CVE-2014-3230

NameCVE-2014-3230
DescriptionThe libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs746579

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
liblwp-protocol-https-perl (PTS)buster6.07-2fixed
bookworm, bullseye6.10-1fixed
trixie, sid6.14-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
liblwp-protocol-https-perlsourcewheezy(not affected)
liblwp-protocol-https-perlsource(unstable)6.04-3746579

Notes

[wheezy] - liblwp-protocol-https-perl <not-affected> (Introduced by bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8 in 6.04)
Introduced by https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8
CVE assignment for https://github.com/libwww-perl/lwp-protocol-https/pull/14#issuecomment-42328818
Search for package or bug name: Reporting problems