CVE-2014-3504

Publication date 12 August 2014

Last updated 24 July 2024

Ubuntu priority

The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject’s Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
serf	14.04 LTS trusty	Fixed 1.3.3-1ubuntu0.1
	12.04 LTS precise	Fixed 1.0.0-2ubuntu0.1
	10.04 LTS lucid	Ignored end of life

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
serf	Upstream: https://code.google.com/p/serf/source/detail?r=2392 Upstream: https://code.google.com/p/serf/source/detail?r=2398 Upstream: https://code.google.com/p/serf/source/detail?r=2393 Upstream: https://code.google.com/p/serf/source/detail?r=2399

References

Related Ubuntu Security Notices (USN)

USN-2315-1
serf vulnerability
14 August 2014

CVE-2014-3504

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references