On Wed, Jul 29, 2009 at 10:13:09PM +0100, Dominic Hargreaves wrote:
> On Mon, Jul 27, 2009 at 11:17:43AM +0200, Ansgar Burchardt wrote:
> > Hi,
> >
> > Dominic Hargreaves <d...@earth.li> writes:
> >
> > > On Mon, Jul 06, 2009 at 10:36:15AM +0100, Dominic Hargreaves wrote:
> > >
> > >> 1.26 (just uploaded to unstable) fixes what looks like a fairly serious
> > >> security issue:
> > >>
> > >> v1.26 2009.07.03
> > >> - SECURITY BUGFIX!
> > >>   fix Bug in verify_hostname_of_cert where it matched only the prefix for
> > >>   the hostname when no wildcard was given, e.g. www.example.org matched
> > >>   against a certificate with name www.exam in it
> > >>   Thanks to MLEHMANN for reporting
> > >>
> > >> From inspecting the source this appears to apply to at least 1.24-1
> > >> (testing) and 1.16-1 (stable).
> > >
> > > Hi security team.
> > >
> > > I'd be grateful if you could review this and let us know whether you
> > > believe a security update is necessary. A package with the fix backported
> > > has been prepared in
> > >
> > > http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libio-socket-ssl-perl/
> > >
> > > although it has not yet been fully tested.
> >
> > Any news about this?
>
> I've heard nothing from the security team.

Therefore may I upload to stable?

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
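
The changelog entry quoted in this thread describes a name comparison that accepted a certificate name which is only a prefix of the requested hostname. The Perl sketch below is an added example, not code from IO::Socket::SSL or from any participant in this thread; the function names `match_prefix_only` and `match_exact_or_wildcard`, the sample names, and the wildcard rule (a `*` covers exactly one leftmost label) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Flawed comparison of the kind the changelog describes (hypothetical
# reconstruction): the pattern is anchored at the start only, so a
# certificate name that is merely a prefix of the hostname is accepted.
sub match_prefix_only {
    my ($host, $cert_name) = @_;
    return $host =~ /^\Q$cert_name\E/i ? 1 : 0;
}

# Corrected comparison: without a wildcard the names must be equal as a
# whole; with a wildcard, "*" stands for exactly one leftmost label.
sub match_exact_or_wildcard {
    my ($host, $cert_name) = @_;
    ($host, $cert_name) = (lc $host, lc $cert_name);
    if ($cert_name =~ /^\*\.(.+)\z/) {
        my $suffix = $1;
        return $host =~ /^[^.]+\.\Q$suffix\E\z/ ? 1 : 0;
    }
    return $host eq $cert_name ? 1 : 0;
}

# Constructed regression cases: [hostname, certificate name, expected].
my @cases = (
    ['www.example.org', 'www.exam',        0],  # prefix only: must fail
    ['www.example.org', 'www.example.org', 1],  # exact match
    ['WWW.Example.ORG', 'www.example.org', 1],  # DNS names ignore case
    ['www.example.org', '*.example.org',   1],  # wildcard, one label
    ['a.b.example.org', '*.example.org',   0],  # "*" does not span labels
);

for my $c (@cases) {
    my ($host, $name, $want) = @$c;
    my $flawed = match_prefix_only($host, $name);
    my $fixed  = match_exact_or_wildcard($host, $name);
    printf "%-16s vs %-16s flawed=%d fixed=%d expected=%d\n",
        $host, $name, $flawed, $fixed, $want;
    die "fixed matcher wrong for $host / $name\n" if $fixed != $want;
}
```

Cases like these can be run against a backported package to confirm that the first one, the changelog's own `www.exam` example, is rejected.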