ignore security and it'll go away
Showing 1 - 7 of 7 RSS Feed

CVE-2014-0139

Status Candidate

Overview

cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

Related Files

Mandriva Linux Security Advisory 2015-213
Posted Apr 29, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-213 - lftp incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site. lftp was affected by this issue as it uses code from cURL for checking SSL certificates. The curl package was fixed in MDVSA-2015:098.

tags | advisory
systems | linux, mandriva
advisories | CVE-2014-0139
MD5 | 13e85fe2b9ac6b66153224db7fbe831d
Mandriva Linux Security Advisory 2015-098
Posted Mar 30, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-098 - Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user. libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials. Various other issues were also addressed.

tags | advisory, web, protocol
systems | linux, mandriva
advisories | CVE-2014-0015, CVE-2014-0138, CVE-2014-0139, CVE-2014-3613, CVE-2014-3620, CVE-2014-3707, CVE-2014-8150
MD5 | d3e6fd95838b2a36118b683c99ced795
Gentoo Linux Security Advisory 201406-21
Posted Jun 24, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201406-21 - Multiple vulnerabilities have been discovered in cURL, the worst of which could lead to man-in-the-middle attacks. Versions less than 7.36.0 are affected.

tags | advisory, vulnerability
systems | linux, gentoo
advisories | CVE-2014-0138, CVE-2014-0139
MD5 | c059da53f900f1203c11559402083992
Mandriva Linux Security Advisory 2014-110
Posted Jun 10, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-110 - Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user. libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials. libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site.

tags | advisory, web, protocol
systems | linux, mandriva
advisories | CVE-2014-0015, CVE-2014-0138, CVE-2014-0139
MD5 | db1f963c40f0fd41b1cddb8ce5d5f1d5
Debian Security Advisory 2902-1
Posted Apr 15, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2902-1 - Two vulnerabilities have been discovered in cURL, an URL transfer library.

tags | advisory, vulnerability
systems | linux, debian
advisories | CVE-2014-0138, CVE-2014-0139
MD5 | 93a39dba7f01d0e8df6c62479f51ea19
Ubuntu Security Notice USN-2167-1
Posted Apr 14, 2014
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2167-1 - Steve Holme discovered that libcurl incorrectly reused wrong connections when using protocols other than HTTP and FTP. This could lead to the use of unintended credentials, possibly exposing sensitive information. Richard Moore discovered that libcurl incorrectly validated wildcard SSL certificates that contain literal IP addresses. An attacker could possibly exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.

tags | advisory, web, protocol
systems | linux, ubuntu
advisories | CVE-2014-0138, CVE-2014-0139
MD5 | b886ba23f33ddd081591ac1cb3642690
Slackware Security Advisory - curl Updates
Posted Mar 29, 2014
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

tags | advisory
systems | linux, slackware
advisories | CVE-2014-0138, CVE-2014-0139, CVE-2014-1263, CVE-2014-2522
MD5 | ee1bbb1e2e224ff31d99742c4d8f1190
Page 1 of 1
Back1Next

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close