Message-Id: <C2F1E269-0FD7-45A2-A0E1-F1AC29383C09@dwheeler.com>
Date: Thu, 4 May 2023 16:50:53 -0400
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: oss-security@...ts.openwall.com
Subject: Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules

> On May 4, 2023, at 2:23 PM, Rainer Canavan <rainer.canavan@...nga.com> wrote:
>
> I'd suspect that the issue in
> HTTP::Tiny would end up DISPUTED, since not validating TLS names is
> not the generally expected behavior, although it is documented (in
> bold no less).

I would also expect it to be at most disputed, not rejected.

As Jeffry Walton noted, failing to validate a certificate is considered by many to be a vulnerability; there's even a specific CWE for this case:
https://cwe.mitre.org/data/definitions/295.html

Per the OP:

> On Apr 18, 2023, at 11:46 AM, Stig Palmquist <stig@...g.io> wrote:
> ... We have generated a list of over 300 potentially affected
> CPAN distributions.

A default that potentially causes over 300 other vulnerabilities sounds like a root cause vulnerability to me. Clearly many users do *not* treat this as expected behavior. A change of the default would, for many, produce the expected behavior.

--- David A. Wheeler
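The practical consequence of the thread above is that code using HTTP::Tiny must not rely on the module's default for certificate verification. The following Perl script is an added example, not code from the thread, from HTTP::Tiny or from CPAN.pm: it constructs a client with the documented `verify_SSL => 1` option, audits an existing client through the documented `verify_SSL` accessor, and checks with `HTTP::Tiny->can_ssl` that TLS support is present at all. The helper names (`secure_http_client`, `client_verifies_tls`, `require_verifying_client`, `tls_available`) and the `HTTPS_CHECK_URL` environment variable are assumptions made for this example; nothing here depends on what a given HTTP::Tiny version's default happens to be.

```perl
#!/usr/bin/env perl
# Added example (not part of the oss-security thread or of HTTP::Tiny):
# never rely on HTTP::Tiny's verify_SSL default; set it explicitly and
# fail closed if a client that does not verify is about to be used.
use strict;
use warnings;
use HTTP::Tiny;

# Build a client that verifies the server certificate chain and hostname.
# verify_SSL => 1 is HTTP::Tiny's documented option; setting it explicitly
# makes the behaviour independent of the installed version's default.
sub secure_http_client {
    my %extra = @_;
    return HTTP::Tiny->new(
        verify_SSL => 1,
        timeout    => 10,
        %extra,
    );
}

# Audit helper: does this HTTP::Tiny object verify certificates?
# Uses the documented verify_SSL accessor. (Helper name is hypothetical.)
sub client_verifies_tls {
    my ($http) = @_;
    return $http->verify_SSL ? 1 : 0;
}

# Fail closed: refuse to send HTTPS traffic through a non-verifying client.
sub require_verifying_client {
    my ($http) = @_;
    die "refusing to send HTTPS traffic: verify_SSL is off\n"
        unless client_verifies_tls($http);
    return $http;
}

# HTTP::Tiny needs IO::Socket::SSL and Net::SSLeay for https; can_ssl
# reports whether they are usable and, if not, why.
sub tls_available {
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    return ($ok, $why // '');
}

if (!caller) {
    my $default = HTTP::Tiny->new;      # whatever this version's default is
    my $secure  = secure_http_client();

    printf "HTTP::Tiny %s: default verify_SSL=%d, hardened verify_SSL=%d\n",
        HTTP::Tiny->VERSION,
        client_verifies_tls($default),
        client_verifies_tls($secure);

    my ($ok, $why) = tls_available();
    if (!$ok) { print "TLS not available: $why\n"; exit 0 }

    # Opt-in network check (assumed env var, not part of HTTP::Tiny):
    # point HTTPS_CHECK_URL at a host whose certificate should NOT be
    # trusted, e.g. a self-signed test server you control. With the
    # hardened client the request must fail rather than succeed.
    if (my $url = $ENV{HTTPS_CHECK_URL}) {
        my $res = require_verifying_client($secure)->get($url);
        if ($res->{success}) {
            print "TLS verified, HTTP $res->{status}\n";
        }
        else {
            print "request failed (expected for an untrusted cert): ",
                  "$res->{status} $res->{reason}\n";
        }
    }
}
```

Run it once with no arguments to see what the installed HTTP::Tiny defaults to alongside the hardened client; a default of 0 is exactly the condition the thread describes. When auditing one of the downstream distributions, the `client_verifies_tls` check applied to every `HTTP::Tiny->new` call site is the quickest way to find code that inherits the insecure default.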