| Name | CVE-2014-3230 |
| Description | The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 746579 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| liblwp-protocol-https-perl (PTS) | buster | 6.07-2 | fixed |
| bookworm, bullseye, sid | 6.10-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| liblwp-protocol-https-perl | source | wheezy | (not affected) | |||
| liblwp-protocol-https-perl | source | (unstable) | 6.04-3 | 746579 |
[wheezy] - liblwp-protocol-https-perl <not-affected> (Introduced by bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8 in 6.04)
Introduced by https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8
CVE assignment for https://github.com/libwww-perl/lwp-protocol-https/pull/14#issuecomment-42328818