CVE-2009-3024

NameCVE-2009-3024
DescriptionThe verify_hostname_of_cert function in the certificate checking feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when no wildcard is used, which allows remote attackers to bypass the hostname check for a certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libio-socket-ssl-perl (PTS)jessie2.002-2+deb8u3fixed
stretch2.044-1fixed
buster2.060-3fixed
bullseye2.069-1fixed
bookworm2.081-2fixed
sid, trixie2.089-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libio-socket-ssl-perlsourceetch(not affected)
libio-socket-ssl-perlsourcelenny1.16-1+lenny1
libio-socket-ssl-perlsource(unstable)1.30-1

Notes

[etch] - libio-socket-ssl-perl <not-affected> (Affected functionality introduced in 1.14)
Search for package or bug name: Reporting problems