 2009.07.03
> > - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched
> >   only the prefix for the hostname when no wildcard was given, e.g.
> >   www.example.org matched against a certificate with name www.exam in it
> >   Thanks to MLEHMANN for reporting
> >
> > From inspecting the source this appears to apply to at least 1.24-1
> > (testing) and 1.16-1 (stable).
>
> Hi security team. I'd be grateful if you could review this and let us
> know whether you believe a security update is necessary. A package with
> the fix backported has been prepared in
> http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
> although it has not yet been fully tested.

Any news about this?

Regards,
Ansgar
Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
Package: libio-socket-ssl-perl
Version: 1.24-1
Severity: grave
Tags: security
Justification: user security hole

1.26 (just uploaded to unstable) fixes what looks like a fairly serious
security issue:

v1.26 2009.07.03
- SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched
  only the prefix for the hostname when no wildcard was given, e.g.
  www.example.org matched against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting

From inspecting the source this appears to apply to at least 1.24-1
(testing) and 1.16-1 (stable).
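As an added illustration of the bug this report describes (example code written for this page, not IO::Socket::SSL's own verify_hostname_of_cert), the function below rebuilds the no-wildcard and leftmost-wildcard name patterns in a stand-alone form, with a fixed flag that selects between the pre-1.26 prefix pattern and the anchored 1.26 pattern. The function name cert_name_matches, the wildcard option and the test vectors are constructed for the example; it goes slightly beyond the changelog entry by also running the wildcard branch, which was already anchored.

```perl
#!/usr/bin/perl
# Added example, not IO::Socket::SSL code: compares the pre-1.26
# prefix-only certificate name match with the anchored 1.26 match.
use strict;
use warnings;

# cert_name_matches (hypothetical name) builds the same kind of pattern
# the module does.  $opt{wildcard} eq 'leftmost' permits a leading '*.'
# label; $opt{fixed} chooses the 1.26 pattern (1) or the old one (0).
sub cert_name_matches {
    my ( $identity, $name, %opt ) = @_;
    my $wtyp  = $opt{wildcard} || 'none';
    my $fixed = exists $opt{fixed} ? $opt{fixed} : 1;

    my $pattern;
    if ( $wtyp eq 'leftmost' and $name =~ m{^\*(\..+)$} ) {
        # '*.example.org' matches exactly one extra leftmost label
        $pattern = qr{^[\w\-]*\Q$1\E$}i;
    }
    elsif ($fixed) {
        # 1.26: quote the whole name and anchor both ends
        $pattern = qr{^\Q$name\E$}i;
    }
    else {
        # pre-1.26: \E and $ missing, so only the prefix is compared
        $pattern = qr{^\Q$name}i;
    }
    return $identity =~ $pattern ? 1 : 0;
}

# Constructed vectors: identity, certificate name, wildcard policy,
# expected result with the fix applied.
my @cases = (
    [ 'www.example.org',  'www.example.org',           'none',     1 ],
    [ 'WWW.EXAMPLE.ORG',  'www.example.org',           'none',     1 ],
    [ 'www.example.org',  'www.exam',                  'none',     0 ], # the reported bug
    [ 'smtp.mydomain.localizing.useless.local', 'smtp.mydomain.local', 'none', 0 ],
    [ 'www.example.org',  'www.example.org.evil.test', 'none',     0 ],
    [ 'smtp.example.org', '*.example.org',             'leftmost', 1 ],
    [ 'a.b.example.org',  '*.example.org',             'leftmost', 0 ],
    [ 'smtp.example.org', '*.example.org',             'none',     0 ],
);

my $failures = 0;
for my $c (@cases) {
    my ( $identity, $name, $wtyp, $want ) = @$c;
    my $got_fixed = cert_name_matches( $identity, $name, wildcard => $wtyp, fixed => 1 );
    my $got_old   = cert_name_matches( $identity, $name, wildcard => $wtyp, fixed => 0 );
    printf "%-42s vs %-28s fixed=%d pre-1.26=%d%s\n",
        $identity, $name, $got_fixed, $got_old,
        ( $got_fixed != $got_old ? '  <-- differs' : '' );
    $failures++ if $got_fixed != $want;
}
die "$failures unexpected result(s) in fixed mode\n" if $failures;
print "all fixed-mode results as expected\n";
```

Running it prints one line per vector; the two vectors where the pre-1.26 and 1.26 results differ are exactly the prefix cases (www.example.org against www.exam, and the longer smtp.mydomain.localizing.useless.local name that the backported test adds), which is the behaviour a regression test for this bug needs to pin down.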
Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
tag 535946 + patch
thanks

Hi

On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> Package: libio-socket-ssl-perl
> Version: 1.24-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> security issue:
>
> v1.26 2009.07.03
> - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched
>   only the prefix for the hostname when no wildcard was given, e.g.
>   www.example.org matched against a certificate with name www.exam in it
>   Thanks to MLEHMANN for reporting

I backported the changes from 1.25 to 1.26 from unstable to the 1.16 in Lenny:

---(snip)---
diff -urN libio-socket-ssl-perl-1.16.orig/SSL.pm libio-socket-ssl-perl-1.16/SSL.pm --- libio-socket-ssl-perl-1.16.orig/SSL.pm 2009-07-06 21:10:48.0 +0200 +++ libio-socket-ssl-perl-1.16/SSL.pm 2009-07-06 21:12:56.0 +0200 @@ -1036,7 +1036,7 @@ $ip4 = inet_aton( $identity ) or croak '$identity' is not IPv4, but neither IPv6 nor hostname; } else { # assume hostname - if ( $identity !~m{^[a-zA-Z0-9-_\.]+$} ) { + if ( $identity !~m{^[\w\-\.]+$} ) { $identity = idn_to_ascii($identity) or croak Warning: Given name '$identity' could not be converted to IDNA!; } @@ -1058,7 +1058,7 @@ } elsif ( $wtyp eq 'leftmost' and $name =~m{^\*(\..+)$} ) { $pattern = qr{^[\w\-]*\Q$1\E$}i; } else { - $pattern = qr{^\Q$name}i; + $pattern = qr{^\Q$name\E$}i; } return $identity =~ $pattern; }; diff -urN libio-socket-ssl-perl-1.16.orig/t/verify_hostname.t libio-socket-ssl-perl-1.16/t/verify_hostname.t --- libio-socket-ssl-perl-1.16.orig/t/verify_hostname.t 2009-07-06 21:10:48.0 +0200 +++ libio-socket-ssl-perl-1.16/t/verify_hostname.t 2009-07-06 21:11:09.0 +0200 @@ -88,6 +88,7 @@ 'www-13.lala.other.local' = [], 'smtp.mydomain.local' = [qw(smtp ldap www)], 'xn--lwe-sna.idntest.local' = [qw(smtp ldap www)], + 'smtp.mydomain.localizing.useless.local' = [], ); if ( $can_idn ) { # check IDN handling
---(snap)---

These are the changes done by 1.25 to 1.26.

Kind regards
Salvatore
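Review bot: the character-class change in the @@ -1036 hunk of SSL.pm, from `[a-zA-Z0-9-_\.]` to `[\w\-\.]`, is not covered by the changelog entry being backported and is broader than the old class: in Perl `\w` also matches non-ASCII letters when `$identity` is a decoded Unicode string, so a name written with such a letter would now pass this check and no longer go through `idn_to_ascii`. Worth confirming that this is intended and that the `if ( $can_idn )` tests further down still pass with a non-ASCII identity, and worth a line in the Debian changelog so the stable update records both behaviour changes rather than only the prefix fix.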
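Review bot: in the @@ -1058 hunk of SSL.pm, `$` in the new `qr{^\Q$name\E$}i` still matches before a trailing newline, so an identity ending in "\n" would match a certificate name without it; `\z` anchors at the real end of the string (`qr{^\Q$name\E\z}i`), and the `leftmost` wildcard pattern in the unchanged context line has the same `$`. The earlier `^[\w\-\.]+$` check shares that `$` behaviour, so it does not close the gap. Otherwise the change is right: the missing `\E` and `$` in the old `qr{^\Q$name}i` are exactly why www.example.org matched a certificate for www.exam.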
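Review bot: the new case in the t/verify_hostname.t hunk, smtp.mydomain.localizing.useless.local expected to match no certificate, is the right regression test for this bug: the existing smtp.mydomain.local entry matches the smtp, ldap and www certificates, and with the old prefix pattern the longer name would have matched them as well, so this line fails before the SSL.pm change and passes after it. The character-class change in the first SSL.pm hunk has no test in this patch; the `if ( $can_idn )` block that follows the hunk is the natural place for an identity written with a non-ASCII letter so the IDNA conversion path is exercised too.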
Processed: Re: Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
Processing commands for cont...@bugs.debian.org:

> tag 535946 + patch
Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
Tags were: security
Tags added: patch

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
On Mon, Jul 06, 2009 at 09:20:59PM +0200, Salvatore Bonaccorso wrote:
> I backported the changes from 1.25 to 1.26 from unstable to the 1.16 in Lenny:

Thanks, I'm preparing an update in the pkg-perl svn repository.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> security issue:
>
> v1.26 2009.07.03
> - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched
>   only the prefix for the hostname when no wildcard was given, e.g.
>   www.example.org matched against a certificate with name www.exam in it
>   Thanks to MLEHMANN for reporting
>
> From inspecting the source this appears to apply to at least 1.24-1
> (testing) and 1.16-1 (stable).

Hi security team. I'd be grateful if you could review this and let us
know whether you believe a security update is necessary. A package with
the fix backported has been prepared in
http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
although it has not yet been fully tested.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)