Dominic Hargreaves
2009-Jul-06 09:36 UTC
[Secure-testing-team] Bug#535946: libio-socket-ssl-perl: Partial hostname matching vulnerability fixed in 1.26
Package: libio-socket-ssl-perl
Version: 1.24-1
Severity: grave
Tags: security
Justification: user security hole

1.26 (just uploaded to unstable) fixes what looks like a fairly serious
security issue:

v1.26 2009.07.03
- SECURITY BUGFIX!
  fix Bug in verify_hostname_of_cert where it matched only the prefix for
  the hostname when no wildcard was given, e.g. www.example.org matched
  against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting

From inspecting the source this appears to apply to at least 1.24-1
(testing) and 1.16-1 (stable).
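
An added illustration of the class of bug the changelog entry describes, not code from IO::Socket::SSL or from this report: a start-anchored match beside a fully anchored one. The helper names and the wildcard handling are assumptions; the `www.exam` / `www.example.org` pair is the changelog's own example and the other rows are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Turn a certificate name into a regex body. Assumption for this sketch:
# a wildcard is honoured only as a whole leftmost label ("*.example.org")
# and stands for exactly one label.
sub name_pattern {
    my ($cert_name) = @_;
    return '[^.]+\.' . quotemeta($1) if $cert_name =~ /\A\*\.(.+)\z/;
    return quotemeta($cert_name);
}

# Flawed form: anchored at the start only, so the certificate name merely
# has to be a prefix of the hostname.
sub matches_prefix_only {
    my ($host, $cert_name) = @_;
    my $re = name_pattern($cert_name);
    return $host =~ /\A$re/i ? 1 : 0;
}

# Corrected form: anchored at both ends, so the whole hostname must match.
sub matches_whole_name {
    my ($host, $cert_name) = @_;
    my $re = name_pattern($cert_name);
    return $host =~ /\A$re\z/i ? 1 : 0;
}

# [hostname, certificate name, expected result of a correct check]
my @cases = (
    ['www.example.org', 'www.exam',        0],  # changelog's example
    ['www.example.org', 'www.example.org', 1],  # constructed
    ['WWW.Example.ORG', 'www.example.org', 1],  # constructed
    ['www.example.org', '*.example.org',   1],  # constructed
    ['a.b.example.org', '*.example.org',   0],  # constructed
);

for my $case (@cases) {
    my ($host, $cert_name, $want) = @$case;
    my $loose  = matches_prefix_only($host, $cert_name);
    my $strict = matches_whole_name($host, $cert_name);
    printf "%-16s vs %-16s prefix-only=%d whole-name=%d\n",
        $host, $cert_name, $loose, $strict;
    die "regression: $host vs $cert_name\n" if $strict != $want;
}
```

The first row is the only one where the two checks disagree, which makes it a suitable regression case for any hostname-verification routine.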