Advisories » MGASA-2015-0165

Updated lftp packages fix CVE-2014-0139

Publication date: 23 Apr 2015
Modification date: 23 Apr 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-0139

Description

Updated lftp packages fix security vulnerability:

lftp incorrectly validates wildcard SSL certificates containing literal
IP addresses, so under certain conditions, it would allow and use a wildcard
match specified in the CN field, allowing a malicious server to participate
in a MITM attack or just fool users into believing that it is a legitimate
site (CVE-2014-0139).

lftp was affected by this issue as it uses code from cURL for checking SSL
certificates.  The curl package was fixed in MGASA-2014-0153.
                

References

SRPMS

4/core