
List:       oss-security
Subject:    Re: [oss-security] Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modu
From:       "David A. Wheeler" <dwheeler () dwheeler ! com>
Date:       2023-05-04 20:50:53
Message-ID: C2F1E269-0FD7-45A2-A0E1-F1AC29383C09 () dwheeler ! com


> On May 4, 2023, at 2:23 PM, Rainer Canavan <rainer.canavan@avenga.com> wrote:
> I'd suspect that the issue in
> HTTP::Tiny would end up DISPUTED, since not validating TLS names is
> not the generally expected behavior, although it is documented (in
> bold no less).

I would also expect it to be at most disputed, not rejected.
As Jeffry Walton noted, failing to validate a certificate is considered
by many to be a vulnerability; there's even a specific CWE for this case:
https://cwe.mitre.org/data/definitions/295.html

Per the OP:

> On Apr 18, 2023, at 11:46 AM, Stig Palmquist <stig@stig.io> wrote:
> ... We have generated a list of over 300 potentially affected
> CPAN distributions.

A default that potentially causes over 300 other vulnerabilities sounds like
a root cause vulnerability to me. Clearly many users do *not* treat this
as expected behavior.
A change of the default would, for many, produce the expected behavior.

--- David A. Wheeler
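For readers following the thread, the setting under discussion is HTTP::Tiny's `verify_SSL` constructor option, which defaults to off. The following is an added example, not code from the thread or from HTTP::Tiny's own documentation; it places the insecure default beside a hardened construction and checks, via `can_ssl`, that verification is actually possible before any request is sent. The URL is a constructed placeholder and the commented-out CA bundle path is hypothetical.

```perl
#!/usr/bin/env perl
# Added example (not from the oss-security thread): HTTP::Tiny with its
# insecure default beside a construction that verifies the server certificate.
use strict;
use warnings;
use HTTP::Tiny;

# Constructed placeholder; replace with the endpoint you actually need.
my $url = 'https://example.invalid/';

# Default construction: verify_SSL is 0, so neither the certificate chain
# nor the hostname is checked (CWE-295). Any certificate is accepted.
my $insecure = HTTP::Tiny->new();

# Hardened construction: verify the chain against a CA store and check
# that the certificate matches the requested hostname.
my $secure = HTTP::Tiny->new(
    verify_SSL => 1,
    # Optional: point at a specific CA bundle (hypothetical path) rather than
    # relying on the one HTTP::Tiny locates on its own.
    # SSL_options => { SSL_ca_file => '/path/to/ca-bundle.crt' },
);

# Fail closed if TLS support (IO::Socket::SSL and Net::SSLeay) or a usable
# CA store is missing. In list context can_ssl returns (boolean, reasons).
my ($ok, $why) = $secure->can_ssl;
die "TLS certificate verification unavailable:\n$why" unless $ok;

my $res = $secure->get($url);
if ($res->{success}) {
    print "OK: $res->{status} $res->{reason}\n";
}
else {
    # A failed handshake or verification error is reported by HTTP::Tiny as
    # status 599 with the underlying error text in the response content.
    print "FAILED: $res->{status} $res->{reason}\n$res->{content}\n";
}
```

The `$insecure` object is built only for contrast; in a codebase, the check worth automating is a search for `HTTP::Tiny->new` calls that lack `verify_SSL => 1` (or an explicit `SSL_verify_mode` in `SSL_options`), since the default is the part that silently accepts any certificate.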
