Bug 868629 - (CVE-2014-0139) VUL-0: CVE-2014-0139: curl: IP address wildcard certificate validation
(CVE-2014-0139)
VUL-0: CVE-2014-0139: curl: IP address wildcard certificate validation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle10-sp3:57019 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-17 08:24 UTC by Marcus Meissner
Modified: 2018-10-19 18:22 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Swamp Workflow Management 2014-03-17 23:00:30 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-03-26 10:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (868629) was mentioned in
https://build.opensuse.org/request/show/227556 13.1+12.3 / curl
Comment 4 Bernhard Wiedemann 2014-03-26 11:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (868629) was mentioned in
https://build.opensuse.org/request/show/227560 13.1+12.3 / curl
Comment 5 Bernhard Wiedemann 2014-04-10 13:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (868629) was mentioned in
https://build.opensuse.org/request/show/229615 13.1+12.3 / curl
Comment 8 Swamp Workflow Management 2014-04-11 14:04:36 UTC
openSUSE-RU-2014:0514-1: An update that fixes two vulnerabilities is now available.

Category: recommended (moderate)
Bug References: 868627,868629
CVE References: CVE-2014-0138,CVE-2014-0139
Sources used:
openSUSE 13.1 (src):    curl-7.32.0-2.16.1
openSUSE 12.3 (src):    curl-7.28.1-4.33.1
Comment 12 Alexander Bergmann 2014-04-14 15:56:32 UTC
CVE-2014-0139 is Public:

libcurl IP address wildcard certificate validation
==================================================
 
Project cURL Security Advisory, Match 26th 2014
http://curl.haxx.se/docs/security.html
 
1. VULNERABILITY
 
  libcurl incorrectly validates wildcard SSL certificates containing literal
  IP addresses.
 
  RFC 2818 covers the requirements for matching Common Names (CNs) and
  subjectAltNames in order to establish valid SSL connections. It first
  discusses CNs that are for hostnames, and the rules for wildcards in this
  case. The next paragraph in the RFC then discusses CNs that are IP
  addresses:
 
  'In some cases, the URI is specified as an IP address rather than a
  hostname. In this case, the iPAddress subjectAltName must be present in the
  certificate and must exactly match the IP in the URI.'
 
  The intention of the RFC is clear in that you should not be able to use
  wildcards with IP addresses (in order to avoid the ability to perform
  man-in-the-middle attacks). Unfortunately libcurl fails to adhere to this
  rule under certain conditions, and subsequently it would allow and use a
  wildcard match specified in the CN field.
 
  Exploiting this flaw, a malicious server could participate in a MITM attack
  or just easier fool users that it is a legitimate site for whatever purpose,
  when it actually isn't.
 
  A good CA should refuse to issue a certificate with the CN as indicated,
  however there only need be one CA to issue one in error for this issue to
  result in the user getting no warning at all and being vulnerable to MITM.
 
  This flaw is only present in libcurl when built to use one out of a few
  specific TLS libraries: OpenSSL, axtls, qsossl or gskit.
 
  This problem is similar to the one previously reported by Richard Moore,
  found in multiple browsers [1].
 
  The Common Vulnerabilities and Exposures (CVE) project has assigned the name
  CVE-2014-0139 to this issue.
 
2. AFFECTED VERSIONS
 
  This flaw has existed ever since libcurl started to support SSL or TLS with
  OpenSSL
 
  Affected versions: from libcurl 7.1 to and including 7.35.0
  Not affected versions: libcurl >= 7.36.0
 
  libcurl is used by many applications, but not always advertised as such!
 
3. THE SOLUTION
 
  libcurl 7.36.0 has an improved host name verification function that rejects
  wild card matching against IP addresses.
 
  A patch for this problem is available at:
 
    http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch
 
4. RECOMMENDATIONS
 
  We suggest you take one of the following actions immediately, in order of
  preference:
 
  A - Upgrade to curl and libcurl 7.36.0
 
  B - Apply the patch and rebuild libcurl
 
  C - Build libcurl to use a different TLS backend
 
5. TIME LINE
 
  It was reported to the curl project on February 22nd 2014. We contacted
  distros@openwall on March 16th 2014.
 
  libcurl 7.36.0 was released on March 26th 2014, coordinated with the
  publication of this advisory.
 
 
6. CREDITS
 
  Problem reported and patiently explained to us by Richard Moore from
  Westpoint Ltd. Patch written by Daniel Stenberg.
 
  Thanks a lot!
 
  [1] = http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
Comment 13 SMASH SMASH 2014-04-14 16:05:11 UTC
Affected packages:

SLE-9-SP3-TERADATA: curl
SLE-10-SP3-TERADATA: curl
SLE-11-SP1: curl
SLE-11-SP3: curl
Comment 14 Swamp Workflow Management 2014-04-14 16:06:23 UTC
The SWAMPID for this issue is 57016.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-28.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 16 Swamp Workflow Management 2014-04-15 20:04:30 UTC
openSUSE-SU-2014:0530-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 868627,868629
CVE References: CVE-2014-0138,CVE-2014-0139,CVE-2014-138,CVE-2014-139
Sources used:
openSUSE 11.4 (src):    curl-7.21.2-45.1
Comment 17 Swamp Workflow Management 2014-04-25 01:06:30 UTC
SUSE-OU-2014:0571-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: optional (low)
Bug References: 843697,861014,862623,864912,868627,868629,870444
CVE References: CVE-2014-0138,CVE-2014-0139
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    openldap2-2.4.26-0.28.5, openldap2-client-2.4.26-0.28.5
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    openldap2-2.4.26-0.28.5, openldap2-client-2.4.26-0.28.5
SUSE Linux Enterprise Server 11 SP3 (src):    openldap2-2.4.26-0.28.5, openldap2-client-2.4.26-0.28.5
SUSE Linux Enterprise Security Module 11 SP3 (src):    curl-openssl1-7.19.7-0.38.1, cyrus-sasl-openssl1-2.1.22-0.27.6, openldap2-client-openssl1-2.4.26-0.28.8
SUSE Linux Enterprise Desktop 11 SP3 (src):    openldap2-client-2.4.26-0.28.5
Comment 18 Swamp Workflow Management 2014-05-02 13:07:15 UTC
openSUSE-SU-2014:0598-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 868627,868629
CVE References: CVE-2014-0138,CVE-2014-0139
Sources used:
openSUSE 13.1 (src):    curl-7.32.0-2.23.1
openSUSE 12.3 (src):    curl-7.28.1-4.39.1
Comment 19 Marcus Meissner 2014-05-20 16:32:29 UTC
released
Comment 20 Swamp Workflow Management 2014-05-20 19:04:24 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 21 Swamp Workflow Management 2014-05-20 19:04:48 UTC
Update released for: curl, curl-devel
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 22 Swamp Workflow Management 2014-05-20 19:05:11 UTC
Update released for: compat-curl2, compat-curl2-debuginfo
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 23 Swamp Workflow Management 2014-05-20 19:05:53 UTC
Update released for: curl, curl-debuginfo, curl-devel
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 24 Swamp Workflow Management 2014-05-21 01:50:55 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit, libcurl4-64bit, libcurl4-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 25 Swamp Workflow Management 2014-05-21 05:05:11 UTC
SUSE-SU-2014:0691-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 868627,868629,870444
CVE References: CVE-2014-0138,CVE-2014-0139
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    curl-7.19.7-1.38.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    curl-7.19.7-1.38.1
SUSE Linux Enterprise Server 11 SP3 (src):    curl-7.19.7-1.38.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    curl-7.19.7-1.38.1