Summary
The remote host is missing an update to curl
announced via advisory DSA 1869-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201869-1
Insight
It was discovered that curl, a client and library to get files from servers using HTTP, HTTPS or FTP, is vulnerable to the Null Prefix Attacks Against SSL/TLS Certificates recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field.
For the oldstable distribution (etch), this problem has been fixed in version 7.15.5-1etch3.
For the stable distribution (lenny), this problem has been fixed in version 7.18.2-8lenny3.
For the testing (squeeze) and unstable (sid) distribution, this problem will be fixed soon.
We recommend that you upgrade your curl packages.
Severity
Classification
-
CVE CVE-2009-2417 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities