CVE-2011-0633

Published: 13 May 2011

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.

Notes

https support moved to liblwp-protocol-https-perl package in Oneiric
Mitre description suggests that only CN checking is skipped by
default, while the Red Hat bugzilla suggests that possibly no cert
checks are done by default. Testing needed to be sure.

hardy's libio-socket-ssl-perl doesn't validate certs at all, so
we can't just fix libwww-perl.
Not many reverse dependencies in main seem to use https, and
introducing this into a stable release may cause disruptions for
systems using munin, custom code, or some other packages.
We are not going to fix this issue in stable releases.
If certificate validation is required, we suggest moving to
oneiric or newer, or using a backported libwww-perl package.

Status

References

• https://www.cve.org/CVERecord?id=CVE-2011-0633
• NVD
• Launchpad
• Debian

Bugs

• https://bugzilla.redhat.com/show_bug.cgi?id=705044
• https://bugzilla.redhat.com/show_bug.cgi?id=745800