
APR 14 2023
Hackeriet · Source · Author: sgo

Perl HTTP::Tiny has insecure TLS default, affecting CPAN.pm and other modules

UPDATE 2023-06-12: v0.083-TRIAL has been released with a fix.

[CVE-2023-31486] HTTP::Tiny v0.082 is an HTTP client included in Perl (since v5.13.9) and also available as a standalone CPAN module. It does not verify TLS certificates by default; users must opt in with the verify_SSL=>1 flag to verify the identity of the HTTPS server they are communicating with.

The module is used by many distributions on CPAN, and likely other open source and proprietary software.

NOTE: This post summarizes…
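To find call sites that rely on the insecure default, the sketch below scans Perl source for HTTP::Tiny constructor calls and reports those that do not pass a true verify_SSL. It is an added example, not code from the original post or from HTTP::Tiny; the helper names and sample files are hypothetical and constructed, and the regex is a heuristic rather than a Perl parser.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed sample sources; file names and contents are made up for this example.
my %samples = (
    'lib/Default.pm'  => q{use HTTP::Tiny;
my $res = HTTP::Tiny->new->get($url);},
    'lib/Agent.pm'    => q{my $http = HTTP::Tiny->new(agent => 'demo/1.0', timeout => 10);},
    'lib/Off.pm'      => q{my $http = HTTP::Tiny->new( verify_SSL => 0 );},
    'lib/Verified.pm' => q{my $http = HTTP::Tiny->new( verify_SSL => 1 );},
    'lib/Dynamic.pm'  => q{my $http = HTTP::Tiny->new( verify_SSL => $opt{verify} );},
);

my %message = (
    UNSET    => 'verify_SSL not passed; certificate verification is off by default',
    DISABLED => 'verify_SSL explicitly disabled',
    REVIEW   => 'verify_SSL set from an expression; confirm it is true at runtime',
);

# Classify the argument text of one constructor call.
sub classify {
    my ($args) = @_;
    return 'UNSET' unless $args =~ /\bverify_SSL\s*=>\s*([^,\s]+)/;
    my $value = $1;
    return 'OK'       if $value =~ /^[1-9]\d*$/;
    return 'DISABLED' if $value =~ /^(?:0|''|""|undef)$/;
    return 'REVIEW';
}

# Return one finding per HTTP::Tiny->new call that is not clearly verifying.
# Heuristic: argument lists containing nested parentheses are cut short.
sub audit_source {
    my ($file, $src) = @_;
    my @findings;
    while ($src =~ /HTTP::Tiny\s*->\s*new\b(?:\s*\(([^)]*)\))?/g) {
        my $args   = $1 // '';
        my $before = substr($src, 0, $-[0]);
        my $line   = 1 + ($before =~ tr/\n//);   # count newlines before the match
        my $status = classify($args);
        push @findings, "$file:$line: $message{$status}" unless $status eq 'OK';
    }
    return @findings;
}

for my $file (sort keys %samples) {
    print "$_\n" for audit_source($file, $samples{$file});
}
```

Calls that build their options elsewhere (for example a hash passed into the constructor) are reported as not passing verify_SSL and need a manual look.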
