MDVSA-2009:252
- Package name: perl-IO-Socket-SSL
- Date: 2009-09-30
- Advisory ID: MDVSA-2009:252
- Affected versions: 2009.0 x86_64, 2009.0 i586, MES5 i586, MES5 x86_64
Problem description
A vulnerability was discovered and corrected in perl-IO-Socket-SSL:
The verify_hostname_of_cert function in the certificate checking
feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only
matches the prefix of a hostname when no wildcard is used, which
allows remote attackers to bypass the hostname check for a certificate
(CVE-2009-3024).
This update provides a fix for this vulnerability.
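The prefix-only comparison described above, shown next to an end-anchored one, as an added Perl example (not the IO::Socket::SSL source and not the patch shipped in this update). The function `name_matches`, its `$anchor_end` switch, the single-label wildcard rule and all sample names are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration; simplified stand-in, not the IO::Socket::SSL source.
use strict;
use warnings;

# Compare one certificate name against the hostname the client asked for.
# $anchor_end = 0 reproduces a prefix-only comparison for names without a
# wildcard; $anchor_end = 1 requires the whole hostname to match.
# Assumption for this example: "*." is accepted only as the leftmost label
# and stands for exactly one label; that branch is the same in both modes.
sub name_matches {
    my ($cert_name, $host, $anchor_end) = @_;
    my $pattern;
    if ($cert_name =~ /^\*\.(.+)\z/) {
        my $suffix = $1;
        $pattern = qr/^[^.]+\.\Q$suffix\E\z/i;
    }
    elsif ($cert_name =~ /\*/) {
        return 0;    # any other wildcard form is rejected here
    }
    else {
        $pattern = $anchor_end
            ? qr/^\Q$cert_name\E\z/i    # whole name must be equal
            : qr/^\Q$cert_name\E/i;     # hostname only has to start with it
    }
    return $host =~ $pattern ? 1 : 0;
}

# Constructed test data: [certificate name, hostname the client asked for].
my @cases = (
    ['www.example.org', 'www.example.org'],
    ['WWW.Example.Org', 'www.example.org'],
    ['www.exam',        'www.example.org'],
    ['www.example.org', 'www.example.org.example.net'],
    ['*.example.org',   'www.example.org'],
    ['*.example.org',   'a.b.example.org'],
);

my $disagreements = 0;
for my $case (@cases) {
    my ($cert_name, $host) = @$case;
    my $prefix = name_matches($cert_name, $host, 0);
    my $full   = name_matches($cert_name, $host, 1);
    $disagreements++ if $prefix != $full;
    printf "%-17s vs %-28s prefix=%d full=%d%s\n",
        $cert_name, $host, $prefix, $full,
        ($prefix != $full ? '  <-- differs' : '');
}
print "$disagreements case(s) accepted by only one of the two modes\n";
```

A table of this kind works as a regression check for any hostname-verification routine: every row flagged as differing is a certificate name that a prefix-only comparison accepts for a hostname it does not actually cover.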
Updated packages
2009.0 x86_64
4b2b70c98ccf0372ddac26ab9ee7cf00 2009.0/x86_64/perl-IO-Socket-SSL-1.15-1.1mdv2009.0.noarch.rpm
2009.0 i586
105f213eb1d2351b25922ee75ab2d0f4 2009.0/i586/perl-IO-Socket-SSL-1.15-1.1mdv2009.0.noarch.rpm
MES5 i586
a0bbb57dfcffbc6707eda691eeb3a3e5 mes5/i586/perl-IO-Socket-SSL-1.15-1.1mdvmes5.noarch.rpm
4661a26b8c88cd183ebada5fb4155b98 mes5/SRPMS/perl-IO-Socket-SSL-1.15-1.1mdvmes5.src.rpm
MES5 x86_64
44c13cc673984ccf919dd512613bffd3 mes5/x86_64/perl-IO-Socket-SSL-1.15-1.1mdvmes5.noarch.rpm
4661a26b8c88cd183ebada5fb4155b98 mes5/SRPMS/perl-IO-Socket-SSL-1.15-1.1mdvmes5.src.rpm
