Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

2009-08-07 Thread Dominic Hargreaves
On Wed, Jul 29, 2009 at 10:13:09PM +0100, Dominic Hargreaves wrote:
 On Mon, Jul 27, 2009 at 11:17:43AM +0200, Ansgar Burchardt wrote:
  Hi,
  
  Dominic Hargreaves d...@earth.li writes:
  
   On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
  
   1.26 (just uploaded to unstable) fixes what looks like a fairly serious
   security issue:
   
   v1.26 2009.07.03
   - SECURITY BUGFIX! 
     fix Bug in verify_hostname_of_cert where it matched only the prefix for 
     the hostname when no wildcard was given, e.g. www.example.org matched
     against a certificate with name www.exam in it
     Thanks to MLEHMANN for reporting
   
   From inspecting the source this appears to apply to at least 1.24-1
   (testing) and 1.16-1 (stable).
  
   Hi security team.
  
   I'd be grateful if you could review this and let us know whether you
   believe a security update is necessary. A package with the fix backported
   has been prepared in
  
   http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
  
   although it has not yet been fully tested.
  
  Any news about this?
 
 I've heard nothing from the security team.

Therefore may I upload to stable?

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

2009-08-07 Thread Adam D. Barratt
On Fri, 2009-08-07 at 11:30 +0100, Dominic Hargreaves wrote:
 On Wed, Jul 29, 2009 at 10:13:09PM +0100, Dominic Hargreaves wrote:
[...]
On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
[...]
v1.26 2009.07.03
- SECURITY BUGFIX! 
  fix Bug in verify_hostname_of_cert where it matched only the prefix for 
  the hostname when no wildcard was given, e.g. www.example.org matched
  against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting

From inspecting the source this appears to apply to at least 1.24-1
(testing) and 1.16-1 (stable).
[...]
  I've heard nothing from the security team.
 
 Therefore may I upload to stable?

Please go ahead.

Regards,

Adam






Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

2009-07-29 Thread Dominic Hargreaves
On Mon, Jul 27, 2009 at 11:17:43AM +0200, Ansgar Burchardt wrote:
 Hi,
 
 Dominic Hargreaves d...@earth.li writes:
 
  On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
 
  1.26 (just uploaded to unstable) fixes what looks like a fairly serious
  security issue:
  
  v1.26 2009.07.03
  - SECURITY BUGFIX! 
fix Bug in verify_hostname_of_cert where it matched only the prefix for 
the hostname when no wildcard was given, e.g. www.example.org matched
against a certificate with name www.exam in it
Thanks to MLEHMANN for reporting
  
  From inspecting the source this appears to apply to at least 1.24-1
  (testing) and 1.16-1 (stable).
 
  Hi security team.
 
  I'd be grateful if you could review this and let us know whether you
  believe a security update is necessary. A package with the fix backported
  has been prepared in
 
  http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
 
  although it has not yet been fully tested.
 
 Any news about this?

I've heard nothing from the security team.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)






Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

2009-07-27 Thread Ansgar Burchardt
Hi,

Dominic Hargreaves d...@earth.li writes:

 On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:

 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
 security issue:
 
 v1.26 2009.07.03
 - SECURITY BUGFIX! 
   fix Bug in verify_hostname_of_cert where it matched only the prefix for 
   the hostname when no wildcard was given, e.g. www.example.org matched
   against a certificate with name www.exam in it
   Thanks to MLEHMANN for reporting
 
 From inspecting the source this appears to apply to at least 1.24-1
 (testing) and 1.16-1 (stable).

 Hi security team.

 I'd be grateful if you could review this and let us know whether you
 believe a security update is necessary. A package with the fix backported
 has been prepared in

 http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/

 although it has not yet been fully tested.

Any news about this?

Regards,
Ansgar






Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

2009-07-06 Thread Dominic Hargreaves
Package: libio-socket-ssl-perl
Version: 1.24-1
Severity: grave
Tags: security
Justification: user security hole

1.26 (just uploaded to unstable) fixes what looks like a fairly serious
security issue:

v1.26 2009.07.03
- SECURITY BUGFIX! 
  fix Bug in verify_hostname_of_cert where it matched only the prefix for 
  the hostname when no wildcard was given, e.g. www.example.org matched
  against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting

From inspecting the source this appears to apply to at least 1.24-1
(testing) and 1.16-1 (stable).






Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

2009-07-06 Thread Salvatore Bonaccorso
tag 535946 + patch
thanks

Hi

On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
 Package: libio-socket-ssl-perl
 Version: 1.24-1
 Severity: grave
 Tags: security
 Justification: user security hole
 
 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
 security issue:
 
 v1.26 2009.07.03
 - SECURITY BUGFIX! 
   fix Bug in verify_hostname_of_cert where it matched only the prefix for 
   the hostname when no wildcard was given, e.g. www.example.org matched
   against a certificate with name www.exam in it
   Thanks to MLEHMANN for reporting

I backported the changes from 1.25 to 1.26 from unstable to the 1.16
in Lenny:

---(snip)---
diff -urN libio-socket-ssl-perl-1.16.orig/SSL.pm 
libio-socket-ssl-perl-1.16/SSL.pm
--- libio-socket-ssl-perl-1.16.orig/SSL.pm  2009-07-06 21:10:48.0 
+0200
+++ libio-socket-ssl-perl-1.16/SSL.pm   2009-07-06 21:12:56.0 +0200
@@ -1036,7 +1036,7 @@
$ip4 = inet_aton( $identity ) or croak '$identity' is 
not IPv4, but neither IPv6 nor hostname;
} else {
# assume hostname
-   if ( $identity !~m{^[a-zA-Z0-9-_\.]+$} ) {
+   if ( $identity !~m{^[\w\-\.]+$} ) {
$identity = idn_to_ascii($identity) or
croak Warning: Given name '$identity' 
could not be converted to IDNA!;
}
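Review bot: the widened identity check on the `+` line, `m{^[\w\-\.]+$}`, is not a pure cleanup of `[a-zA-Z0-9-_\.]`: under Perl's character-string semantics `\w` also matches non-ASCII letters, so an identity that arrives as a decoded Unicode string (for instance one containing an accented letter) now satisfies the regex and skips the `idn_to_ascii($identity)` conversion on the following lines, whereas the old ASCII-only class would have sent it through IDNA. If the intent was only readability, `[A-Za-z0-9_\-.]` preserves the previous behaviour; if the wider class is intended, a comment saying that non-ASCII names are expected to be pre-converted would help whoever next touches this branch.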
@@ -1058,7 +1058,7 @@
} elsif ( $wtyp eq 'leftmost' and $name =~m{^\*(\..+)$} 
) {
$pattern = qr{^[\w\-]*\Q$1\E$}i;
} else {
-   $pattern = qr{^\Q$name}i;
+   $pattern = qr{^\Q$name\E$}i;
}
return $identity =~ $pattern;
};
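Review bot: the `+` line is the actual security fix and looks correct: `qr{^\Q$name}i` quoted the certificate name but never closed the quote with `\E` nor anchored the end, so any identity that merely started with `$name` matched (the `www.exam` versus `www.example.org` case from the changelog); `qr{^\Q$name\E$}i` now requires the whole identity to equal the name, case-insensitively via `/i`, which is appropriate for DNS names. Both visible branches are now anchored the same way, since the `leftmost` wildcard pattern two lines above already ends in `\E$`; the backport should confirm that any further pattern branch above this hunk in the 1.16 source is anchored as well.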
diff -urN libio-socket-ssl-perl-1.16.orig/t/verify_hostname.t 
libio-socket-ssl-perl-1.16/t/verify_hostname.t
--- libio-socket-ssl-perl-1.16.orig/t/verify_hostname.t 2009-07-06 
21:10:48.0 +0200
+++ libio-socket-ssl-perl-1.16/t/verify_hostname.t  2009-07-06 
21:11:09.0 +0200
@@ -88,6 +88,7 @@
'www-13.lala.other.local' = [],
'smtp.mydomain.local' = [qw(smtp ldap www)],
'xn--lwe-sna.idntest.local' = [qw(smtp ldap www)],
+   'smtp.mydomain.localizing.useless.local' = [],
);
if ( $can_idn ) {
# check IDN handling
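Review bot: the added entry `'smtp.mydomain.localizing.useless.local' = []` is the regression test for the fix, but its purpose is only recoverable from the changelog: it is a hostname that the `smtp.mydomain.local` entry two lines above would previously have matched as a prefix, and the empty list states that no certificate may verify it. A one-line comment naming that relationship (e.g. "must not match smtp.mydomain.local by prefix") would make the test self-explaining. Separately, every entry in this hunk shows `= [` where a Perl hash needs the `=>` fat comma; this looks like mail rendering rather than the patch itself, but it is worth checking that the applied file really contains `=>`.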
---(snap)---

These are the changes made from 1.25 to 1.26.

Kind regards
Salvatore
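The following is an added example, not code from IO::Socket::SSL or from the Debian package: it places the pre-1.26 pattern from the changelog side by side with the anchored pattern from the backported patch so the prefix-match failure can be seen on concrete names. `matches_vulnerable` and `matches_fixed` are hypothetical stand-ins for the plain-name branch of `verify_hostname_of_cert`; wildcard handling, IDNA conversion and the rest of the function are omitted, and the hostnames are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not part of IO::Socket::SSL): contrasts the pre-1.26
# prefix-only pattern with the anchored pattern from the 1.26 fix.
use strict;
use warnings;

# Hypothetical stand-in for the plain-name branch of verify_hostname_of_cert.
# $name is the name taken from the certificate, $identity the hostname the
# client expects to talk to.
sub matches_vulnerable {
    my ($name, $identity) = @_;
    # \Q quotes $name but is never closed with \E and there is no $ anchor,
    # so any identity that merely begins with $name matches.
    my $pattern = qr{^\Q$name}i;
    return $identity =~ $pattern ? 1 : 0;
}

sub matches_fixed {
    my ($name, $identity) = @_;
    # Quoted name anchored at both ends: the identity must equal the name
    # (case-insensitively, which is appropriate for DNS names).
    my $pattern = qr{^\Q$name\E$}i;
    return $identity =~ $pattern ? 1 : 0;
}

# Constructed cases: [certificate name, expected hostname, correct verdict]
my @cases = (
    ['www.example.org', 'www.example.org',       1],
    ['www.exam',        'www.example.org',       0],  # the reported bug
    ['example.org',     'example.org.local',     0],  # same prefix failure
    ['WWW.EXAMPLE.ORG', 'www.example.org',       1],  # /i makes this match
    ['www.example.org', 'www.example.org.local', 0],
);

for my $c (@cases) {
    my ($name, $identity, $want) = @$c;
    printf "%-16s vs %-22s vulnerable=%d fixed=%d correct=%d\n",
        $name, $identity,
        matches_vulnerable($name, $identity),
        matches_fixed($name, $identity),
        $want;
}
```

Running it shows the `vulnerable` column accepting every prefix case while the `fixed` column agrees with the `correct` column throughout; the only difference between the two patterns is the `\E$` ending added by the patch.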




Processed: Re: Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

2009-07-06 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tag 535946 + patch
Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability 
fixed in 1.26
Tags were: security
Tags added: patch

 thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

2009-07-06 Thread Dominic Hargreaves
On Mon, Jul 06, 2009 at 09:20:59PM +0200, Salvatore Bonaccorso wrote:

 I backported the changes from 1.25 to 1.26 from unstable to the 1.16
 in Lenny:

Thanks, I'm preparing an update in the pkg-perl svn repository.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)






Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26

2009-07-06 Thread Dominic Hargreaves
On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:

 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
 security issue:
 
 v1.26 2009.07.03
 - SECURITY BUGFIX! 
   fix Bug in verify_hostname_of_cert where it matched only the prefix for 
   the hostname when no wildcard was given, e.g. www.example.org matched
   against a certificate with name www.exam in it
   Thanks to MLEHMANN for reporting
 
 From inspecting the source this appears to apply to at least 1.24-1
 (testing) and 1.16-1 (stable).

Hi security team.

I'd be grateful if you could review this and let us know whether you
believe a security update is necessary. A package with the fix backported
has been prepared in

http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/

although it has not yet been fully tested.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


