SciLinux: CVE-2009-2417 Moderate: curl SL5.x i386/x86_64
Summary
Date: Thu, 13 Aug 2009 16:46:56 -0500
Reply-To: Troy Dawson
Sender: Security Errata for Scientific Linux
From: Troy Dawson
Subject: Security ERRATA Moderate: curl on SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"

Synopsis: Moderate: curl security update
Issue date: 2009-08-13
CVE Names: CVE-2009-2417

CVE-2009-2417 curl: incorrect verification of SSL certificate with NUL in name

Scott Cantor reported that cURL is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. (CVE-2009-2417)

All running applications using libcurl must be restarted for the update to take effect.

SL 5.x

  SRPMS:
curl-7.15.5-2.1.el5_3.5.src.rpm

  i386:
curl-7.15.5-2.1.el5_3.5.i386.rpm
curl-devel-7.15.5-2.1.el5_3.5.i386.rpm

  x86_64:
curl-7.15.5-2.1.el5_3.5.i386.rpm
curl-7.15.5-2.1.el5_3.5.x86_64.rpm
curl-devel-7.15.5-2.1.el5_3.5.i386.rpm
curl-devel-7.15.5-2.1.el5_3.5.x86_64.rpm

-Connie Sieh
-Troy Dawson
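The mechanics of the "null prefix attack" the advisory describes, as an added example that is not part of the errata and not curl's own code. A DER-encoded certificate name carries an explicit length, so "victim-bank.example\0.attacker.example" is one 37-byte name to the CA that signed it, but a consumer that copies it into a C string and compares with strlen()-style semantics only sees the 19 bytes before the NUL. The decoder, the two comparison routines and the host names are all constructed for this illustration; the vulnerable_match function models the pre-fix behaviour and fixed_match the post-fix behaviour in outline, not curl's actual source.

```python
"""Added example: why an embedded NUL in an X.509 name defeats a
strlen()-based hostname check, and the check that closes the hole."""


def der_utf8string(value: bytes) -> bytes:
    """Encode a short UTF8String (tag 0x0c) with a short-form DER length."""
    if len(value) >= 0x80:
        raise ValueError("demo only handles short-form lengths")
    return b"\x0c" + bytes([len(value)]) + value


def der_decode_string(buf: bytes) -> bytes:
    """Minimal decoder for one short-form DER string element.

    The length octet, not a terminating NUL, delimits the value; this is
    what a CA signs and what the verifier must honour."""
    if len(buf) < 2:
        raise ValueError("truncated element")
    tag, length = buf[0], buf[1]
    if tag not in (0x0C, 0x13, 0x16):  # UTF8String, PrintableString, IA5String
        raise ValueError("unexpected tag 0x%02x" % tag)
    if length >= 0x80 or len(buf) != 2 + length:
        raise ValueError("bad length")
    return buf[2:2 + length]


def c_string(value: bytes) -> bytes:
    """Model of what a strlen()-based consumer sees: bytes up to the first NUL."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def vulnerable_match(cert_name: bytes, hostname: str) -> bool:
    """Pre-fix behaviour (modelled): the name is handled as a C string, so
    everything after the first NUL is silently dropped before comparison."""
    return c_string(cert_name).lower() == hostname.lower().encode("ascii")


def fixed_match(cert_name: bytes, hostname: str) -> bool:
    """Fixed behaviour (modelled): compare the full DER-delimited value and
    reject any name with an embedded NUL, which no real DNS name contains."""
    if b"\x00" in cert_name:
        return False
    return cert_name.lower() == hostname.lower().encode("ascii")


# Constructed sample certificates. The attacker controls attacker.example, so
# a CA doing a domain-ownership check may sign the crafted name; the NUL makes
# it look like victim-bank.example to a vulnerable client.
CRAFTED_CN = der_utf8string(b"victim-bank.example\x00.attacker.example")
HONEST_CN = der_utf8string(b"victim-bank.example")
TARGET_HOST = "victim-bank.example"


def demo() -> dict:
    """Run both checks against both names; returns the four verdicts."""
    crafted = der_decode_string(CRAFTED_CN)
    honest = der_decode_string(HONEST_CN)
    return {
        "crafted_vulnerable": vulnerable_match(crafted, TARGET_HOST),
        "crafted_fixed": fixed_match(crafted, TARGET_HOST),
        "honest_vulnerable": vulnerable_match(honest, TARGET_HOST),
        "honest_fixed": fixed_match(honest, TARGET_HOST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-20s %s" % (k, v))
```

The vulnerable check accepts the crafted name and the fixed check rejects it, while both accept the honest name; the same length-versus-NUL mismatch applies to subjectAltName dNSName entries, which is why a complete fix has to cover every name source the client consults.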
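A way to find the processes the "must be restarted" note refers to, as an added example that is not part of the errata. On Linux, when rpm replaces the libcurl shared object the running processes keep the old inode mapped and /proc/PID/maps appends "(deleted)" to that path, so scanning the maps files lists exactly the processes still using the unpatched library. The sample maps text below is constructed for the illustration (the libcurl.so.3.0.0 path is an assumption about the SL5 package, not taken from the errata).

```python
"""Added example: list processes that still map a replaced libcurl."""
import os


def stale_libcurl_paths(maps_text: str) -> set:
    """Return the deleted libcurl paths named in one process's maps text."""
    found = set()
    for line in maps_text.splitlines():
        # address perms offset dev inode [pathname]; pathname keeps its
        # internal spaces, so split at most five times.
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no path
        path = parts[5]
        if "libcurl.so" in path and path.endswith("(deleted)"):
            found.add(path)
    return found


def processes_to_restart(proc_root: str = "/proc") -> dict:
    """Map PID -> deleted libcurl paths for every readable process."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_libcurl_paths(fh.read())
        except OSError:
            continue  # process exited, or not ours to read without root
        if stale:
            result[int(entry)] = stale
    return result


# Constructed sample: one process that loaded libcurl before the update.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 131 /usr/bin/curl
3e0a000000-3e0a06b000 r-xp 00000000 08:01 2093 /usr/lib64/libcurl.so.3.0.0 (deleted)
3e0a06b000-3e0a26a000 ---p 0006b000 08:01 2093 /usr/lib64/libcurl.so.3.0.0 (deleted)
3e0a26a000-3e0a26c000 rw-p 0006a000 08:01 2093 /usr/lib64/libcurl.so.3.0.0 (deleted)
3e0e000000-3e0e016000 r-xp 00000000 08:01 2210 /lib64/libz.so.1.2.3
7fff1c000000-7fff1c021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample: a process that was started after the update.
SAMPLE_MAPS_CLEAN = SAMPLE_MAPS.replace(" (deleted)", "")


if __name__ == "__main__":
    for pid, paths in sorted(processes_to_restart().items()):
        print("%d still maps %s" % (pid, ", ".join(sorted(paths))))
```

Run it as root after the update; a process listed here is still executing the vulnerable code even though rpm -q shows the fixed version, and a Python process with no such mapping does not appear in the output.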