This queue is for tickets about the XML-Stream CPAN distribution.

Report information
The Basics
Id: 57649
Status: patched
Priority: 0/
Queue: XML-Stream

People
Owner: dapatrick [...] cpan.org
Requestors: andersk [...] mit.edu
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in:
  • 1.13
  • 1.14
  • 1.15
  • 1.16
  • 1.17
  • 1.18
  • 1.19
  • 1.20
  • 1.21
  • 1.22
  • 1.23
  • 1.23_01
Fixed in: 1.23_02



Subject: Does not verify the remote SSL certificate
XML::Stream creates all SSL connections with SSL_verify_mode=>0x00. This is a security vulnerability, since it does not verify the remote SSL certificate, letting any attacker perform a man-in-the-middle attack on the connection. If SSL is requested, XML::Stream should verify the SSL certificate by default (perhaps with an additional option to disable verification, to be used only for testing purposes).
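An added example in Perl, not code from XML::Stream or from the fix commit, showing the weak IO::Socket::SSL setting the report describes next to a verifying default where skipping verification is an explicit opt-in. The helper names and the `insecure_skip_verify` and `ca_path` options are hypothetical; the IO::Socket::SSL option names and constants are the module's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_NONE SSL_VERIFY_PEER);

# Hypothetical helper: build the SSL options for an XMPP stream to $host.
sub tls_args {
    my ($host, %opt) = @_;

    # The pattern the ticket reports: SSL_verify_mode => 0x00 is
    # SSL_VERIFY_NONE, so any certificate is accepted and a man-in-the-middle
    # can terminate the TLS session with its own key. Only reachable here
    # when the caller explicitly asks for it (e.g. a test harness).
    return (SSL_verify_mode => SSL_VERIFY_NONE) if $opt{insecure_skip_verify};

    # Corrected default: verify the chain against a CA store and check that
    # the certificate is issued for the XMPP domain we intended to reach.
    return (
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_name   => $host,
        SSL_verifycn_scheme => 'xmpp',   # IO::Socket::SSL's XMPP name-check rules
        SSL_hostname        => $host,    # SNI, so the server picks the right cert
        # Optional explicit CA path; otherwise IO::Socket::SSL's default store is used.
        ($opt{ca_path} ? (SSL_ca_path => $opt{ca_path}) : ()),
    );
}

# Hypothetical helper: upgrade an already-connected plain socket to TLS,
# as a STARTTLS-style XMPP client would, failing closed on verification errors.
sub start_tls {
    my ($sock, $host, %opt) = @_;
    my $tls = IO::Socket::SSL->start_SSL($sock, tls_args($host, %opt))
        or die "TLS handshake or certificate verification failed: "
             . "$IO::Socket::SSL::SSL_ERROR\n";
    return $tls;
}

1;
```

A wrong hostname, an expired or self-signed certificate, or an untrusted issuer now makes `start_SSL` return false and `$IO::Socket::SSL::SSL_ERROR` describe which check failed, instead of silently proceeding.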
Anders,

Sorry for taking so long to get back to you. Yes, indeed this is a problem and I will fix it immediately. I'll let you know when a fix has been committed to trunk. I plan on publishing a new release before the end of the week.

Darian
Hi Anders,

I'm preparing a developer release of XML::Stream. The following commit includes a fix for the issue you've reported: http://github.com/dap/XML-Stream/commit/127866e35e993279d769ed7c05bbdb1a7d85f9be

I have a couple of other issues to take care of, then this release will be published to CPAN as XML-Stream-1.23_02. In the meantime, feel free to clone the repo and give it a test. I will be pushing corresponding changes to Net::XMPP shortly.

Best,
Darian


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.