Bug 660847 (CVE-2010-4334)

| Field | Value |
|---|---|
| Summary | CVE-2010-4334 perl-IO-Socket-SSL: ignores user request for peer verification |
| Product | [Other] Security Response |
| Reporter | Vincent Danen <vdanen> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | jose.p.oliveira.oss, paul, perl-devel, perl-maint-list, ppisar, psabata |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2015-08-22 15:00:59 UTC |
Description
Vincent Danen
2010-12-07 18:08:55 UTC

Created attachment 467284 [details]
upstream 1.34->1.35 patch to fix the issue

This is the diff of upstream versions 1.34 and 1.35. The only change in 1.35 is this flaw.

This is CVE-2010-4334.

Another reference: http://secunia.com/advisories/42508/

(In reply to comment #2)
> Another reference: http://secunia.com/advisories/42508/

Secunia advisory mentions:

The security issue is caused due to IO::Socket::SSL silently falling back to the "VERIFY_NONE" verification mode if another verification mode is defined but no valid ca_file or ca_path is provided.

This is not entirely true, as IO::Socket::SSL carp()s in such case with error messages as:

No certificate verification because neither SSL_ca_file nor SSL_ca_path known at /usr/share/perl5/IO/Socket/SSL.pm line 301

Looking at the upstream changelog, this problem was introduced as intended fallback behaviour in version 1.23:

v1.23 2009.02.23
- if neither SSL_ca_file nor SSL_ca_path are known (e.g not given and the default values have no existing file|path) disable checking of certificates, but carp about the problem

Affected versions are only in RHEL-6 and F-13/F-14.

1.22 -> 1.23 and 1.34 -> 1.35 diffs for posterity:
http://search.cpan.org/diff?from=IO-Socket-SSL-1.22&to=IO-Socket-SSL-1.23&w=1
http://search.cpan.org/diff?from=IO-Socket-SSL-1.34&to=IO-Socket-SSL-1.35&w=1

Created attachment 469413 [details]
Test case

Slightly modified example ssl_client.pl script that can be used to test.

Fedora 13, 14 and Rawhide all now have IO::Socket::SSL 1.37.

This issue has low security impact. Fallback to VERIFY_NONE only happens in case of misconfiguration, i.e. when the user requests certificate verification but fails to specify a valid CA certificate store. A warning message is printed in such case, making it easy to spot.

I believe this one can be closed now.

No, Red Hat Enterprise Linux 6 is still affected by this so it cannot be closed.

Statement:

This issue did not affect the perl-IO-Socket-SSL version as shipped with Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
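The thread above explains that affected IO::Socket::SSL releases (1.23 through 1.34) only warn via carp() and then disable verification when SSL_verify_mode asks for peer verification but no usable SSL_ca_file or SSL_ca_path exists. The following Perl client is an added example, not code from the bug report, the attached ssl_client.pl test case, or the IO::Socket::SSL module itself. It shows how a caller on an unpatched system can make that misconfiguration fatal instead of silent: it checks the CA store before connecting and promotes the carp() warning quoted in the thread to a die. The host name and CA bundle path are assumptions to be adjusted for your environment.

```perl
#!/usr/bin/perl
# Added example: refuse to proceed when IO::Socket::SSL would fall back
# to VERIFY_NONE because the CA store is missing (CVE-2010-4334).
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Hypothetical values; change them for your environment.
my $host    = 'example.com';
my $ca_file = '/etc/pki/tls/certs/ca-bundle.crt';

# 1. The fallback is triggered by a CA store that does not exist, so check
#    that up front and stop before any connection is attempted.
-f $ca_file
    or die "CA file $ca_file does not exist; refusing to connect\n";

# 2. Affected versions carp() instead of failing when they disable
#    verification. Turn that warning (quoted in the bug thread) into a
#    fatal error so an unverified session can never be established silently.
local $SIG{__WARN__} = sub {
    my $msg = shift;
    die "fatal: $msg" if $msg =~ /No certificate verification/;
    warn $msg;
};

# 3. Request peer verification explicitly and point at the CA store.
my $sock = IO::Socket::SSL->new(
    PeerHost        => $host,
    PeerPort        => 443,
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_ca_file     => $ca_file,
) or die "connect/handshake failed: ", IO::Socket::SSL::errstr(), "\n";

print "verified TLS connection to $host established\n";
close $sock;
```

The `$SIG{__WARN__}` handler is the part that matters on an unpatched 1.23 to 1.34 install: the file check covers the common case, but the handler also catches a CA path that exists yet is rejected by the module, because the same carp() fires in either situation. On 1.35 and later the module fails the constructor itself, so the handler simply never triggers.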