SB2014041724 - Cryptographic issues in curl (Alpine package)
Published: April 17, 2014
Security Bulletin ID
SB2014041724
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cryptographic issues (CVE-ID: CVE-2014-0139)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=e57c1f8b95e9a6aecc75e9eaae6c7bf9e259adb6
- https://git.alpinelinux.org/aports/commit/?id=81797c691fdcca7f9b1373c27992ccf283075fe9
- https://git.alpinelinux.org/aports/commit/?id=c06e486361bfb260c36b661c47d03ff912df9539
- https://git.alpinelinux.org/aports/commit/?id=39696e7a1a7079578ea07cb9514fd0c50105340e
- https://git.alpinelinux.org/aports/commit/?id=0b5317d5717ad95fbe3c5737438b3f62f5457f61
- https://git.alpinelinux.org/aports/commit/?id=4bdd777b8634c3c2ef8d4bb6254f22cea78b46d6
- https://git.alpinelinux.org/aports/commit/?id=048866caef02c40bdbde05133737726cf92b0e42
- https://git.alpinelinux.org/aports/commit/?id=b40a99c8c0a04a119db0f5fad7fbe186981f054c
- https://git.alpinelinux.org/aports/commit/?id=d22f56928998d4f1d0de70ae7b6517b512e7b9b3