Cryptographic Issues Affecting curl package, versions <7.36.0-1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-CURL-520525
- published 15 Apr 2014
- disclosed 15 Apr 2014
Introduced: 15 Apr 2014
CVE-2014-0139 Open this link in a new tabHow to fix?
Upgrade Debian:11 curl to version 7.36.0-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian:11.
See How to fix? for Debian:11 relevant fixed versions and status.
cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
References
- ADVISORY
- CVE Details
- Debian Security Advisory
- http://advisories.mageia.org/MGASA-2015-0165.html
- http://curl.haxx.se/docs/adv_20140326B.html
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862
- http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
- http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
- http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
- IBM Security Bulletin
- OpenSuse Security Update
- Oracle Security Bulletin
- Secunia Advisory
- Secunia Advisory
- Secunia Advisory
- Secunia Advisory
- Secunia Advisory
- Ubuntu CVE Tracker
- Ubuntu Security Advisory