IO::Socket::SSL: Certificate validation error

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 201101-06 / IO::Socket::SSL
Release Date January 16, 2011
Latest Revision January 16, 2011: 01
Impact normal
Exploitable remote
Package                  Vulnerable versions   Unaffected versions   Architecture(s)
dev-perl/IO-Socket-SSL   < 1.26                >= 1.26               All supported architectures

Related bugreports: #276360

Synopsis

An error in the hostname matching of IO::Socket::SSL might enable remote attackers to conduct man-in-the-middle attacks.

2.  Impact Information

Background

IO::Socket::SSL is a Perl class implementing an object-oriented interface to SSL sockets.

Description

The vendor reported that IO::Socket::SSL does not properly handle Common Name (CN) fields when matching a peer certificate against the expected hostname.

Impact

A remote attacker might employ a specially crafted certificate to conduct man-in-the-middle attacks on SSL connections made using IO::Socket::SSL.
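As an added example (it is not part of this advisory and not code from IO::Socket::SSL), the following pure-Perl routine shows the kind of hostname-to-certificate-name check an SSL client library has to get right: whole-label, case-insensitive comparison, a wildcard honoured only as the complete left-most label, and the CN consulted only when the certificate carries no DNS subjectAltName entries. The certificate records, hostnames and the helper names name_matches and cert_matches_host are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not part of the advisory or of IO::Socket::SSL itself:
# a minimal matcher between a hostname and the names a certificate claims.
use strict;
use warnings;

# Match one certificate name (possibly with a left-most wildcard label)
# against a hostname. Returns 1 on match, 0 otherwise.
sub name_matches {
    my ($pattern, $host) = @_;
    # Accept only plain DNS names: control characters, whitespace or other
    # bytes never belong in a hostname or a dNSName and are rejected outright.
    return 0 if $host    =~ /[^A-Za-z0-9.\-]/;
    return 0 if $pattern =~ /[^A-Za-z0-9.\-*]/;
    $pattern = lc $pattern;
    $host    = lc $host;
    return 1 if $pattern eq $host;
    my @p = split /\./, $pattern, -1;
    my @h = split /\./, $host,    -1;
    # A wildcard is honoured only as the entire left-most label, only with at
    # least two fixed labels after it, and it covers exactly one label.
    return 0 unless $p[0] eq '*' && @p >= 3 && @p == @h;
    for my $i (1 .. $#p) {
        return 0 unless $p[$i] eq $h[$i];
    }
    return 1;
}

# Decide whether a certificate identifies a host. $cert is a hashref with
# 'san_dns' (list of dNSName subjectAltName values) and 'cn' (subject CN).
sub cert_matches_host {
    my ($cert, $host) = @_;
    my @names = @{ $cert->{san_dns} || [] };
    # Fall back to the Common Name only when no DNS SANs are present.
    @names = ($cert->{cn}) if !@names && defined $cert->{cn};
    for my $n (@names) {
        return 1 if name_matches($n, $host);
    }
    return 0;
}

# Constructed sample certificates (not real certificates).
my %good  = (cn => 'www.example.com', san_dns => ['www.example.com', 'example.com']);
my %wild  = (cn => '*.example.com',   san_dns => []);
my %decoy = (cn => 'www.example.com', san_dns => ['other.example.net']);  # CN and SAN disagree

my @checks = (
    [\%good,  'www.example.com',  1],
    [\%good,  'WWW.EXAMPLE.COM',  1],
    [\%good,  'evil.example.com', 0],
    [\%wild,  'host.example.com', 1],
    [\%wild,  'a.b.example.com',  0],   # wildcard covers one label only
    [\%wild,  'example.com',      0],
    [\%decoy, 'www.example.com',  0],   # SAN present, so the CN is ignored
);
for my $c (@checks) {
    my ($cert, $host, $want) = @$c;
    my $got = cert_matches_host($cert, $host);
    printf "%-18s %-18s %s\n", $cert->{cn}, $host, $got == $want ? 'ok' : 'MISMATCH';
}
```

In IO::Socket::SSL's own API the equivalent check is only performed when the application asks for it: peer verification is enabled with SSL_verify_mode => SSL_VERIFY_PEER (plus a trust store via SSL_ca_file or SSL_ca_path), and the hostname check with SSL_verifycn_scheme (for example 'http') together with SSL_verifycn_name, or by calling verify_hostname on the connected socket. A client that never turns verification on gains nothing from the corrected matching code in 1.26.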

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All IO::Socket::SSL users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-perl/IO-Socket-SSL-1.26"

4.  References

Page updated January 16, 2011