USN-2315-1: serf vulnerability
14 August 2014
Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
- serf - high-performance asynchronous HTTP client library
Ben Reser discovered that serf did not correctly handle SSL certificates
with NUL bytes in the CommonName or SubjectAltNames fields. A remote
attacker could exploit this to perform a machine-in-the-middle attack to view
sensitive information or alter encrypted communications.