ID
VAR-201402-0402
CVE
CVE-2014-1263
TITLE
Apple Mac OS X of curl Vulnerable to server impersonation
Trust: 0.8
DESCRIPTION
curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect ATS, CFNetwork Cookies, CoreAnimation, CoreText, Date and Time, curl, QuickTime, QuickLook, Finder, and File Bookmark components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X versions prior to 10.9.2. The vulnerability is caused by using curl to connect to an HTTPS URL containing an IP address that cannot be verified by the certificate. An attacker in a privileged network position could intercept user credentials or other sensitive information. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] curl (SSA:2014-086-01) New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/curl-7.36.0-i486-1_slack14.1.txz: Upgraded. This update fixes four security issues. For more information, see: http://curl.haxx.se/docs/adv_20140326A.html http://curl.haxx.se/docs/adv_20140326B.html http://curl.haxx.se/docs/adv_20140326C.html http://curl.haxx.se/docs/adv_20140326D.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1263 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2522 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/curl-7.36.0-i486-1_slack13.0.txz Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/curl-7.36.0-x86_64-1_slack13.0.txz Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/curl-7.36.0-i486-1_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/curl-7.36.0-x86_64-1_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/curl-7.36.0-i486-1_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/curl-7.36.0-x86_64-1_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/curl-7.36.0-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/curl-7.36.0-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/curl-7.36.0-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/curl-7.36.0-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/curl-7.36.0-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/curl-7.36.0-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.0 package: f2bfd8ac585b27cecc518de2b33412c2 curl-7.36.0-i486-1_slack13.0.txz Slackware x86_64 13.0 package: 0f8dc655f260987c8d78d5bea833d8f7 curl-7.36.0-x86_64-1_slack13.0.txz Slackware 13.1 package: 7cf1f0ea7dedff527946299e7236e77e curl-7.36.0-i486-1_slack13.1.txz Slackware x86_64 13.1 package: 177375acc8683037988a13a398f1a29e curl-7.36.0-x86_64-1_slack13.1.txz Slackware 13.37 package: 606c382d315b1067ef1fd3b7845bb9e6 curl-7.36.0-i486-1_slack13.37.txz Slackware x86_64 13.37 package: 8ec5e086ae682d778a5c2c986dd79906 curl-7.36.0-x86_64-1_slack13.37.txz Slackware 14.0 package: dd7126a5f92f7f94df9115ffcdb40012 curl-7.36.0-i486-1_slack14.0.txz Slackware x86_64 14.0 package: a8e496fec60861ce499a349343073468 curl-7.36.0-x86_64-1_slack14.0.txz Slackware 14.1 package: 2bbd15ebfb4c4b97c5a0d9962e9b1e5d curl-7.36.0-i486-1_slack14.1.txz Slackware x86_64 14.1 package: c8dc094b835d8c34a9637abd84b3c89b curl-7.36.0-x86_64-1_slack14.1.txz Slackware -current package: 06673155a798e92a4b2cdc5a52dba87f n/curl-7.36.0-i486-1.txz Slackware x86_64 -current package: a52032963ab98107a50675b4f212481b n/curl-7.36.0-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg curl-7.36.0-i486-1_slack14.1.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlM176AACgkQakRjwEAQIjOcAACeOQryVvuABStufS/APbJg03IP v8YAn3/+kqsJ9+Di3VLAO9jvwb+jDIKY =rbfp -----END PGP SIGNATURE-----
Trust: 2.07
AFFECTED PRODUCTS
| vendor: | apple | model: | mac os x | scope: | eq | version: | 10.9 | Trust: 1.6 |
| vendor: | apple | model: | mac os x | scope: | lte | version: | 10.9.1 | Trust: 1.0 |
| vendor: | apple | model: | mac os x | scope: | eq | version: | v10.9 | Trust: 0.8 |
| vendor: | apple | model: | mac os x | scope: | eq | version: | v10.9.1 | Trust: 0.8 |
| vendor: | apple | model: | mac os x | scope: | eq | version: | 10.9.1 | Trust: 0.6 |
| vendor: | slackware | model: | linux | scope: | eq | version: | 13.37 | Trust: 0.3 |
| vendor: | slackware | model: | linux | scope: | eq | version: | 13.1 | Trust: 0.3 |
| vendor: | slackware | model: | linux | scope: | eq | version: | 13.0 | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-310 | Trust: 1.9 |
THREAT TYPE
remote
Trust: 0.6
TYPE
encryption problem
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | APPLE-SA-2014-02-25-1 | url: | http://lists.apple.com/archives/security-announce/2014/Feb/msg00000.html | Trust: 0.8 |
