Mandriva Linux Security Advisory : perl-IO-Socket-SSL (MDVSA-2009:252-1)

Medium Nessus Plugin ID 41960


The remote Mandriva Linux host is missing a security update.


A vulnerability was discovered and corrected in perl-IO-Socket-SSL :

The verify_hostname_of_cert function in the certificate checking feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when no wildcard is used, which allows remote attackers to bypass the hostname check for a certificate (CVE-2009-3024).

This update provides a fix for this vulnerability.

Update :

Packages were missing for 2009.0, this update addresses the problem.


Update the affected perl-IO-Socket-SSL package.

Plugin Details

Severity: Medium

ID: 41960

File Name: mandriva_MDVSA-2009-252.nasl

Version: $Revision: 1.13 $

Type: local

Published: 2009/10/02

Modified: 2016/05/17

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:perl-IO-Socket-SSL, cpe:/o:mandriva:linux:2009.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2009/12/05

Reference Information

CVE: CVE-2009-3024

BID: 35587

MDVSA: 2009:252-1

CWE: 310