
List:       oss-security
Subject:    Re: [oss-security] Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modu
From:       Hanno Böck <hanno () hboeck ! de>
Date:       2023-04-20 5:34:59
Message-ID: 20230420073459.003a5be2.hanno () hboeck ! de

On Wed, 19 Apr 2023 23:53:40 +0200
Steffen Nurpmeso <steffen@sdaoden.eu> wrote:

> IMO it is no vulnerability at all since it has "always" been _very
> clearly_ (even very lengthily) documented in the manual page.

A vulnerability does not go away if it's documented, and I find that a
rather strange take.

Also I think this discussion was had many times before, as plenty of
libraries in other language ecosystems defaulted to not checking certs
or doing incomplete checks, and over time they all defaulted to the
sane thing: to make the secure setting the default.
The fact that apparently no one has ever checked this for a major perl
library (I mean - CPAN itself, the package manager, is affected) is
quite telling tbh.

-- 
Hanno Böck
https://hboeck.de/
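The thread is about HTTP::Tiny making https:// requests without validating the server certificate unless the caller turns verification on. The following script is an added example, not code from either poster or from the HTTP::Tiny project: it reports what the installed HTTP::Tiny version does by default, then constructs a client that requests verification explicitly so the code behaves the same whichever default the library ships with. It uses HTTP::Tiny's real `verify_SSL` option, `can_ssl` class method and the 599 internal-error response; the hostname `example.invalid` is a placeholder.

```perl
#!/usr/bin/env perl
# Added example (not from the mailing-list thread): inspect HTTP::Tiny's
# certificate-verification default and show the hardened constructor.
use strict;
use warnings;
use HTTP::Tiny;

# 1. What does the installed version do by default?
#    verify_SSL is HTTP::Tiny's switch for validating the server certificate
#    (and hostname) on https:// requests; the thread is about it being off.
my $default_client = HTTP::Tiny->new;
printf "HTTP::Tiny %s: verify_SSL default is %s\n",
    $HTTP::Tiny::VERSION,
    $default_client->verify_SSL ? "on (secure)" : "OFF (insecure)";

# 2. Is TLS verification even possible here? Without IO::Socket::SSL and a
#    CA bundle, https:// requests fail rather than silently going unverified.
my ($can_ssl, $why) = HTTP::Tiny->can_ssl;
die "TLS not available: $why\n" unless $can_ssl;

# 3. Hardened client: ask for verification explicitly regardless of the
#    library default, so the code is correct on old and new HTTP::Tiny alike.
my $client = HTTP::Tiny->new(
    verify_SSL => 1,
    timeout    => 10,
);

# 4. Fail closed: refuse to proceed if verification is somehow still off.
die "refusing to make unverified HTTPS requests\n" unless $client->verify_SSL;

# 5. Example request. The host is a placeholder; replace it with the real
#    endpoint. A certificate that fails validation yields a 599 response
#    with the reason in 'content', not a silent success.
my $url = 'https://example.invalid/';
my $res = $client->get($url);
if ($res->{success}) {
    print "OK: $res->{status} $res->{reason}\n";
} else {
    print "FAILED: $res->{status} $res->{reason}\n";
    print "  $res->{content}\n" if $res->{status} == 599;
}
```

Step 1 is the check worth running against any Perl deployment: if it prints "OFF (insecure)", every module on that host that uses HTTP::Tiny without passing `verify_SSL => 1` (the thread names CPAN.pm as one) is accepting any certificate. Passing the option explicitly, as in step 3, removes the dependence on the library default altogether.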