Ubuntu CVE tracker (ubuntu.com): UB:CVE-2011-0633

History: May 13, 2011 - 12:00 a.m.

CVE-2011-0633

Published: 2011-05-13 00:00:00
Source: ubuntu.com

CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.002 Low
Percentile: 57.4%

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in
WWW::Mechanize, LWP::UserAgent, and other products, when running in
environments that do not set the If-SSL-Cert-Subject header, does not
enable full validation of SSL certificates by default, which allows remote
attackers to spoof servers via man-in-the-middle (MITM) attacks involving
hostnames that are not properly validated. NOTE: it could be argued that
this is a design limitation of the Net::HTTPS API, and separate
implementations should be independently assigned CVE identifiers for not
working around this limitation. However, because this API was modified
within LWP, a single CVE identifier has been assigned.
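The description above comes down to one default: before LWP 6.00, Net::HTTPS accepted any certificate the peer presented unless the caller set an If-SSL-Cert-Subject header, so a man-in-the-middle with any certificate passed. The following Perl script is an added example, not code from the Ubuntu tracker or from libwww-perl itself; it shows the unverified default beside a client that enforces chain and hostname validation. The target URL and the CA bundle path are assumptions for illustration, and the ssl_opts constructor argument is assumed to be available (it is documented in LWP 6.x; an older LWP::UserAgent that does not know the option refuses it at construction rather than silently skipping verification).

```perl
#!/usr/bin/perl
# Added example (not from the Ubuntu CVE tracker or from libwww-perl):
# contrast the unverified pre-6.00 default with an LWP::UserAgent that
# insists on certificate chain and hostname validation.
use strict;
use warnings;
use LWP;
use LWP::UserAgent;

# Placeholder target for illustration.
my $url = $ARGV[0] // 'https://example.com/';

# Pre-6.00 behaviour: LWP::UserAgent->new with no ssl_opts and no
# If-SSL-Cert-Subject header. Net::HTTPS opens the TLS session and
# never compares the peer certificate with the hostname, so a MITM
# presenting any certificate is accepted. Constructed for contrast
# only; do not use it for real traffic.
my $unsafe = LWP::UserAgent->new;

# Hardened client. verify_hostname => 1 makes IO::Socket::SSL check the
# chain and match the hostname; in LWP >= 6.00 this is already the
# default (overridable via PERL_LWP_SSL_VERIFY_HOSTNAME), but setting it
# explicitly documents the requirement and survives a downgrade.
# SSL_ca_file is passed straight through to IO::Socket::SSL; the
# Debian/Ubuntu bundle path is an assumption, adjust for your system.
my $ua = LWP::UserAgent->new(
    timeout  => 15,
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => '/etc/ssl/certs/ca-certificates.crt',
    },
);

# Warn loudly if the installed LWP predates the fixed default, so an
# operator on a stable release that was never patched notices.
warn "LWP $LWP::VERSION predates 6.00; relying on explicit ssl_opts\n"
    if $LWP::VERSION < 6;

my $res = $ua->get($url);
if ($res->is_success) {
    print "OK: ", $res->status_line, "\n";
}
else {
    # With verification on, a certificate that does not chain to the
    # bundle or does not match the hostname surfaces as an internal
    # 500 response whose status line carries the SSL error text.
    print "FAILED: ", $res->status_line, "\n";
    exit 1;
}
```

Checking the installed release is a one-liner: `perl -MLWP -e 'print "$LWP::VERSION\n"'`. On the pre-6.00 code path the only knob the page names is the If-SSL-Cert-Subject request header, which LWP::Protocol::https matches as a regular expression against the peer certificate's subject string; that catches a certificate with the wrong name but does not by itself prove the chain, which is why the mdeslaur note above says an older IO::Socket::SSL that performs no checks cannot be fixed from libwww-perl alone.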

Bugs

Notes

Author Notes

tyhicks: https support moved to liblwp-protocol-https-perl package in Oneiric. Mitre description suggests that only CN checking is skipped by default, while the Red Hat bugzilla suggests that possibly no cert checks are done by default. Testing needed to be sure.

mdeslaur: hardy's libio-socket-ssl-perl doesn't validate certs at all, so we can't just fix libwww-perl. Not many reverse dependencies in main seem to use https, and introducing this into a stable release may cause disruptions for systems using munin, custom code, or some other packages. We are not going to fix this issue in stable releases. If certificate validation is required, we suggest moving to oneiric or newer, or using a backported libwww-perl package.