| title: | HT6150 | url: | http://support.apple.com/kb/HT6150 | Trust: 0.8 |
| title: | HT6150 | url: | http://support.apple.com/kb/HT6150?viewlocale=ja_JP | Trust: 0.8 |
| title: | Enterprise Chef 1.4.9 Release | url: | http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/ | Trust: 0.8 |
| title: | Enterprise Chef 11.1.3 Release | url: | http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ | Trust: 0.8 |
| title: | Chef Server 11.0.12 Release | url: | http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ | Trust: 0.8 |
| title: | libcurl not verifying certs for TLS to IP address / Darwinssl | url: | http://curl.haxx.se/docs/adv_20140326C.html | Trust: 0.8 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2014-1263 | Trust: 2.9 |
| db: | SECUNIA | id: | 57836 | Trust: 1.1 |
| db: | SECUNIA | id: | 57968 | Trust: 1.1 |
| db: | SECUNIA | id: | 57966 | Trust: 1.1 |
| db: | JVN | id: | JVNVU95868425 | Trust: 0.8 |
| db: | JVNDB | id: | JVNDB-2014-001489 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-201402-454 | Trust: 0.7 |
| db: | BID | id: | 65777 | Trust: 0.3 |
| db: | VULHUB | id: | VHN-69202 | Trust: 0.1 |
| db: | PACKETSTORM | id: | 125935 | Trust: 0.1 |
REFERENCES
| url: | http://support.apple.com/kb/ht6150 | Trust: 1.7 |
| url: | http://twitter.com/agl__/statuses/437029812046422016 | Trust: 1.7 |
| url: | http://twitter.com/okoeroo/statuses/437272014043496449 | Trust: 1.7 |
| url: | https://gist.github.com/rmoriz/fb2b0a6a0ce10550ab73 | Trust: 1.7 |
| url: | http://curl.haxx.se/docs/adv_20140326c.html | Trust: 1.2 |
| url: | http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ | Trust: 1.1 |
| url: | http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/ | Trust: 1.1 |
| url: | http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ | Trust: 1.1 |
| url: | http://secunia.com/advisories/57836 | Trust: 1.1 |
| url: | http://secunia.com/advisories/57966 | Trust: 1.1 |
| url: | http://secunia.com/advisories/57968 | Trust: 1.1 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1263 | Trust: 0.9 |
| url: | http://jvn.jp/vu/jvnvu95868425/ | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1263 | Trust: 0.8 |
| url: | http://www.apple.com/macosx/ | Trust: 0.3 |
| url: | http://curl.haxx.se/docs/adv_20140326a.html | Trust: 0.1 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2522 | Trust: 0.1 |
| url: | http://curl.haxx.se/docs/adv_20140326d.html | Trust: 0.1 |
| url: | http://slackware.com | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-0138 | Trust: 0.1 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0139 | Trust: 0.1 |
| url: | http://osuosl.org) | Trust: 0.1 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0138 | Trust: 0.1 |
| url: | http://slackware.com/gpg-key | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-1263 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-0139 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-2522 | Trust: 0.1 |
| url: | http://curl.haxx.se/docs/adv_20140326b.html | Trust: 0.1 |
CREDITS
Roland Moriz of Moriz GmbH, Felix Groebert of the Google Security Team, Meder Kydyraliev of the Google Security Team, Rob Ansaldo of Amherst College, Graham Bennett Karl Smith of NCC Group, Apple, Lucas Apa and Carlos Mario Penagos of IOActive Labs, Tom Ga
Trust: 0.3
SOURCES
| db: | VULHUB | id: | VHN-69202 |
| db: | BID | id: | 65777 |
| db: | JVNDB | id: | JVNDB-2014-001489 |
| db: | PACKETSTORM | id: | 125935 |
| db: | CNNVD | id: | CNNVD-201402-454 |
| db: | NVD | id: | CVE-2014-1263 |
LAST UPDATE DATE
2025-04-13T21:21:40.576000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-69202 | date: | 2014-05-05T00:00:00 |
| db: | BID | id: | 65777 | date: | 2014-04-17T00:49:00 |
| db: | JVNDB | id: | JVNDB-2014-001489 | date: | 2014-05-14T00:00:00 |
| db: | CNNVD | id: | CNNVD-201402-454 | date: | 2014-06-17T00:00:00 |
| db: | NVD | id: | CVE-2014-1263 | date: | 2025-04-12T10:46:40.837 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-69202 | date: | 2014-02-27T00:00:00 |
| db: | BID | id: | 65777 | date: | 2014-02-25T00:00:00 |
| db: | JVNDB | id: | JVNDB-2014-001489 | date: | 2014-02-28T00:00:00 |
| db: | PACKETSTORM | id: | 125935 | date: | 2014-03-29T12:12:00 |
| db: | CNNVD | id: | CNNVD-201402-454 | date: | 2014-02-28T00:00:00 |
| db: | NVD | id: | CVE-2014-1263 | date: | 2014-02-27T01:55:04.070 |