CVE-2013-4248 (retired)

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP
before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0'
character in a domain name in the Subject Alternative Name field of an
X.509 certificate, which allows man-in-the-middle attackers to spoof
arbitrary SSL servers via a crafted certificate issued by a legitimate
Certification Authority, a related issue to CVE-2009-2408.
 mdeslaur> initially fixed in 5.5.2 and 5.4.18
 mdeslaur> regression fixed in 5.5.3 and 5.4.19
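
Added example, not taken from this tracker entry or from PHP's openssl.c: a simplified C model of the failure mode in the description, where a length-delimited Subject Alternative Name entry is handled as a NUL-terminated string, shown beside a length-aware check. The struct, the function names and the sample host names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* dNSName entry as decoded from the certificate: bytes plus explicit length
 * (ASN.1 strings are length-delimited, not NUL-terminated). */
struct san_entry { const unsigned char *data; size_t len; };

/* Constructed samples. The first embeds a NUL byte after "www.example.com". */
static const unsigned char RAW_NUL[] = "www.example.com\0.attacker.test";
static const unsigned char RAW_OK[]  = "www.example.com";
static const struct san_entry SAN_NUL = { RAW_NUL, sizeof(RAW_NUL) - 1 };
static const struct san_entry SAN_OK  = { RAW_OK,  sizeof(RAW_OK) - 1 };

/* ASCII case-insensitive comparison of n bytes. */
static int eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: the entry is read as a C string, so strlen() stops at the
 * first NUL and the rest of the name is never compared. */
int san_matches_truncating(const struct san_entry *e, const char *host)
{
    size_t n = strlen((const char *)e->data);
    return n == strlen(host) && eq_nocase(e->data, host, n);
}

/* Length-aware check: reject entries containing NUL, then compare over the
 * encoded length. Returns 1 on match, 0 on mismatch or rejection. */
int san_matches_strict(const struct san_entry *e, const char *host)
{
    if (e->len == 0 || memchr(e->data, '\0', e->len) != NULL)
        return 0;
    return e->len == strlen(host) && eq_nocase(e->data, host, e->len);
}

int main(void)
{
    printf("truncating: %d\n", san_matches_truncating(&SAN_NUL, "www.example.com"));
    printf("strict:     %d\n", san_matches_strict(&SAN_NUL, "www.example.com"));
    return 0;
}
```

Rejecting the entry outright, instead of comparing only the part before the NUL, keeps a name with hidden trailing bytes from ever being treated as a match.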

Updated: 2019-03-26 12:09:35 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)