IO::Socket::SSL: Certificate validation error — GLSA 201101-06

An error in the hostname matching of IO::Socket::SSL might enable remote attackers to conduct man-in-the-middle attacks.

Affected Packages

dev-perl/IO-Socket-SSL on all architectures
Affected versions < 1.26
Unaffected versions >= 1.26

Background

IO::Socket::SSL is a Perl class implementing an object oriented interface to SSL sockets.

Description

The vendor reported that IO::Socket::SSL does not properly handle Common Name (CN) fields.

Impact

A remote attacker might employ a specially crafted certificate to conduct man-in-the-middle attacks on SSL connections made using IO::Socket::SSL.

Workaround

There is no known workaround at this time.

Resolution

All IO::Socket::SSL users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-perl/IO-Socket-SSL-1.26"

References

Release Date
January 16, 2011

Latest Revision
January 16, 2011: 01

Severity
normal

Exploitable
remote

Bugzilla entries