CVE-2014-0139
Published: 27 March 2014
cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Priority
Status
Package | Release | Status |
---|---|---|
curl | Upstream | Released (7.36.0) |
curl | Ubuntu 14.04 ESM (Trusty Tahr) | Released (7.35.0-1ubuntu2) |

Patches:
Upstream: http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch
Upstream: https://github.com/bagder/curl/commit/5019c780958c3a8dbe64123aa90e6eaff1b84cfa
Upstream: https://github.com/bagder/curl/commit/965690f67e190b5069cb0b16eef6917cb0d8ae18
Upstream: https://github.com/bagder/curl/commit/4d06b27921bde6d0caba0c84c1e50f8495ed48ee
Upstream: https://github.com/bagder/curl/commit/7cb763cf576e9d6ab93fcc1fbfb02c95766a1334
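
The hostname check at issue in the description above, as an added example that is not curl's code or part of this tracker entry: a naive wildcard matcher that accepts a CN such as `*.0.2.1` for the IP literal `192.0.2.1`, next to a hardened matcher that only matches an IP literal against the same address. The function names and the sample inputs (an address from the 192.0.2.0/24 documentation range) are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Parse s as an IPv4 or IPv6 literal; returns 1 and fills out/len on success. */
static int parse_ip(const char *s, unsigned char out[16], int *len)
{
  if(inet_pton(AF_INET, s, out) == 1) { *len = 4; return 1; }
  if(inet_pton(AF_INET6, s, out) == 1) { *len = 16; return 1; }
  return 0;
}

/* Flawed matcher (hypothetical): "*." as the left-most label matches any
   single label and never asks whether the requested host is an IP address. */
int match_naive(const char *pattern, const char *host)
{
  const char *rest;
  if(strncmp(pattern, "*.", 2) != 0)
    return strcasecmp(pattern, host) == 0;
  rest = strchr(host, '.');
  return rest && rest != host && strcasecmp(pattern + 1, rest) == 0;
}

/* Hardened matcher (hypothetical): an IP literal only matches a name that
   parses to the same address, so wildcards never apply to it. */
int match_hardened(const char *pattern, const char *host)
{
  unsigned char h[16], p[16];
  int hl, pl;
  if(parse_ip(host, h, &hl))
    return parse_ip(pattern, p, &pl) && hl == pl && memcmp(h, p, (size_t)hl) == 0;
  return match_naive(pattern, host);
}

int main(void)
{
  /* Constructed inputs: 192.0.2.1 is a documentation address. */
  printf("naive    *.0.2.1 vs 192.0.2.1: %d\n", match_naive("*.0.2.1", "192.0.2.1"));
  printf("hardened *.0.2.1 vs 192.0.2.1: %d\n", match_hardened("*.0.2.1", "192.0.2.1"));
  printf("hardened *.example.com vs www.example.com: %d\n",
         match_hardened("*.example.com", "www.example.com"));
  return 0;
}
```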