CVE-2023-31484: Add verify_SSL=>1 to HTTP::Tiny in CPAN::HTTP::Client to verify https server identity by stigtsp · Pull Request #175 · andk/cpanpm

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.


I’m assuming there still are systems out there that don’t use certificates properly (e.g. they may use self-signed certs and failed to introduce them correctly into their setup).

Since CPAN.pm often is used for bootstrapping Perl, would it be more sensible to introduce a warning and/or environment variable override first, and perhaps change the verify_SSL attribute at some later point?

FWIW, I’m in favor of using this module as a tool to prod developers in the right direction when it comes to security issues (including certificate validation), but it seems to me that we may be asking a bit much if we expect a functioning CA chain of trust on a typical stripped-down minimal OS installation.

I’m happy if I’m proven wrong though; for example, if we can find out that most common & reasonably recent minimal OS images (e.g. container images) have /etc/ssl set up correctly, then I’d love to see verify_SSL set to 1.

Still, I’m also wondering how much actually can break with this change.

Would you mind sharing some of your own thoughts on this, @stigtsp? 🙂

Related news

Ubuntu Security Notice USN-6112-2

Ubuntu Security Notice 6112-2 - USN-6112-1 fixed vulnerabilities in Perl. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. It was discovered that Perl was not properly verifying TLS certificates when using CPAN together with HTTP::Tiny to download modules over HTTPS. If a remote attacker were able to intercept communications, this flaw could potentially be used to install altered modules.
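The fix named in the PR title (verify_SSL => 1 on HTTP::Tiny) together with the CA-bundle concern raised in the comment above, as an added Perl example that is not code from CPAN.pm, HTTP::Tiny or the PR; the mirror URL and the error wording are assumptions, and the check relies only on HTTP::Tiny's documented can_ssl method:

```perl
#!/usr/bin/env perl
# Added example: fetch over HTTPS with server identity verification on,
# as CPAN.pm 2.35 does, and report clearly when no CA bundle is usable
# instead of silently falling back to an unverified connection.
use strict;
use warnings;
use HTTP::Tiny;

# Assumption: any HTTPS URL works here; a CPAN mirror is the realistic case.
my $url = $ARGV[0] // 'https://www.cpan.org/';

my $http = HTTP::Tiny->new(
    verify_SSL => 1,    # the setting the PR adds; older HTTP::Tiny left it off
    timeout    => 30,
);

# Called on the object, can_ssl also checks that a CA bundle can be found
# (SSL_CERT_FILE, the Mozilla::CA module, or a well-known system path).
# On a minimal image without /etc/ssl this is where bootstrapping fails,
# which is the situation the comment above worries about.
my ( $ok, $why ) = $http->can_ssl;
if ( !$ok ) {
    die "TLS verification is not possible on this host: $why\n"
      . "Install a CA bundle (the OS ca-certificates package or Mozilla::CA)\n"
      . "or set SSL_CERT_FILE to one, rather than turning verify_SSL off.\n";
}

my $res = $http->get($url);
if ( $res->{success} ) {
    printf "OK: %s %s (%d bytes)\n", $res->{status}, $res->{reason},
      length $res->{content};
}
else {
    # Status 599 is HTTP::Tiny's internal/transport error, which includes a
    # failed certificate check; the content carries the IO::Socket::SSL text.
    printf "FAILED: %s %s\n%s", $res->{status}, $res->{reason},
      $res->{content} // '';
    exit 1;
}
```

With verification on, a mismatched or untrusted server certificate surfaces as a 599 result rather than a successful download, which is the behaviour the advisory says CPAN.pm previously lacked.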
