CVE-2014-0139

Priority
Medium
Description
cURL and libcurl from version 7.1 up to, but not including, 7.36.0, when using
the OpenSSL, axtls, qsossl or gskit libraries for TLS, accept a wildcard that
matches an IP address in the subject's Common Name (CN) field of an X.509
certificate, which might allow man-in-the-middle attackers to spoof arbitrary
SSL servers via a crafted certificate issued by a legitimate Certification
Authority.
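The defect described above is a hostname-matching one: the wildcard rule meant for DNS names was also applied when the connection target was an IP-address literal, so a CN such as `*.0.0.1` could be accepted for a connection to `127.0.0.1`. The following C program is an added illustration, not code from curl or from this tracker entry; it contrasts a matcher with the pre-fix behaviour against one that refuses wildcard matching whenever the host is an IP literal (checked with `inet_pton`). The certificate names and hosts are constructed samples, and the simplified wildcard rule (only a whole leftmost label of `*`) is an assumption of the example, not curl's actual matching logic.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* True if host parses as an IPv4 or IPv6 address literal. */
static bool is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Simplified wildcard rule shared by both matchers (an assumption of this
 * example): "*.example.com" matches any host whose part after the first dot
 * equals "example.com". Only a whole leftmost label of "*" is honoured. */
static bool wildcard_match(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return false;
    const char *host_rest = strchr(host, '.');
    if (!host_rest || host_rest == host)   /* host needs a non-empty first label */
        return false;
    return strcasecmp(pattern + 2, host_rest + 1) == 0;
}

/* Pre-fix behaviour: the wildcard rule is applied to whatever the host
 * string is, so the constructed CN "*.0.0.1" is accepted for 127.0.0.1. */
bool hostmatch_vulnerable(const char *pattern, const char *host)
{
    if (strcasecmp(pattern, host) == 0)
        return true;
    return wildcard_match(pattern, host);
}

/* Fixed behaviour: a host given as an IP literal must match the certificate
 * name exactly; a wildcard never matches an address. */
bool hostmatch_fixed(const char *pattern, const char *host)
{
    if (strcasecmp(pattern, host) == 0)
        return true;
    if (is_ip_literal(host))
        return false;
    return wildcard_match(pattern, host);
}

int main(void)
{
    /* Constructed samples, not certificates taken from this advisory. */
    struct { const char *cn; const char *host; } cases[] = {
        { "*.example.com", "www.example.com" },
        { "*.0.0.1",       "127.0.0.1" },
        { "127.0.0.1",     "127.0.0.1" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("CN %-16s host %-16s vulnerable=%d fixed=%d\n",
               cases[i].cn, cases[i].host,
               (int)hostmatch_vulnerable(cases[i].cn, cases[i].host),
               (int)hostmatch_fixed(cases[i].cn, cases[i].host));
    return 0;
}
```

The only behavioural difference between the two matchers is the `is_ip_literal` gate, which is what the upstream fix adds in spirit: once the peer is addressed by IP, the certificate has to name that exact address, and a CA-issued wildcard certificate for some unrelated domain can no longer be presented for it.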
References
Bugs
Assigned-to
mdeslaur
Package
Source: curl (LP Ubuntu Debian)
Upstream: released (7.36.0)
Ubuntu 10.04 LTS (Lucid Lynx): released (7.19.7-1ubuntu1.7)
Ubuntu 12.04 LTS (Precise Pangolin): released (7.22.0-3ubuntu4.8)
Ubuntu 12.10 (Quantal Quetzal): released (7.27.0-1ubuntu1.9)
Ubuntu 13.10 (Saucy Salamander): released (7.32.0-1ubuntu1.4)
Ubuntu 14.04 LTS (Trusty Tahr): released (7.35.0-1ubuntu2)
Patches:
Upstream: http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch
Upstream: https://github.com/bagder/curl/commit/5019c780958c3a8dbe64123aa90e6eaff1b84cfa
Upstream: https://github.com/bagder/curl/commit/965690f67e190b5069cb0b16eef6917cb0d8ae18
Upstream: https://github.com/bagder/curl/commit/4d06b27921bde6d0caba0c84c1e50f8495ed48ee
Upstream: https://github.com/bagder/curl/commit/7cb763cf576e9d6ab93fcc1fbfb02c95766a1334
More Information


Updated: 2014-04-17 18:14:59 UTC (commit 7945)