| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <E1NGz8r-0002xn-2o@titan.mandriva.com> Date: Sat, 05 Dec 2009 19:14:01 +0100 From: security@...driva.com To: full-disclosure@...ts.grok.org.uk Subject: [ MDVSA-2009:252-1 ] perl-IO-Socket-SSL -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:252-1 http://www.mandriva.com/security/ _______________________________________________________________________ Package : perl-IO-Socket-SSL Date : December 5, 2009 Affected: 2009.0 _______________________________________________________________________ Problem Description: A vulnerability was discovered and corrected in perl-IO-Socket-SSL: The verify_hostname_of_cert function in the certificate checking feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when no wildcard is used, which allows remote attackers to bypass the hostname check for a certificate (CVE-2009-3024). This update provides a fix for this vulnerability. Update: Packages were missing for 2009.0, this update addresses the problem. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3024 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 7e37ff49f7a218b12b4635a0fb061c8e 2009.0/i586/perl-IO-Socket-SSL-1.15-1.2mdv2009.0.noarch.rpm ffe8c1ead458cc0c011258f57d4908bf 2009.0/SRPMS/perl-IO-Socket-SSL-1.15-1.2mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 4297e01f0dc3ee3d86c95b8fe09b07f5 2009.0/x86_64/perl-IO-Socket-SSL-1.15-1.2mdv2009.0.noarch.rpm ffe8c1ead458cc0c011258f57d4908bf 2009.0/SRPMS/perl-IO-Socket-SSL-1.15-1.2mdv2009.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLGnbTmqjQ0CJFipgRAnMpAJ9auGQ0vfyu+BgpH+C/Tvkpc9lEUACgzSV3 R2Th+X3y48iBSWkfM2bbPfE= =bhoP -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists