Upstream information

CVE-2014-3504 at MITRE

Description

The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 do not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
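The defect described above is a length-versus-terminator mismatch: a CN is a length-prefixed ASN.1 string, but code that hands the raw buffer to a C string routine stops at the first NUL byte. The added example below (not serf's or OpenSSL's code; the asn1_cn_t type and the example.com hostnames are constructed for illustration) places that vulnerable comparison beside a hardened one that rejects any CN containing a NUL and compares by declared length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a CN as it arrives from an X.509 parser:
 * a byte buffer plus an explicit length, with no promise that the buffer
 * is NUL-free. (Hypothetical type; not serf's or OpenSSL's own.) */
typedef struct {
    const unsigned char *data;
    size_t len;
} asn1_cn_t;

/* Vulnerable pattern described by the advisory: the buffer is treated as a
 * C string, so strcmp stops at the first NUL and ignores the remainder. */
bool cn_matches_vulnerable(const asn1_cn_t *cn, const char *hostname)
{
    return strcmp((const char *)cn->data, hostname) == 0;
}

/* Hardened check: a CN containing a NUL byte is rejected outright, and the
 * comparison uses the ASN.1 length rather than a terminator search. */
bool cn_matches_hardened(const asn1_cn_t *cn, const char *hostname)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;                       /* embedded NUL: treat as invalid */
    if (strlen(hostname) != cn->len)
        return false;                       /* lengths differ: no match */
    return memcmp(cn->data, hostname, cn->len) == 0;
}

/* Constructed sample CNs. sizeof counts the string literal's terminator,
 * which the ASN.1 length does not include, hence the "- 1". */
static const unsigned char crafted_bytes[] = "www.example.com\0.attacker.example";
static const unsigned char benign_bytes[]  = "www.example.com";
const asn1_cn_t crafted_cn = { crafted_bytes, sizeof(crafted_bytes) - 1 };
const asn1_cn_t benign_cn  = { benign_bytes,  sizeof(benign_bytes)  - 1 };

int main(void)
{
    const char *host = "www.example.com";
    printf("crafted CN, vulnerable check: %s\n",
           cn_matches_vulnerable(&crafted_cn, host) ? "accepted" : "rejected");
    printf("crafted CN, hardened check:   %s\n",
           cn_matches_hardened(&crafted_cn, host) ? "accepted" : "rejected");
    printf("benign CN,  hardened check:   %s\n",
           cn_matches_hardened(&benign_cn, host) ? "accepted" : "rejected");
    return 0;
}
```

The same rule applies to subjectAltName dNSName entries, which are also length-prefixed and must be checked the same way.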

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores (National Vulnerability Database)
Base Score: 4
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
Access Vector: Network
Access Complexity: High
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
SUSE Bugzilla entries: 890510 [RESOLVED / FIXED], 890511 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Module for Basesystem 15
  • libserf-1-1 >= 1.3.9-2.31
  • libserf-devel >= 1.3.9-2.31
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 GA libserf-1-1
SUSE Linux Enterprise Software Development Kit 12
  • libserf-1-1 >= 1.3.7-1.37
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 GA libserf-1-1
SUSE Linux Enterprise Software Development Kit 12 SP1
  • libserf-1-1 >= 1.3.7-1.37
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 SP1 GA libserf-1-1
SUSE Linux Enterprise Software Development Kit 12 SP2
  • libserf-1-1 >= 1.3.7-1.8
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 SP2 GA libserf-1-1
SUSE Linux Enterprise Software Development Kit 12 SP3
  • libserf-1-1 >= 1.3.7-1.8
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 SP3 GA libserf-1-1
openSUSE 13.1
  • libserf >= 1.3.7-16.1
  • libserf-1-1 >= 1.3.7-16.1
  • libserf-1-1-debuginfo >= 1.3.7-16.1
  • libserf-debugsource >= 1.3.7-16.1
  • libserf-devel >= 1.3.7-16.1
  • libsvn_auth_gnome_keyring-1-0 >= 1.8.10-2.29.1
  • libsvn_auth_gnome_keyring-1-0-debuginfo >= 1.8.10-2.29.1
  • libsvn_auth_kwallet-1-0 >= 1.8.10-2.29.1
  • libsvn_auth_kwallet-1-0-debuginfo >= 1.8.10-2.29.1
  • subversion >= 1.8.10-2.29.1
  • subversion-bash-completion >= 1.8.10-2.29.1
  • subversion-debuginfo >= 1.8.10-2.29.1
  • subversion-debugsource >= 1.8.10-2.29.1
  • subversion-devel >= 1.8.10-2.29.1
  • subversion-perl >= 1.8.10-2.29.1
  • subversion-perl-debuginfo >= 1.8.10-2.29.1
  • subversion-python >= 1.8.10-2.29.1
  • subversion-python-debuginfo >= 1.8.10-2.29.1
  • subversion-ruby >= 1.8.10-2.29.1
  • subversion-ruby-debuginfo >= 1.8.10-2.29.1
  • subversion-server >= 1.8.10-2.29.1
  • subversion-server-debuginfo >= 1.8.10-2.29.1
  • subversion-tools >= 1.8.10-2.29.1
  • subversion-tools-debuginfo >= 1.8.10-2.29.1
Patchnames:
openSUSE-2014-511
openSUSE Leap 42.1
  • libserf-1-1 >= 1.3.8-4.2
Patchnames:
openSUSE Leap 42.1 GA libserf-1-1
openSUSE Leap 42.2
  • libserf-1-1 >= 1.3.8-5.5
  • libserf-devel >= 1.3.8-5.5
Patchnames:
openSUSE Leap 42.2 GA libserf-1-1
openSUSE Leap 42.3
  • libserf-1-1 >= 1.3.9-1.1
  • libserf-devel >= 1.3.9-1.1
Patchnames:
openSUSE Leap 42.3 GA libserf-1-1
openSUSE Tumbleweed
  • libserf-1-1 >= 1.3.9-1.2
  • libserf-devel >= 1.3.9-1.2
Patchnames:
openSUSE Tumbleweed GA libserf-1-1