Message-ID: <20230420073459.003a5be2.hanno@hboeck.de>
Date: Thu, 20 Apr 2023 07:34:59 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: Perl's HTTP::Tiny has insecure TLS cert default,
 affecting CPAN.pm and other modules

On Wed, 19 Apr 2023 23:53:40 +0200
Steffen Nurpmeso <steffen@...oden.eu> wrote:

> IMO it is no vulnerability at all since it has "always" been _very
> clearly_ (even very lengthily) documented in the manual page.

A vulnerability does not go away if it's documented, and I find that a
rather strange take.

Also I think this discussion was had many times before, as plenty of
libraries in other language ecosystems defaulted to not checking certs
or doing incomplete checks, and over time they all defaulted to the
sane thing: To make the secure setting the default.
The fact that apparently no one has ever checked this for a major Perl
library (I mean - CPAN itself, the package manager, is affected) is
quite telling tbh.

-- 
Hanno Böck
https://hboeck.de/
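The point under discussion is a default, so the practical fix for anyone consuming HTTP::Tiny today is to stop relying on it. The script below is an added example, not code from this thread, from HTTP::Tiny or from CPAN.pm. It builds one client with the bare constructor (which inherits whatever verify_SSL default the installed version ships) beside one that requests certificate verification explicitly, and refuses to hand out the second one unless verification is actually on and an SSL backend is available. The helper name secure_client, the 15-second timeout and the optional URL argument are my choices for illustration; only verify_SSL, can_ssl, the attribute accessors and the response hash keys are HTTP::Tiny's documented interface.

```perl
#!/usr/bin/env perl
# Added example: HTTP::Tiny's TLS default beside an explicit, hardened client.
use strict;
use warnings;
use HTTP::Tiny;

# Bare constructor: verify_SSL is whatever the installed HTTP::Tiny
# version defaults to. On the versions discussed in this thread that is
# 0, i.e. the server certificate is not checked at all.
my $default_client = HTTP::Tiny->new;

# Hardened client: verification is requested explicitly, so behaviour no
# longer depends on the module's default. The timeout is an arbitrary
# sensible value chosen for this example.
sub secure_client {
    my $http = HTTP::Tiny->new(
        verify_SSL => 1,
        timeout    => 15,
    );

    # Fail closed if the attribute somehow did not take effect.
    die "HTTP::Tiny did not enable verify_SSL\n" unless $http->verify_SSL;

    # Without a usable SSL backend nothing can be verified; fail closed
    # rather than silently falling back to plain HTTP elsewhere.
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    die "TLS not usable: $why\n" unless $ok;

    return $http;
}

printf "default client  verify_SSL: %d\n", $default_client->verify_SSL ? 1 : 0;

my $http = secure_client();
printf "hardened client verify_SSL: %d\n", $http->verify_SSL;

# Optional: pass an https:// URL on the command line to exercise the
# hardened client for real (no request is made when no URL is given).
if ( my $url = shift @ARGV ) {
    my $res = $http->get($url);
    if ( $res->{success} ) {
        print "$url: OK ($res->{status})\n";
    }
    else {
        # Status 599 is HTTP::Tiny's own code for an internal error; on a
        # certificate failure $res->{content} carries the SSL layer's reason.
        print "$url: FAILED ($res->{status}) $res->{content}\n";
    }
}
```

With verify_SSL enabled, HTTP::Tiny needs a CA bundle: it looks for Mozilla::CA or a system store, and if it finds neither the request fails with status 599 rather than being silently downgraded, which is the behaviour you want. Where the CA store lives somewhere unusual, pass it through the documented SSL_options attribute (for example SSL_options => { SSL_ca_file => '/path/to/ca-bundle.crt' }), which HTTP::Tiny hands to IO::Socket::SSL unchanged.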
