
oss-sec mailing list archives
Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 20 Apr 2023 07:34:59 +0200
On Wed, 19 Apr 2023 23:53:40 +0200 Steffen Nurpmeso <steffen () sdaoden eu> wrote:
> IMO it is no vulnerability at all since it has "always" been _very clearly_ (even very lengthily) documented in the manual page.
A vulnerability does not go away if it's documented, and I find that a rather strange take.

Also I think this discussion was had many times before, as plenty of libraries in other language ecosystems defaulted to not checking certs or doing incomplete checks, and over time they all defaulted to the sane thing: to make the secure setting the default.

The fact that apparently no one has ever checked this for a major Perl library (I mean - CPAN itself, the package manager, is affected) is quite telling tbh.

--
Hanno Böck
https://hboeck.de/