Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22330
HistoryAug 17, 2009 - 12:00 a.m.

[ MDVSA-2009:203 ] curl

2009-08-1700:00:00
vulners.com
40
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mandriva Linux Security Advisory MDVSA-2009:203
http://www.mandriva.com/security/

Package : curl
Date : August 15, 2009
Affected: 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0

Problem Description:

A vulnerability has been found and corrected in curl:

lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is
used, does not properly handle a '\0' character in a domain name in
the subject's Common Name (CN) field of an X.509 certificate, which
allows man-in-the-middle attackers to spoof arbitrary SSL servers via
a crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-2417).

This update provides a solution to this vulnerability.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417

Updated Packages:

Mandriva Linux 2008.1:
8e2ea8611aefeb2a40d77afd88277fb4 2008.1/i586/curl-7.18.0-1.2mdv2008.1.i586.rpm
c70570c0bb2c329c19bd9317f732623d 2008.1/i586/curl-examples-7.18.0-1.2mdv2008.1.i586.rpm
c2a33e1c57b106a4030abfc8e2d3cc92 2008.1/i586/libcurl4-7.18.0-1.2mdv2008.1.i586.rpm
85220b736085c4ed0d45a5352d70b81e 2008.1/i586/libcurl-devel-7.18.0-1.2mdv2008.1.i586.rpm
387a18822140e74b895cf64b735a95f1 2008.1/SRPMS/curl-7.18.0-1.2mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
8bdfa65ac800bb2444b7bad1319a9ed2 2008.1/x86_64/curl-7.18.0-1.2mdv2008.1.x86_64.rpm
1db03c79d7f77ae66d96100af128a498 2008.1/x86_64/curl-examples-7.18.0-1.2mdv2008.1.x86_64.rpm
d3dc17d25cf42e331775cf3ad9f8011a 2008.1/x86_64/lib64curl4-7.18.0-1.2mdv2008.1.x86_64.rpm
40fe1718975e298ed247ed8184092616 2008.1/x86_64/lib64curl-devel-7.18.0-1.2mdv2008.1.x86_64.rpm
387a18822140e74b895cf64b735a95f1 2008.1/SRPMS/curl-7.18.0-1.2mdv2008.1.src.rpm

Mandriva Linux 2009.0:
892828128b099818d440a8407c229f6a 2009.0/i586/curl-7.19.0-2.3mdv2009.0.i586.rpm
d2401c2950c47eb04052c9cd79fbc179 2009.0/i586/curl-examples-7.19.0-2.3mdv2009.0.i586.rpm
421938c204416ad6a226f89cd67ebabb 2009.0/i586/libcurl4-7.19.0-2.3mdv2009.0.i586.rpm
7cb71ef8b449125765efed99af777eda 2009.0/i586/libcurl-devel-7.19.0-2.3mdv2009.0.i586.rpm
df4a805594f16bfce93b18a6e0777450 2009.0/SRPMS/curl-7.19.0-2.3mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
349b02bbda7eb662997f3183ef6d87c0 2009.0/x86_64/curl-7.19.0-2.3mdv2009.0.x86_64.rpm
9a09d4cb2c0ce21a78363ad7a07dd011 2009.0/x86_64/curl-examples-7.19.0-2.3mdv2009.0.x86_64.rpm
5e9eb5492801e1f31bba4343b25d8d6b 2009.0/x86_64/lib64curl4-7.19.0-2.3mdv2009.0.x86_64.rpm
438a1fb2bc30d993c533ca0ced47581d 2009.0/x86_64/lib64curl-devel-7.19.0-2.3mdv2009.0.x86_64.rpm
df4a805594f16bfce93b18a6e0777450 2009.0/SRPMS/curl-7.19.0-2.3mdv2009.0.src.rpm

Corporate 3.0:
1cb682e71b060c3e806651091692f319 corporate/3.0/i586/curl-7.11.0-2.4.C30mdk.i586.rpm
6e86a78de017172c73455f3bcc7be1fd corporate/3.0/i586/libcurl2-7.11.0-2.4.C30mdk.i586.rpm
49c2a0efd318ee51ac66ab4dacd58d44 corporate/3.0/i586/libcurl2-devel-7.11.0-2.4.C30mdk.i586.rpm
aeef3de8e19539e1e5cef22a3499cad7 corporate/3.0/SRPMS/curl-7.11.0-2.4.C30mdk.src.rpm

