Package: libwww-perl Version: 5.836-1 Severity: minor Tags: security Hi Moritz
I'm forwarding this to the bugtracker to have it tracked there, I hope this is okay. On Mon, Apr 16, 2012 at 05:33:41PM +0200, Moritz Muehlenhoff wrote: > I'd like to you notify of two minor security issues, one in Perl itself > and the other in libwww-perl: > > 1. CVE-2011-0663 has been assigned to this change from release 6.00: > > For https://... default to verified connections with require IO::Socket::SSL > and Mozilla::CA modules to be installed. Old behaviour can be requested by > setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0. The > LWP::UserAgent got new ssl_opts method to control this as well. > > Petr Pisar from Red Hat made a backport to 5.837, which is close to what > we have in stable: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0633 > > Maybe you want to backport this for one of the next point releases? Regards, Salvatore
signature.asc
Description: Digital signature
