CVE-2014-0139
Published: 27 March 2014
cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
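The defect described above is a name-matching one: a wildcard Common Name such as `*.168.0.1` should never be allowed to match an IP-literal host like `192.168.0.1`, because wildcards are only meaningful for DNS names. The following is an added example, not libcurl's own code, of a minimal certificate-name matcher that shows the legacy behaviour beside the hardened one. The function names are hypothetical; it assumes only POSIX `inet_pton` and `strcasecmp`, and it honours a single leading `*.` label that must not span across dots and needs at least two labels after it.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Return 1 if host is an IPv4 or IPv6 literal, else 0 (uses POSIX inet_pton). */
int is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Wildcard match: pattern "*.example.com" vs host "www.example.com".
 * Only a leading "*." label is honoured; it matches exactly one label,
 * and the remaining suffix must contain at least two labels (so "*.com"
 * is rejected). Comparison is case-insensitive. */
int wildcard_match(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return 0;
    const char *suffix = pattern + 1;           /* ".example.com" */
    if (strchr(suffix + 1, '.') == NULL)        /* need two labels after '*' */
        return 0;
    const char *host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host)   /* host needs a non-empty first label */
        return 0;
    return strcasecmp(host_dot, suffix) == 0;
}

/* Legacy behaviour (hypothetical reconstruction of the vulnerable class):
 * wildcard rules are applied to whatever the host string is, so a
 * certificate for "*.168.0.1" matches the host "192.168.0.1". */
int cert_name_matches_legacy(const char *cert_name, const char *host)
{
    if (cert_name == NULL || host == NULL || *cert_name == '\0' || *host == '\0')
        return 0;
    if (strcasecmp(cert_name, host) == 0)
        return 1;
    if (strchr(cert_name, '*') != NULL)
        return wildcard_match(cert_name, host);
    return 0;
}

/* Hardened behaviour: an IP-literal host may only match an exact name,
 * never a wildcard pattern. */
int cert_name_matches(const char *cert_name, const char *host)
{
    if (cert_name == NULL || host == NULL || *cert_name == '\0' || *host == '\0')
        return 0;
    if (strcasecmp(cert_name, host) == 0)       /* exact match covers IP literals */
        return 1;
    if (strchr(cert_name, '*') != NULL) {
        if (is_ip_literal(host))                /* the CVE-2014-0139 class: refuse */
            return 0;
        return wildcard_match(cert_name, host);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample pairs: (certificate name, requested host). */
    const char *pairs[][2] = {
        { "*.168.0.1",     "192.168.0.1"   },
        { "*.example.com", "www.example.com" },
        { "*.example.com", "a.b.example.com" },
        { "192.168.0.1",   "192.168.0.1"   },
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-16s vs %-16s legacy=%d hardened=%d\n",
               pairs[i][0], pairs[i][1],
               cert_name_matches_legacy(pairs[i][0], pairs[i][1]),
               cert_name_matches(pairs[i][0], pairs[i][1]));
    return 0;
}
```

The only difference between the two matchers is the `is_ip_literal` gate in front of the wildcard branch; exact matches, including an exact IP address in the CN, behave identically in both, which is why the fix does not break legitimate IP-address certificates.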
Priority
Status
Package | Release | Status |
---|---|---|
curl (Launchpad, Ubuntu, Debian) | upstream | Released (7.36.0) |
| lucid | Released (7.19.7-1ubuntu1.7) |
| precise | Released (7.22.0-3ubuntu4.8) |
| quantal | Released (7.27.0-1ubuntu1.9) |
| saucy | Released (7.32.0-1ubuntu1.4) |
Patches:
upstream: http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch
upstream: https://github.com/bagder/curl/commit/5019c780958c3a8dbe64123aa90e6eaff1b84cfa
upstream: https://github.com/bagder/curl/commit/965690f67e190b5069cb0b16eef6917cb0d8ae18
upstream: https://github.com/bagder/curl/commit/4d06b27921bde6d0caba0c84c1e50f8495ed48ee
upstream: https://github.com/bagder/curl/commit/7cb763cf576e9d6ab93fcc1fbfb02c95766a1334