|
|
Subscribe / Log in / New account

Mageia alert MGASA-2015-0165 (lftp)



From:
    	      Mageia Updates <buildsystem-daemon@mageia.org> 


To:
    	      updates-announce@ml.mageia.org 


Subject:
    	      [updates-announce] MGASA-2015-0165: Updated lftp packages fix CVE-2014-0139 


Date:
    	      Thu, 23 Apr 2015 23:14:51 +0200


Message-ID:
    	      <20150423211451.809695AF4F@valstar.mageia.org>


MGASA-2015-0165 - Updated lftp packages fix CVE-2014-0139

Publication date: 23 Apr 2015
URL: http://advisories.mageia.org/MGASA-2015-0165.html

Type: security
Affected Mageia releases: 4
CVE: CVE-2014-0139

Description:
Updated lftp packages fix security vulnerability:

lftp incorrectly validates wildcard SSL certificates containing literal
IP addresses, so under certain conditions, it would allow and use a wildcard
match specified in the CN field, allowing a malicious server to participate
in a MITM attack or just fool users into believing that it is a legitimate
site (CVE-2014-0139).

lftp was affected by this issue as it uses code from cURL for checking SSL
certificates.  The curl package was fixed in MGASA-2014-0153.

References:
- https://bugs.mageia.org/show_bug.cgi?id=15716

- http://advisories.mageia.org/MGASA-2014-0153.html

- http://lftp.yar.ru/news.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139


SRPMS:
- 4/core/lftp-4.4.14-1.1.mga4
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds