Giuseppe Iuculano
2009-Aug-17 08:33 UTC
[Secure-testing-team] Bug#541991: CVE-2009-2417: OpenSSL NULL Character Spoofing Vulnerability
Package: curl
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for curl.

CVE-2009-2417[0]:
A vulnerability has been reported in cURL, which can be exploited by
malicious people to conduct spoofing attacks.

The vulnerability is caused due to an error when processing certificate
fields containing NULL ('\0') characters. This can be exploited to e.g.
conduct Man-in-the-Middle (MitM) attacks via specially crafted
certificates.

The vulnerability is reported in versions prior to 7.19.6.

Note: This only affects cURL versions with enabled OpenSSL support.

Upstream advisory:
http://curl.haxx.se/docs/adv_20090812.txt

Backported patches for various curl versions:
http://curl.haxx.se/CVE-2009-2417/

Upstream bug report:
http://curl.haxx.se/bug/view.cgi?id=2829955

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
    http://security-tracker.debian.net/tracker/CVE-2009-2417

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqJFdUACgkQNxpp46476aqVdQCgiWQZqdcHchwCtte8vJrz5zqS
mo8Ani2XAt4EZk1AhPC+0+JX+MbGVVty
=fEKN
-----END PGP SIGNATURE-----
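The defect class behind this report, shown as an added example that is not part of the bug report, the upstream advisory or curl's own code: an X.509 name field arrives from the parser with an explicit length, so an embedded '\0' byte is a legal part of the value, but a hostname check that treats the field as a C string stops at that byte and compares only the prefix. The `match_weak` and `match_hardened` functions, the `hostname_eq` helper and the `CN_WITH_NUL` sample (a constructed commonName value, not from any real certificate) are all assumptions made for this illustration; the hardened variant rejects any field whose declared length covers a NUL byte and otherwise compares the full length. Wildcards and subjectAltName handling are out of scope here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample commonName as a length-prefixed value: the text before
 * the embedded NUL is what a C-string comparison sees; the declared length
 * covers the whole 29 bytes. Constructed for this example only. */
static const unsigned char CN_WITH_NUL[] = "www.example.com\0.evil.invalid";
#define CN_WITH_NUL_LEN (sizeof(CN_WITH_NUL) - 1)   /* 29, excludes the literal's terminator */

/* Constructed benign sample: no embedded NUL. */
static const unsigned char CN_PLAIN[] = "www.example.com";
#define CN_PLAIN_LEN (sizeof(CN_PLAIN) - 1)         /* 15 */

/* Case-insensitive equality of a length-delimited byte string and a C-string
 * hostname (ASCII only, which is all a DNS hostname should contain). */
static int hostname_eq(const unsigned char *a, size_t alen, const char *host)
{
    size_t hlen = strlen(host);
    if (alen != hlen)
        return 0;
    for (size_t i = 0; i < alen; i++) {
        unsigned char ca = a[i], cb = (unsigned char)host[i];
        if (ca >= 'A' && ca <= 'Z') ca = (unsigned char)(ca + ('a' - 'A'));
        if (cb >= 'A' && cb <= 'Z') cb = (unsigned char)(cb + ('a' - 'A'));
        if (ca != cb)
            return 0;
    }
    return 1;
}

/* Weak check (the pattern the advisory describes): the declared length is
 * ignored and strlen() decides where the name ends, so everything after an
 * embedded NUL is silently dropped from the comparison. Requires the buffer
 * to be NUL-terminated, which the string literals above are. */
int match_weak(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;   /* the bug: the parser's length is never consulted */
    return hostname_eq(cn, strlen((const char *)cn), host);
}

/* Hardened check: a NUL byte anywhere inside the declared length means the
 * field cannot be a hostname, so the certificate is rejected outright;
 * otherwise the whole declared length must match. */
int match_hardened(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;   /* embedded NUL: reject, do not compare a prefix */
    return hostname_eq(cn, cn_len, host);
}

int main(void)
{
    printf("weak     accepts NUL-embedded CN for www.example.com: %d\n",
           match_weak(CN_WITH_NUL, CN_WITH_NUL_LEN, "www.example.com"));
    printf("hardened accepts NUL-embedded CN for www.example.com: %d\n",
           match_hardened(CN_WITH_NUL, CN_WITH_NUL_LEN, "www.example.com"));
    printf("hardened accepts plain CN for WWW.EXAMPLE.COM:        %d\n",
           match_hardened(CN_PLAIN, CN_PLAIN_LEN, "WWW.EXAMPLE.COM"));
    return 0;
}
```

The useful check when auditing a TLS client is whether any code path derives the length of a name field with `strlen()` or passes it to a C-string function; the length the ASN.1 parser reports is the only authoritative one, and a mismatch between the two is itself a reason to fail verification rather than something to paper over.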