CVE-2014-0139

Published: 27 March 2014

cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
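
An added example, not curl's own code and not part of this advisory: a simplified C name matcher showing the flawed behaviour described above next to a hardened form that never applies wildcard matching when the host is an IP literal. The function names and the sample values (192.0.2.1, example.com) are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if host parses as an IPv4 or IPv6 literal, 0 otherwise. */
static int is_ip_literal(const char *host)
{
    struct in_addr a4;
    struct in6_addr a6;
    return inet_pton(AF_INET, host, &a4) == 1 ||
           inet_pton(AF_INET6, host, &a6) == 1;
}

/* Simplified left-most-label wildcard match: "*.example.com" matches
 * "www.example.com". It has no notion of IP addresses, so a pattern
 * such as "*.0.2.1" also matches the host string "192.0.2.1". */
static int wildcard_match(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;
    const char *rest = strchr(host, '.');
    if (rest == NULL || rest == host)   /* wildcard needs one non-empty label */
        return 0;
    return strcasecmp(pattern + 1, rest) == 0;
}

/* Hardened check: an IP literal may only match exactly, never by wildcard.
 * (Assumption of this sketch: exact string comparison stands in for a
 * proper comparison against iPAddress subjectAltName entries.) */
static int cert_name_matches(const char *pattern, const char *host)
{
    if (is_ip_literal(host))
        return strcasecmp(pattern, host) == 0;
    return wildcard_match(pattern, host);
}

int main(void)
{
    /* Constructed sample values. */
    printf("naive    *.0.2.1 vs 192.0.2.1: %d\n",
           wildcard_match("*.0.2.1", "192.0.2.1"));
    printf("hardened *.0.2.1 vs 192.0.2.1: %d\n",
           cert_name_matches("*.0.2.1", "192.0.2.1"));
    printf("hardened *.example.com vs www.example.com: %d\n",
           cert_name_matches("*.example.com", "www.example.com"));
    return 0;
}
```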

Priority

Medium

Status

Package: curl (Launchpad, Ubuntu, Debian)

| Release | Status |
|---|---|
| upstream | Released (7.36.0) |
| lucid | Released (7.19.7-1ubuntu1.7) |
| precise | Released (7.22.0-3ubuntu4.8) |
| quantal | Released (7.27.0-1ubuntu1.9) |
| saucy | Released (7.32.0-1ubuntu1.4) |

Patches:
upstream: http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch
upstream: https://github.com/bagder/curl/commit/5019c780958c3a8dbe64123aa90e6eaff1b84cfa
upstream: https://github.com/bagder/curl/commit/965690f67e190b5069cb0b16eef6917cb0d8ae18
upstream: https://github.com/bagder/curl/commit/4d06b27921bde6d0caba0c84c1e50f8495ed48ee
upstream: https://github.com/bagder/curl/commit/7cb763cf576e9d6ab93fcc1fbfb02c95766a1334