CVE-2011-0633
Publication date 13 May 2011
Last updated 24 July 2024
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
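As an added illustration (not code from the Ubuntu record or from libwww-perl itself), the snippet below shows the weak and the hardened way to build an LWP::UserAgent for HTTPS, plus a guard that refuses to send traffic when hostname verification is off. It assumes LWP 5.837 or later (the release that introduced the ssl_opts interface and the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable), an IO::Socket::SSL new enough to honour those options, and a CA bundle at the path given in $CA_BUNDLE, which is an assumption you should adjust for your system.

```perl
#!/usr/bin/perl
# Added example, not part of the CVE record or of libwww-perl.
# Shows how an LWP::UserAgent ends up with certificate/hostname verification
# on or off, and how to assert it before any HTTPS request is made.
use strict;
use warnings;
use LWP::UserAgent;

# Assumed CA bundle location (Debian/Ubuntu ca-certificates); adjust as needed.
my $CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

# Weak configuration: verification explicitly disabled. On LWP before 6.00 this
# was the effective default unless PERL_LWP_SSL_VERIFY_HOSTNAME=1 was set, so a
# bare LWP::UserAgent->new on those versions behaves like this object.
sub insecure_agent {
    return LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
}

# Hardened configuration: verify the peer name and pin the trust store
# explicitly rather than relying on the library default.
sub verified_agent {
    return LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,
            SSL_ca_file     => $CA_BUNDLE,
        },
    );
}

# Guard for code that has to run on both 5.8xx and 6.x LWP: fail closed if the
# agent would connect without checking the certificate subject.
sub assert_verifying {
    my ($ua) = @_;
    my $on = $ua->ssl_opts('verify_hostname');
    die "refusing to send HTTPS traffic: verify_hostname is off\n" unless $on;
    return 1;
}

assert_verifying(verified_agent());
eval { assert_verifying(insecure_agent()) };
print "insecure agent rejected: $@" if $@;

# With verification on, a man-in-the-middle presenting a certificate for the
# wrong name fails at connect time and the failure shows up in status_line.
my $res = verified_agent()->get('https://example.com/');
print $res->is_success
    ? "TLS peer verified\n"
    : "request failed: " . $res->status_line . "\n";
```

Note that ssl_opts only helps when the underlying IO::Socket::SSL actually performs the check; as the mdeslaur note below points out, on releases whose IO::Socket::SSL does no validation at all, fixing libwww-perl alone is not sufficient.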
Notes
tyhicks
HTTPS support moved to the liblwp-protocol-https-perl package in Oneiric. The MITRE description suggests that only CN checking is skipped by default, while the Red Hat bugzilla suggests that possibly no cert checks are done by default. Testing needed to be sure.
mdeslaur
Hardy's libio-socket-ssl-perl doesn't validate certs at all, so we can't just fix libwww-perl. Not many reverse dependencies in main seem to use HTTPS, and introducing this into a stable release may cause disruptions for systems using munin, custom code, or some other packages. We are not going to fix this issue in stable releases. If certificate validation is required, we suggest moving to Oneiric or newer, or using a backported libwww-perl package.