Package name: curl
Date: 2009-12-04
Advisory ID: MDVSA-2009:203-1
Affected versions: 2008.0 i586, 2008.0 x86_64

Problem description

A vulnerability has been found and corrected in curl:

lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is
used, does not properly handle a '\0' character in a domain name in
the subject's Common Name (CN) field of an X.509 certificate, which
allows man-in-the-middle attackers to spoof arbitrary SSL servers via
a crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-2417).

This update provides a solution to this vulnerability.
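
The class of flaw described above, shown as an added illustration (not code from curl, OpenSSL, or this advisory): a CN compared as a C string beside a length-aware check. The struct, function names and sample CN are constructed for this example, and only exact-name matching is shown (no wildcards).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an ASN.1 string (assumption, not an OpenSSL type):
   the CN is stored as bytes plus a length, so it may contain '\0'. */
struct cn_field { const unsigned char *data; size_t len; };

/* Constructed sample: a CN with an embedded '\0' after the trusted name. */
static const unsigned char SAMPLE_CN[] = "www.example.com\0.untrusted.example";

/* Case-insensitive comparison of n bytes. */
static int ieq(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: treats the CN as a C string, so the comparison stops at
   the first '\0' and the remainder of the name is never examined.
   (Assumes data is NUL-terminated, as the sample buffers here are.) */
int cn_matches_naive(const struct cn_field *cn, const char *host)
{
    size_t n = strlen((const char *)cn->data);
    return n == strlen(host) && ieq(cn->data, host, n);
}

/* Hardened pattern: refuse any CN containing '\0', then compare using the
   encoded length rather than the C-string length. */
int cn_matches_checked(const struct cn_field *cn, const char *host)
{
    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && ieq(cn->data, host, cn->len);
}

int main(void)
{
    struct cn_field cn = { SAMPLE_CN, sizeof(SAMPLE_CN) - 1 };
    printf("naive:   %d\n", cn_matches_naive(&cn, "www.example.com"));
    printf("checked: %d\n", cn_matches_checked(&cn, "www.example.com"));
    return 0;
}
```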

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

Updated packages

2008.0 i586

 d1711e92c3f50c541bad2ebc92e1997e  2008.0/i586/curl-7.16.4-2.2mdv2008.0.i586.rpm
 7483d1c5e09cbdaa4091f7e005f844a1  2008.0/i586/libcurl4-7.16.4-2.2mdv2008.0.i586.rpm
 59374804184515524a92e7032c15e27f  2008.0/i586/libcurl-devel-7.16.4-2.2mdv2008.0.i586.rpm 
 82c7f004df0b5410c1bd0e4f245abf17  2008.0/SRPMS/curl-7.16.4-2.2mdv2008.0.src.rpm

2008.0 x86_64

 60168194a95389f0eef488361e9c41c6  2008.0/x86_64/curl-7.16.4-2.2mdv2008.0.x86_64.rpm
 c7957352289282f49d0a749022d43309  2008.0/x86_64/lib64curl4-7.16.4-2.2mdv2008.0.x86_64.rpm
 53be863ff6e89077c114c87646bf6435  2008.0/x86_64/lib64curl-devel-7.16.4-2.2mdv2008.0.x86_64.rpm 
 82c7f004df0b5410c1bd0e4f245abf17  2008.0/SRPMS/curl-7.16.4-2.2mdv2008.0.src.rpm

References