Bug 1079149 (CVE-2014-0139)
Field | Value | Field | Value
---|---|---|---
Summary: | CVE-2014-0139 curl: IP address wildcard certificate validation issue in libcurl | |
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED WONTFIX | QA Contact: |
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | unspecified | CC: | carnil, jkurik, jrusnack, kdudka, pfrields, security-response-team, yselkowi
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | curl 7.36.0 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-07-07 11:26:39 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1080880, 1080891 | |
Bug Blocks: | 1053909 | |
Description

Murray McAllister, 2014-03-21 05:02:15 UTC

Fixed now upstream in curl version 7.36.0.

External References: http://curl.haxx.se/docs/adv_20140326B.html

Created mingw32-curl tracking bugs for this issue:
Affects: epel-5 [bug 1080891]

Created mingw-curl tracking bugs for this issue:
Affects: fedora-all [bug 1080880]

Upstream commit: https://github.com/bagder/curl/commit/5019c78

Statement: This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 6 and 7 because they use the NSS backend, not OpenSSL. It does affect Red Hat Enterprise Linux 5, which uses the OpenSSL backend. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

It seems this also affects lftp and is fixed in 4.6.2: https://github.com/lavv17/lftp/commit/6357bed2583171b7515af6bb6585cf56d2117e3f