
This queue is for tickets about the XML-Stream CPAN distribution.

Report information
The Basics
Id: 57649
Status: resolved
Priority: 0/
Queue: XML-Stream

People
Owner: dapatrick [...] cpan.org
Requestors: andersk [...] mit.edu
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in:
  • 1.13
  • 1.14
  • 1.15
  • 1.16
  • 1.17
  • 1.18
  • 1.19
  • 1.20
  • 1.21
  • 1.22
  • 1.23
  • 1.23_01
Fixed in: 1.23_02

Subject: Does not verify the remote SSL certificate
XML::Stream creates all SSL connections with SSL_verify_mode=>0x00. This is a security vulnerability, since it does not verify the remote SSL certificate, letting any attacker perform a man-in-the-middle attack on the connection. If SSL is requested, XML::Stream should verify the SSL certificate by default (perhaps with an additional option to disable verification, to be used only for testing purposes).
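What the report asks for, shown as an added example in Perl with IO::Socket::SSL (this is not XML::Stream's own code and not the fix later linked in the ticket): the `SSL_verify_mode => 0x00` setting beside a verifying default with a test-only opt-out. The option names `insecure` and `ca_file`, the example host, and the availability of the `'xmpp'` hostname-check scheme in the installed IO::Socket::SSL are assumptions.

```perl
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER, SSL_VERIFY_NONE, $SSL_ERROR

# Build the IO::Socket::SSL options for a connection to $host. Verification is
# on by default; the 'insecure' option (assumed name, not from XML::Stream) is
# the testing-only opt-out the report suggests.
sub tls_options {
    my ($host, %opts) = @_;

    if ($opts{insecure}) {
        # The setting the report describes: 0x00 is SSL_VERIFY_NONE, so any
        # certificate is accepted and a man-in-the-middle goes unnoticed.
        return (SSL_verify_mode => SSL_VERIFY_NONE);
    }

    my %ssl = (
        SSL_verify_mode     => SSL_VERIFY_PEER,  # reject an unverifiable chain
        SSL_verifycn_name   => $host,            # name the certificate must match
        SSL_verifycn_scheme => 'xmpp',           # assumed: scheme defined by IO::Socket::SSL
    );
    # Trust anchors: the system CA store by default, or a private CA bundle.
    $ssl{SSL_ca_file} = $opts{ca_file} if $opts{ca_file};
    return %ssl;
}

# Direct TLS connect. For a STARTTLS upgrade of an existing plain socket the
# same options are passed to IO::Socket::SSL->start_SSL($sock, tls_options(...)).
sub connect_tls {
    my ($host, $port, %opts) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost => $host,
        PeerPort => $port,
        tls_options($host, %opts),
    ) or die "TLS connection to $host:$port failed: $SSL_ERROR";
    return $sock;
}

# Usage (constructed host name): verification is on unless explicitly disabled.
# my $s = connect_tls('xmpp.example.org', 5223);
# my $t = connect_tls('localhost', 5223, insecure => 1);   # test harness only
```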

Anders,

Sorry for taking so long to get back to you. Yes, indeed this is a problem and I will fix it immediately. I'll let you know when a fix has been committed to trunk. I plan on publishing a new release before the end of the week.

Darian

Hi Anders,

I'm preparing a developer release of XML::Stream. The following commit includes a fix for the issue you've reported: http://github.com/dap/XML-Stream/commit/127866e35e993279d769ed7c05bbdb1a7d85f9be

I have a couple of other issues to take care of, then this release will be published to CPAN as XML-Stream-1.23_02. In the meantime, feel free to clone the repo and give it a test. I will be pushing corresponding changes to Net::XMPP shortly.

Best,
Darian

