Gentoo Archives: gentoo-announce

From: Stefan Behte <craig@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201101-06 ] IO::Socket::SSL: Certificate validation error
Date: Sun, 16 Jan 2011 12:49:53
Message-Id: 4D32D264.3070803@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201101-06
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: IO::Socket::SSL: Certificate validation error
9 Date: January 16, 2011
10 Bugs: #276360
11 ID: 201101-06
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 An error in the hostname matching of IO::Socket::SSL might enable
19 remote attackers to conduct man-in-the-middle attacks.
20
21 Background
22 ==========
23
24 IO::Socket::SSL is a Perl class implementing an object oriented
25 interface to SSL sockets.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 dev-perl/IO-Socket-SSL < 1.26 >= 1.26
34
35 Description
36 ===========
37
38 The vendor reported that IO::Socket::SSL does not properly handle
39 Common Name (CN) fields.
40
41 Impact
42 ======
43
44 A remote attacker might employ a specially crafted certificate to
45 conduct man-in-the-middle attacks on SSL connections made using
46 IO::Socket::SSL.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All IO::Socket::SSL users should upgrade to the latest version:
57
58 # emerge --sync
59 # emerge --ask --oneshot --verbose ">=dev-perl/IO-Socket-SSL-1.26"
60
61 References
62 ==========
63
64 [ 1 ] CVE-2009-3024
65 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3024
66
67 Availability
68 ============
69
70 This GLSA and any updates to it are available for viewing at
71 the Gentoo Security Website:
72
73 http://security.gentoo.org/glsa/glsa-201101-06.xml
74
75 Concerns?
76 =========
77
78 Security is a primary focus of Gentoo Linux and ensuring the
79 confidentiality and security of our users machines is of utmost
80 importance to us. Any security concerns should be addressed to
81 security@g.o or alternatively, you may file a bug at
82 https://bugs.gentoo.org.
83
84 License
85 =======
86
87 Copyright 2011 Gentoo Foundation, Inc; referenced text
88 belongs to its owner(s).
89
90 The contents of this document are licensed under the
91 Creative Commons - Attribution / Share Alike license.
92
93 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature