https://bugzilla.redhat.com/show_bug.cgi?id=1094440
Bug ID: 1094440
Summary: perl-libwww-perl: incorrect handling of SSL certificate verification
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: vdanen@redhat.com
CC: jkurik@redhat.com, mmaslano@redhat.com, perl-devel@lists.fedoraproject.org, perl-maint-list@redhat.com, ppisar@redhat.com, psabata@redhat.com
It was reported [1] that libwww-perl (LWP), when using IO::Socket::SSL (the default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were set, would disable server certificate verification. Judging by the commit [2], the intention was to disable only hostname verification for compatibility with Crypt::SSLeay, but the resultant effect is that SSL_verify_mode is set to 0. This code was introduced in LWP::Protocol::https in version 6.04, so earlier versions are not vulnerable.
Potential patches [3], [4] are being discussed upstream [5].
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
[2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa58...
[3] https://github.com/noxxi/lwp-protocol-https/commit/1b924708663f457a4f7c25ed3...
[4] https://github.com/noxxi/lwp-protocol-https/commit/6b5c876de80451ee54de5d853...
[5] https://github.com/libwww-perl/lwp-protocol-https/pull/14
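The following is an added illustration of the failure mode described in the report; it is not code from LWP::Protocol::https, from the referenced commits, or from the reporter. It builds the option hash that would be handed to IO::Socket::SSL in two ways: a variant that reproduces the reported effect (HTTPS_CA_FILE or HTTPS_CA_DIR present, intending to switch off only hostname checking, but ending with SSL_verify_mode set to 0), and a variant that keeps peer certificate verification on and uses SSL_verifycn_scheme alone to control the hostname check. The function names buggy_ssl_opts and fixed_ssl_opts and the %env hash are assumptions made for the example; the IO::Socket::SSL option names and constants are real.

```perl
#!/usr/bin/perl
# Added example (not LWP::Protocol::https code): compare two ways of mapping
# the Crypt::SSLeay-style HTTPS_CA_FILE/HTTPS_CA_DIR variables onto
# IO::Socket::SSL options. Function names are hypothetical.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_NONE SSL_VERIFY_PEER);

# $env stands in for %ENV so both variants can be compared offline.
# Returns the user's default for verify_hostname: off when the
# Crypt::SSLeay variables are present, on otherwise.
sub _want_hostname_check {
    my ($env, $o) = @_;
    return $o->{verify_hostname} if exists $o->{verify_hostname};
    return ($env->{HTTPS_CA_FILE} || $env->{HTTPS_CA_DIR}) ? 0 : 1;
}

# Reproduces the reported behaviour: "no hostname check" collapses into
# "no certificate verification at all".
sub buggy_ssl_opts {
    my ($env, $user_opts) = @_;
    my %o = %{ $user_opts || {} };
    my $verify_hostname = _want_hostname_check($env, \%o);
    delete $o{verify_hostname};

    if ($verify_hostname) {
        $o{SSL_verify_mode} ||= SSL_VERIFY_PEER;
        $o{SSL_verifycn_scheme} = 'www';
    } else {
        # The bug: any server certificate is now accepted.
        $o{SSL_verify_mode} = SSL_VERIFY_NONE;
    }
    $o{SSL_ca_file} ||= $env->{HTTPS_CA_FILE} if $env->{HTTPS_CA_FILE};
    $o{SSL_ca_path} ||= $env->{HTTPS_CA_DIR}  if $env->{HTTPS_CA_DIR};
    return \%o;
}

# Corrected mapping: peer verification stays on unless the caller
# explicitly sets SSL_verify_mode; only the CN/SAN match is optional.
sub fixed_ssl_opts {
    my ($env, $user_opts) = @_;
    my %o = %{ $user_opts || {} };
    my $verify_hostname = _want_hostname_check($env, \%o);
    delete $o{verify_hostname};

    $o{SSL_verify_mode} = SSL_VERIFY_PEER unless exists $o{SSL_verify_mode};
    $o{SSL_verifycn_scheme} = $verify_hostname ? 'www' : 'none';
    $o{SSL_ca_file} ||= $env->{HTTPS_CA_FILE} if $env->{HTTPS_CA_FILE};
    $o{SSL_ca_path} ||= $env->{HTTPS_CA_DIR}  if $env->{HTTPS_CA_DIR};
    return \%o;
}

# Constructed environment: only the CA file variable is set, as a
# Crypt::SSLeay user would have done.
my %env = (HTTPS_CA_FILE => '/etc/pki/tls/certs/ca-bundle.crt');

for my $variant (['buggy', \&buggy_ssl_opts], ['fixed', \&fixed_ssl_opts]) {
    my ($name, $builder) = @$variant;
    my $o = $builder->(\%env, {});
    printf "%-5s SSL_verify_mode=%d SSL_verifycn_scheme=%s SSL_ca_file=%s\n",
        $name, $o->{SSL_verify_mode}, $o->{SSL_verifycn_scheme} // 'undef',
        $o->{SSL_ca_file} // 'undef';
}
```

To check an installed perl-libwww-perl rather than this illustration, set HTTPS_CA_FILE to a valid bundle and fetch an HTTPS URL from a server that presents a certificate the bundle does not trust (a self-signed test server is enough). A fixed LWP::Protocol::https refuses the connection and LWP reports the TLS failure as an internal error response with the verification failure in the status line; an affected 6.04 build returns the page as if the certificate were valid.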
Statement:
This issue did not affect the versions of perl-libwww-perl as shipped with Red Hat Enterprise Linux 5 and 6.