Fedora 13 : perl-IO-Socket-SSL-1.37-1.fc13 (2010-19054)

2010-12-2700:00:00

www.tenable.com

This update fixes a problem whereby IO::Socket::SSL fell back to the ‘VERIFY_NONE’ verification mode if another verification mode was defined but no valid ca_file or ca_path was provided.

The updated version throws an error in that situation rather than proceeding with the connection despite being unable to verify the certificate(s) as requested.

This issue was originally reported at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2010-19054.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(51381);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2010-4334");
  script_bugtraq_id(45189);
  script_xref(name:"FEDORA", value:"2010-19054");

  script_name(english:"Fedora 13 : perl-IO-Socket-SSL-1.37-1.fc13 (2010-19054)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update fixes a problem whereby IO::Socket::SSL fell back to the
'VERIFY_NONE' verification mode if another verification mode was
defined but no valid ca_file or ca_path was provided.

The updated version throws an error in that situation rather than
proceeding with the connection despite being unable to verify the
certificate(s) as requested.

This issue was originally reported at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=660847"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0a29ffcc"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected perl-IO-Socket-SSL package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:perl-IO-Socket-SSL");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:13");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^13([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 13.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC13", reference:"perl-IO-Socket-SSL-1.37-1.fc13")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "perl-IO-Socket-SSL");
}

VendorProductVersionCPE
fedoraprojectfedoraperl-io-socket-sslp-cpe:/a:fedoraproject:fedora:perl-io-socket-ssl
fedoraprojectfedora13cpe:/o:fedoraproject:fedora:13