oss-sec mailing list archives

Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules

From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Wed, 3 May 2023 15:54:38 -0400

On May 3, 2023, at 3:15 PM, Reid Sutherland <reid () thirddimension net> wrote:

Who actually decides when something receives a CVE?


There's a process for assigning CVEs. Anyone who wants to be able to assign CVEs - that is, to become a CVE Numbering 
Authority (CNA) - has to follow various processes. I'm sure it can be improved, like all things. I'm not directly 
involved in this. You might find more information here:
https://www.cve.org/ProgramOrganization/CNAs

 This can be used to defame projects and products as in this case.



Identifying a vulnerability does not defame a project. If a library has the functionality to retrieve an https URLs, 
and fails to verify the server certificates by default, then I (and many others) would call that a vulnerability. After 
all, the default is what happens. If you request data from <https://google.com>, you wouldn't expect it to use the data 
from <https://godzilla.com>. There's a general expectation that https://FPP provides a secure connection to FOO (with 
confidentiality, integrity, and server authentication), unless you specially disable it.

--- David A. Wheeler

Current thread:

Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules, (continued)
- - - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Hanno Böck (Apr 19)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Jeffrey Walton (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Matthew Fernandez (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Christian Heinrich (Apr 21)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Stig Palmquist (Apr 29)
  - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Moritz Bechler (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Michael Orlitzky (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 04)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Sam Bull (May 04)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Alan Coopersmith (May 04)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Rainer Canavan (May 04)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (May 04)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (May 04)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Jeffrey Walton (May 03)

(Thread continues...)