From oss-security Thu May 04 20:50:53 2023
From: "David A. Wheeler"
Date: Thu, 04 May 2023 20:50:53 +0000
To: oss-security
Subject: Re: [oss-security] Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modu
Message-Id:
X-MARC-Message: https://marc.info/?l=oss-security&m=168323343603426

> On May 4, 2023, at 2:23 PM, Rainer Canavan wrote:
> I'd suspect that the issue in
> HTTP::Tiny would end up DISPUTED, since not validating TLS names is
> not the generally expected behavior, although it is documented (in
> bold no less).

I would also expect it to be at most disputed, not rejected.
As Jeffry Walton noted, failing to validate a certificate is considered
by many to be a vulnerability; there's even a specific CWE for this case:
https://cwe.mitre.org/data/definitions/295.html

Per the OP:

> On Apr 18, 2023, at 11:46 AM, Stig Palmquist wrote:
> ... We have generated a list of over 300 potentially affected
> CPAN distributions.

A default that potentially causes over 300 other vulnerabilities sounds
like a root cause vulnerability to me. Clearly many users do *not* treat this
as expected behavior. A change of the default would, for many, produce the
expected behavior.

--- David A. Wheeler
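As an added illustration (not part of the thread or of HTTP::Tiny itself), this is the pattern a module author can use today regardless of what the default is: request certificate verification explicitly and treat a failed check as a hard error rather than a retryable server response. It assumes HTTP::Tiny with IO::Socket::SSL installed; the URL is a placeholder.

```perl
#!/usr/bin/perl
# Added example, not from the oss-security thread: HTTP::Tiny with
# certificate verification turned on explicitly, so a chain or hostname
# mismatch fails the request instead of being silently accepted.
use strict;
use warnings;
use HTTP::Tiny;

# Placeholder URL; substitute the host your module actually talks to.
my $url = 'https://example.invalid/';

# Refuse up front if the TLS stack is missing, rather than letting a later
# request fail in a confusing way. In list context can_ssl also returns
# the reason when it is unavailable.
my ($ok, $why) = HTTP::Tiny->can_ssl;
die "HTTPS not available: $why\n" unless $ok;

# Do not depend on the version-specific default: ask for verification,
# so the behaviour is the same whatever HTTP::Tiny happens to be installed.
my $http = HTTP::Tiny->new(
    verify_SSL => 1,
    timeout    => 10,
);

my $res = $http->get($url);

# Status 599 is HTTP::Tiny's "internal exception", which includes a failed
# certificate check; it is not a server reply, so it must not be handled
# like an ordinary 5xx and retried against the same untrusted peer.
if ( !$res->{success} ) {
    if ( $res->{status} == 599 ) {
        die "transport/TLS failure fetching $url: $res->{content}";
    }
    die "HTTP $res->{status} $res->{reason} fetching $url\n";
}

print "fetched ", length( $res->{content} ), " bytes over verified TLS\n";
```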