MDVSA-2009:203-1
- Package name
- curl
- Date
- 2009-12-04
- Advisory ID
- MDVSA-2009:203-1
- Affected versions
- 2008.0 i586 , 2008.0 x86_64
Problem description
A vulnerability has been found and corrected in curl:
lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is
used, does not properly handle a '\0' character in a domain name in
the subject's Common Name (CN) field of an X.509 certificate, which
allows man-in-the-middle attackers to spoof arbitrary SSL servers via
a crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-2417).
This update provides a solution to this vulnerability.
Update:
Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
Updated packages
2008.0 i586
d1711e92c3f50c541bad2ebc92e1997e 2008.0/i586/curl-7.16.4-2.2mdv2008.0.i586.rpm 7483d1c5e09cbdaa4091f7e005f844a1 2008.0/i586/libcurl4-7.16.4-2.2mdv2008.0.i586.rpm 59374804184515524a92e7032c15e27f 2008.0/i586/libcurl-devel-7.16.4-2.2mdv2008.0.i586.rpm 82c7f004df0b5410c1bd0e4f245abf17 2008.0/SRPMS/curl-7.16.4-2.2mdv2008.0.src.rpm
2008.0 x86_64
60168194a95389f0eef488361e9c41c6 2008.0/x86_64/curl-7.16.4-2.2mdv2008.0.x86_64.rpm c7957352289282f49d0a749022d43309 2008.0/x86_64/lib64curl4-7.16.4-2.2mdv2008.0.x86_64.rpm 53be863ff6e89077c114c87646bf6435 2008.0/x86_64/lib64curl-devel-7.16.4-2.2mdv2008.0.x86_64.rpm 82c7f004df0b5410c1bd0e4f245abf17 2008.0/SRPMS/curl-7.16.4-2.2mdv2008.0.src.rpm