Advisories ยป MGASA-2015-0165

Updated lftp packages fix CVE-2014-0139

Publication date: 23 Apr 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-0139


Updated lftp packages fix security vulnerability:

lftp incorrectly validates wildcard SSL certificates containing literal
IP addresses, so under certain conditions, it would allow and use a wildcard
match specified in the CN field, allowing a malicious server to participate
in a MITM attack or just fool users into believing that it is a legitimate
site (CVE-2014-0139).

lftp was affected by this issue as it uses code from cURL for checking SSL
certificates.  The curl package was fixed in MGASA-2014-0153.