[Secure-testing-team] Bug#541991: CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability
Giuseppe Iuculano
giuseppe at iuculano.it
Mon Aug 17 08:33:28 UTC 2009
Package: curl
Severity: serious
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for curl.
CVE-2009-2417[0]:
A vulnerability has been reported in cURL, which can be exploited by
malicious people to conduct spoofing attacks.
The vulnerability is caused by an error when processing
certificate fields containing NULL ('\0') characters. This can be
exploited to e.g. conduct Man-in-the-Middle (MitM) attacks via
specially crafted certificates.
The vulnerability is reported in versions prior to 7.19.6.
Note: This only affects cURL versions with enabled OpenSSL support.
Upstream advisory:
http://curl.haxx.se/docs/adv_20090812.txt
Backported patches for various curl versions:
http://curl.haxx.se/CVE-2009-2417/
Upstream bug report:
http://curl.haxx.se/bug/view.cgi?id=2829955
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
http://security-tracker.debian.net/tracker/CVE-2009-2417
Cheers,
Giuseppe.
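Added example (not curl's, OpenSSL's or the poster's code) of the defect class the advisory describes and the kind of check that closes it: a certificate name field carries an explicit length, so a hostname check that trusts strlen() on its bytes stops at an embedded NUL, while the hardened check first requires the declared length to equal strlen(). The struct, function names and sample inputs are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for an ASN.1 string: explicit length plus bytes. As with
 * OpenSSL's buffers, the bytes happen to be NUL-terminated as well, which
 * is what made strlen() look safe. (Assumed type, not curl's.) */
struct name_field {
    const unsigned char *data;
    size_t length;
};

/* Vulnerable style: trusts the bytes as a C string, so the comparison
 * silently stops at the first NUL inside the field. */
int hostmatch_vulnerable(const struct name_field *f, const char *host)
{
    return strcmp((const char *)f->data, host) == 0;
}

/* Hardened style (the idea behind the upstream fix): a declared length
 * that disagrees with strlen() means an embedded NUL, so refuse to match. */
int hostmatch_hardened(const struct name_field *f, const char *host)
{
    if (f->length != strlen((const char *)f->data))
        return 0;
    return strcmp((const char *)f->data, host) == 0;
}

/* Constructed inputs for the demo, not taken from any real certificate.
 * sizeof(...) - 1 gives the full byte count, including the embedded NUL. */
static const unsigned char honest[]  = "www.example.com";
static const unsigned char spoofed[] = "www.example.com\0.example.net";

int main(void)
{
    struct name_field ok  = { honest,  sizeof(honest)  - 1 };
    struct name_field bad = { spoofed, sizeof(spoofed) - 1 };
    printf("honest field:  vulnerable=%d hardened=%d\n",
           hostmatch_vulnerable(&ok,  "www.example.com"),
           hostmatch_hardened(&ok,   "www.example.com"));
    printf("spoofed field: vulnerable=%d hardened=%d\n",
           hostmatch_vulnerable(&bad, "www.example.com"),
           hostmatch_hardened(&bad,  "www.example.com"));
    return 0;
}
```

The spoofed field is accepted by the strlen()-based check and rejected by the length-aware one; the honest field passes both.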