DescriptionThe libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs746579

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
liblwp-protocol-https-perl (PTS)bookworm, bullseye6.10-1fixed
sid, trixie6.14-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
liblwp-protocol-https-perlsourcewheezy(not affected)


[wheezy] - liblwp-protocol-https-perl <not-affected> (Introduced by bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8 in 6.04)
Introduced by
CVE assignment for

Search for package or bug name: Reporting problems