Corporate 3.0/X86_64:
c36bd07602a95362d5f8096076af96ff corporate/3.0/x86_64/curl-7.11.0-2.4.C30mdk.x86_64.rpm
94d4e28bf08697f658c9532bc8ef67ed corporate/3.0/x86_64/lib64curl2-7.11.0-2.4.C30mdk.x86_64.rpm
7ef2d495db13d134014f013379d43093 corporate/3.0/x86_64/lib64curl2-devel-7.11.0-2.4.C30mdk.x86_64.rpm
aeef3de8e19539e1e5cef22a3499cad7 corporate/3.0/SRPMS/curl-7.11.0-2.4.C30mdk.src.rpm

Corporate 4.0:
37ca03172a8b502f16a582d139ee3077 corporate/4.0/i586/curl-7.14.0-2.4.20060mlcs4.i586.rpm
4a7453f3ad0959dc987fb7988920fb29 corporate/4.0/i586/libcurl3-7.14.0-2.4.20060mlcs4.i586.rpm
34f9357fdc46b5814d15a0d67ac5c97a corporate/4.0/i586/libcurl3-devel-7.14.0-2.4.20060mlcs4.i586.rpm
76b72bc8938fdfc1bd425483a15a75f9 corporate/4.0/SRPMS/curl-7.14.0-2.4.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
688129530500a0cbfd405992da4b9377 corporate/4.0/x86_64/curl-7.14.0-2.4.20060mlcs4.x86_64.rpm
ca17056e48cb81012c5bd7a7d35b8d49 corporate/4.0/x86_64/lib64curl3-7.14.0-2.4.20060mlcs4.x86_64.rpm
51d0e70dd8230538eb484e15b70320b7 corporate/4.0/x86_64/lib64curl3-devel-7.14.0-2.4.20060mlcs4.x86_64.rpm
76b72bc8938fdfc1bd425483a15a75f9 corporate/4.0/SRPMS/curl-7.14.0-2.4.20060mlcs4.src.rpm

Mandriva Enterprise Server 5:
a374ff5beddecedf918904a67b208c00 mes5/i586/curl-7.19.0-2.3mdvmes5.i586.rpm
262a4e29d7c8ef7f451c87b7bc8e2c66 mes5/i586/curl-examples-7.19.0-2.3mdvmes5.i586.rpm
e86cc1febe979624999393b80c846715 mes5/i586/libcurl4-7.19.0-2.3mdvmes5.i586.rpm
ba7da37dd0c8c5e4ea8b94a123ba351c mes5/i586/libcurl-devel-7.19.0-2.3mdvmes5.i586.rpm
92e3583395a1ef3e8cd947e4ddded60d mes5/SRPMS/curl-7.19.0-2.3mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
4e66472f996cda47aaad865b7e9a2a9a mes5/x86_64/curl-7.19.0-2.3mdvmes5.x86_64.rpm
cb61278d082c2d15bdd209189f4eaaea mes5/x86_64/curl-examples-7.19.0-2.3mdvmes5.x86_64.rpm
231221eeb4a18060b32d0f5dcac2179e mes5/x86_64/lib64curl4-7.19.0-2.3mdvmes5.x86_64.rpm
5b2fa79ff88f193caaffce7a2fc0b127 mes5/x86_64/lib64curl-devel-7.19.0-2.3mdvmes5.x86_64.rpm
92e3583395a1ef3e8cd947e4ddded60d mes5/SRPMS/curl-7.19.0-2.3mdvmes5.src.rpm

Multi Network Firewall 2.0:
d9faa6984ea90caba24d8dd4924bde9c mnf/2.0/i586/curl-7.11.0-2.4.C30mdk.i586.rpm
93742023ff49d812df74fe370370b0c5 mnf/2.0/i586/libcurl2-7.11.0-2.4.C30mdk.i586.rpm
17709107a56bbee9b5bbee8e19354dc9 mnf/2.0/i586/libcurl2-devel-7.11.0-2.4.C30mdk.i586.rpm
9765888e1bffb0ebd83d1ec71574de2b mnf/2.0/SRPMS/curl-7.11.0-2.4.C30mdk.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKhq5AmqjQ0CJFipgRAkEjAKC6q4dguKEvsveWuP/zFZO2cki0MgCfSOef
0Y5QKEEUwQ/yEEgINNXRvIA=
=43oN
-----END PGP SIGNATURE-----

