Mandriva Linux Security Advisory : perl-IO-Socket-SSL (MDVSA-2009:252-1)

medium Nessus Plugin ID 41960

Synopsis

The remote Mandriva Linux host is missing a security update.

Description

A vulnerability was discovered and corrected in perl-IO-Socket-SSL :

The verify_hostname_of_cert function in the certificate checking feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when no wildcard is used, which allows remote attackers to bypass the hostname check for a certificate (CVE-2009-3024).

This update provides a fix for this vulnerability.

Update :

Packages were missing for 2009.0, this update addresses the problem.

Solution

Update the affected perl-IO-Socket-SSL package.

Plugin Details

Severity: Medium

ID: 41960

File Name: mandriva_MDVSA-2009-252.nasl

Version: 1.17

Type: local

Published: 10/2/2009

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:perl-io-socket-ssl, cpe:/o:mandriva:linux:2009.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/5/2009

Reference Information

CVE: CVE-2009-3024

BID: 35587

CWE: 310

MDVSA: 2009:252-1