Lucene search

K
mageiaGentoo FoundationMGASA-2015-0165
HistoryApr 24, 2015 - 12:14 a.m.

Updated lftp packages fix CVE-2014-0139

2015-04-2400:14:25
Gentoo Foundation
advisories.mageia.org
23

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS

0.002

Percentile

57.0%

Updated lftp packages fix security vulnerability: lftp incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site (CVE-2014-0139). lftp was affected by this issue as it uses code from cURL for checking SSL certificates. The curl package was fixed in MGASA-2014-0153.

OSVersionArchitecturePackageVersionFilename
Mageia4noarchlftp< 4.4.14-1.1lftp-4.4.14-1.1.mga4

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS

0.002

Percentile

57.0%