CVE-2014-3504
Published: 12 August 2014
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 do not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
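The defect class described above is a length mismatch: the CN is carried in DER with an explicit length, but the client converts it to a C string and every byte after the first NUL is silently dropped, so a certificate whose CN begins with the expected hostname followed by a NUL byte compares equal to that hostname. The following C example is added here and is not serf's code; the function names, the constructed sample CN and the hostname are assumptions. It shows a naive strcmp-based matcher beside a hardened one that treats the DER length as authoritative and rejects any CN containing an embedded NUL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not from a real certificate): a CN whose DER length is
 * 29 bytes but whose C-string view stops at the embedded NUL after
 * "www.example.com". sizeof includes the trailing NUL, hence the -1. */
static const unsigned char SAMPLE_CN[] = "www.example.com\0.other.example";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)

/* Naive matcher: treats the CN as a C string, so everything after the first
 * NUL byte is ignored. This is the behaviour the CVE describes. */
int naive_cn_matches(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len; /* the DER length is never consulted */
    return strcmp((const char *)cn, host) == 0;
}

/* Returns 1 if the CN contains a NUL byte anywhere inside its DER length. */
int cn_has_embedded_nul(const unsigned char *cn, size_t cn_len)
{
    return memchr(cn, '\0', cn_len) != NULL;
}

/* Hardened matcher: the DER length is authoritative. Any embedded NUL is
 * treated as a malformed name and rejected; otherwise the comparison covers
 * the full length so a CN can be neither a prefix nor an extension of host.
 * (Case folding and wildcard handling are deliberately out of scope here.) */
int safe_cn_matches(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (cn_has_embedded_nul(cn, cn_len))
        return 0;
    if (strlen(host) != cn_len)
        return 0;
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("naive matcher accepts sample CN: %d\n",
           naive_cn_matches(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("safe matcher accepts sample CN:  %d\n",
           safe_cn_matches(SAMPLE_CN, SAMPLE_CN_LEN, host));
    return 0;
}
```

The same length-versus-strlen comparison is the check to apply to any string pulled out of an ASN.1 structure before it is handed to C string functions, not only the CN.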
Priority
Status

Package | Release | Status
---|---|---
serf (Launchpad, Ubuntu, Debian) | lucid | Ignored (end of life)
serf | precise | Released (1.0.0-2ubuntu0.1)
serf | trusty | Released (1.3.3-1ubuntu0.1)
serf | upstream | Released (1.3.7)
Patches (upstream):
- https://code.google.com/p/serf/source/detail?r=2392
- https://code.google.com/p/serf/source/detail?r=2398
- https://code.google.com/p/serf/source/detail?r=2393
- https://code.google.com/p/serf/source/detail?r=2399