Published: 13 May 2011

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.


https support moved to liblwp-protocol-https-perl package in Oneiric.

Mitre description suggests that only CN checking is skipped by default, while the Red Hat bugzilla suggests that possibly no cert checks are done by default. Testing needed to be sure.

hardy's libio-socket-ssl-perl doesn't validate certs at all, so we can't just fix libwww-perl.

Not many reverse dependencies in main seem to use https, and introducing this into a stable release may cause disruptions for systems using munin, custom code, or some other packages. We are not going to fix this issue in stable releases. If certificate validation is required, we suggest moving to oneiric or newer, or using a backported libwww-perl package.
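A check for a given system, as an added example that is not part of the advisory or of LWP itself: it reports whether the installed LWP validates hostnames by default and builds an agent that keeps validation on regardless of environment overrides. The function names `audit_lwp_tls_defaults` and `strict_agent` are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example: audit LWP's TLS hostname-validation defaults on this host.
use strict;
use warnings;

# Returns a list of findings; an empty list means defaults validate hostnames.
sub audit_lwp_tls_defaults {
    my @findings;

    eval { require LWP::UserAgent; 1 }
        or return ('LWP::UserAgent is not installed');

    # UNIVERSAL::VERSION dies when the loaded module is older than requested.
    eval { LWP::UserAgent->VERSION(6.00); 1 }
        or return ('LWP ' . (LWP::UserAgent->VERSION // 'unknown')
                 . ' predates 6.00: hostname validation is not on by default');

    # From 6.00 on, https support ships separately (liblwp-protocol-https-perl).
    eval { require LWP::Protocol::https; 1 }
        or push @findings, 'LWP::Protocol::https is not installed';

    # A default-constructed agent reflects any environment overrides.
    my $ua = LWP::UserAgent->new;
    unless ($ua->ssl_opts('verify_hostname')) {
        my @set = grep { exists $ENV{$_} }
            qw(PERL_LWP_SSL_VERIFY_HOSTNAME HTTPS_CA_FILE HTTPS_CA_DIR);
        push @findings, 'verify_hostname is off for default agents'
            . (@set ? ' (environment sets: ' . join(', ', @set) . ')' : '');
    }
    return @findings;
}

# Build an agent with validation requested explicitly, so an environment
# variable cannot silently turn it off. Dies on LWP older than 6.00.
sub strict_agent {
    require LWP::UserAgent;
    LWP::UserAgent->VERSION(6.00);
    return LWP::UserAgent->new(ssl_opts => { verify_hostname => 1 });
}

my @findings = audit_lwp_tls_defaults();
if (@findings) {
    print "FINDING: $_\n" for @findings;
    exit 1;
}
print "OK: LWP ", LWP::UserAgent->VERSION, " validates hostnames by default\n";
```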




Package Release Status
Launchpad, Ubuntu, Debian
dapper    Ignored (end of life)
hardy     Ignored (end of life)
lucid     Ignored (end of life)
maverick  Ignored (end of life)
natty     Ignored (end of life)
oneiric   Not vulnerable
Released (6.00)