{"id":"MGASA-2015-0165","summary":"Updated lftp packages fix CVE-2014-0139","details":"Updated lftp packages fix security vulnerability:\n\nlftp incorrectly validates wildcard SSL certificates containing literal\nIP addresses, so under certain conditions, it would allow and use a wildcard\nmatch specified in the CN field, allowing a malicious server to participate\nin a MITM attack or just fool users into believing that it is a legitimate\nsite (CVE-2014-0139).\n\nlftp was affected by this issue as it uses code from cURL for checking SSL\ncertificates.  The curl package was fixed in MGASA-2014-0153.\n","modified":"2026-04-16T06:25:09.782161920Z","published":"2015-04-23T21:14:25Z","upstream":["CVE-2014-0139"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0165.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=15716"},{"type":"ADVISORY","url":"http://advisories.mageia.org/MGASA-2014-0153.html"},{"type":"WEB","url":"http://lftp.yar.ru/news.html"}],"affected":[{"package":{"name":"lftp","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/lftp?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.4.14-1.1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0165.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}