This behaviour is fixed upstream. See the note on
http://search.cpan.org/~gaas/libwww-perl-6.04/lib/LWP/UserAgent.pm
which notes that this is not checked in 5.837 and earlier.
I believe it is fixed but not the default in 6.00.
It should do the right thing by default in 6.03 and later.
I'm not clear from the documentation where in fact the issue lies; I suspect
this is because upstream have unbundled some modules from the same source.
I just came across this as I upgraded the Perl libraries for an
application using CPAN and broke it, as the SSL connection required
additional certificate authority data that was not being supplied. So
the connection could have been easily intercepted.
Wheezy has 6.04, which is current.
I believe this bug has incorrect severity, since it potentially
undermines security in all 373 packages that depend on it, along with
third-party code such as that which I was working on.
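The report above concerns whether LWP::UserAgent verifies the server certificate and hostname by default, and what happens when the CA data it needs is missing. The script below is an added example, not code from the bug report or from libwww-perl itself: it reports what the installed LWP does by default (older releases without the ssl_opts method cannot verify at all), and builds an agent that verifies explicitly against a CA bundle and fails closed if that bundle is unreadable. The bundle path /etc/ssl/certs/ca-certificates.crt (the Debian ca-certificates location) and the use of PERL_LWP_SSL_CA_FILE as an override are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or libwww-perl): check whether this
# LWP verifies server certificates, and build a UserAgent that always does.
use strict;
use warnings;
use LWP::UserAgent;

# CA bundle to trust. The Debian ca-certificates path is an assumption here;
# PERL_LWP_SSL_CA_FILE is the environment override LWP 6.x itself honours.
my $CA_BUNDLE = $ENV{PERL_LWP_SSL_CA_FILE} || '/etc/ssl/certs/ca-certificates.crt';

# Report what the installed LWP does by default. LWP 5.837 and earlier has no
# ssl_opts method at all, so that case is reported explicitly rather than
# being mistaken for "verification off".
sub tls_verification_status {
    return {
        version         => $LWP::VERSION,
        verify_hostname => undef,
        note            => 'no ssl_opts: this LWP cannot verify server certificates',
    } unless LWP::UserAgent->can('ssl_opts');

    my $ua = LWP::UserAgent->new;
    return {
        version         => $LWP::VERSION,
        verify_hostname => $ua->ssl_opts('verify_hostname') ? 1 : 0,
        ca_file         => $ua->ssl_opts('SSL_ca_file'),
        env_override    => $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME},
    };
}

# Build an agent that verifies regardless of the library default or of
# PERL_LWP_SSL_VERIFY_HOSTNAME in the environment. A missing CA bundle is a
# hard error: silently continuing would give exactly the unverified
# connection the report describes.
sub verifying_ua {
    my ($ca_file) = @_;
    die "LWP $LWP::VERSION has no ssl_opts; upgrade to 6.x with LWP::Protocol::https\n"
        unless LWP::UserAgent->can('ssl_opts');
    die "CA bundle $ca_file not readable; refusing to create an unverified agent\n"
        unless -r $ca_file;
    return LWP::UserAgent->new(
        ssl_opts => { verify_hostname => 1, SSL_ca_file => $ca_file },
        timeout  => 30,
    );
}

my $status = tls_verification_status();
printf "LWP %s: verify_hostname=%s\n", $status->{version},
    defined $status->{verify_hostname} ? $status->{verify_hostname} : 'n/a';
print "$status->{note}\n" if $status->{note};
print "PERL_LWP_SSL_VERIFY_HOSTNAME=$status->{env_override} overrides the default\n"
    if defined $status->{env_override};

# Only contact a server when a URL is given, so the script runs offline by default.
if (my $url = shift @ARGV) {
    my $res = verifying_ua($CA_BUNDLE)->get($url);
    # With verification on, an untrusted or mismatched certificate shows up
    # here as a failed request whose status line names the SSL error, rather
    # than as a successful fetch from whoever is sitting on the connection.
    print $res->status_line, "\n";
}
```

Run it with no arguments to see what the installed LWP defaults to, then with an https URL to confirm the agent actually fails on an untrusted certificate; that second check is the one that would have caught the broken upgrade described in the report before deployment.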