Related

securityvulns 4
ubuntucve 9
prion 19
openvas 60
cve 17
debiancve 8
nessus 57
altlinux 2
mozilla 1
slackware 1
debian 3
redhat 1
oraclelinux 1
exploitdb 1
threatpost 1
seebug 2
veracode 2
gentoo 1
centos 1
ubuntu 1
talos 1
f5 5
amazon 1
securityvulns
securityvulns
cURL / libcurl SSL certificate spoofing
2009-08-17 00:00:00
Mozilla Foundation Security Advisory 2009-42
2009-08-07 00:00:00
[ MDVSA-2009:225 ] qt4
2009-09-09 00:00:00
ubuntucve
ubuntucve
CVE-2009-2417
2009-08-14 00:00:00
CVE-2009-2408
2009-07-30 00:00:00
CVE-2013-4238
2013-08-17 00:00:00
prion
prion
Design/Logic Flaw
2009-08-14 15:16:00
Code injection
2009-07-30 19:30:00
Design/Logic Flaw
2010-01-04 21:30:00
openvas
openvas
Mandriva Security Advisory MDVSA-2009:203-1 (curl)
2009-12-10 00:00:00
Mandrake Security Advisory MDVSA-2009:203 (curl)
2009-09-02 00:00:00
Mandrake Security Advisory MDVSA-2009:203 (curl)
2009-09-02 00:00:00
cve
cve
CVE-2009-2417
2009-08-14 15:16:00
CVE-2009-2408
2009-07-30 19:30:00
CVE-2013-4238
2013-08-18 02:52:00
debiancve
debiancve
CVE-2009-2417
2009-08-14 15:16:00
CVE-2009-2408
2009-07-30 19:30:00
CVE-2009-3767
2009-10-23 19:30:00
nessus
nessus
Mandriva Linux Security Advisory : curl (MDVSA-2009:203-1)
2009-08-17 00:00:00
openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-1303)
2009-09-18 00:00:00
Mozilla Thunderbird < 2.0.0.23 Certificate Authority (CA) Common Name Null Byte Handling SSL MiTM Weakness
2009-08-21 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 6 package curl version 7.19.6-alt1
2009-08-13 00:00:00
Security fix for the ALT Linux 8 package curl version 7.19.6-alt1
2009-08-13 00:00:00
mozilla
mozilla
Compromise of SSL-protected communication — Mozilla
2009-08-01 00:00:00
slackware
slackware
curl
2009-08-14 15:21:33
debian
debian
[SECURITY] [DSA 1869-1] New curl packages fix SSL certificate verification weakness
2009-08-19 21:22:07
[Backports-security-announce] Security Update for proftpd-dfsg
2010-01-26 21:30:08
[Backports-security-announce] Security Update for proftpd-dfsg
2010-01-26 21:06:44
redhat
redhat
(RHSA-2009:1209) Moderate: curl security update
2009-08-13 00:00:00
oraclelinux
oraclelinux
curl security update
2009-08-13 00:00:00
exploitdb
exploitdb
Mozilla NSS NULL Character CA SSL Certificate Validation Security Bypass Vulnerability
2009-06-30 00:00:00
threatpost
threatpost
Apple Safari
2009-12-29 21:50:26
seebug
seebug
Mozilla Firefox NULL字符CA SSL证书验证安全绕过漏洞
2009-07-31 00:00:00
Randombit Botan Library X509 Certificate Validation Bypass Vulnerability(CVE-2017-2801)
2017-09-19 00:00:00
veracode
veracode
Man-in-the-Middle (MitM)
2020-04-10 00:33:40
Man-in-the-Middle (MitM)
2020-04-10 00:35:32
gentoo
gentoo
cURL: Certificate validation error
2009-09-25 00:00:00
centos
centos
curl security update
2009-08-14 02:34:58
ubuntu
ubuntu
curl vulnerability
2009-08-17 00:00:00
talos
talos
Randombit Botan Library X509 Certificate Validation Bypass Vulnerability
2017-04-28 00:00:00
f5
f5
SOL15683 - Ruby vulnerability CVE-2013-4073
2014-10-09 00:00:00
SOL15638 - Python vulnerability CVE-2013-4238
2014-09-29 00:00:00
SOL14909 - OpenSSL vulnerability CVE-2013-4248
2014-01-15 00:00:00
amazon
amazon
Medium: python27
2013-09-04 13:31:00
JSON
Related for SECURITYVULNS:DOC:22330
securityvulns4ubuntucve9prion19openvas60cve17debiancve8nessus57altlinux2mozilla1slackware1debian3redhat1oraclelinux1exploitdb1threatpost1seebug2veracode2gentoo1centos1ubuntu1talos1f55amazon1