CVE-2009-2417

Name	CVE-2009-2417
Description	lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1869-1
Debian Bugs	541991

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
curl (PTS)	jessie, jessie (lts)	7.38.0-4+deb8u28	fixed
	stretch (security)	7.52.1-5+deb9u16	fixed
	stretch (lts), stretch	7.52.1-5+deb9u22	fixed
	buster, buster (lts)	7.64.0-4+deb10u10	fixed
	buster (security)	7.64.0-4+deb10u9	fixed
	bullseye	7.74.0-1.3+deb11u13	fixed
	bullseye (security)	7.74.0-1.3+deb11u14	fixed
	bookworm	7.88.1-10+deb12u8	fixed
	bookworm (security)	7.88.1-10+deb12u5	fixed
	sid, trixie	8.11.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
curl	source	etch	7.15.5-1etch3		DSA-1869-1
curl	source	lenny	7.18.2-8lenny3		DSA-1869-1
curl	source	(unstable)	7.19.5-1.1	medium		541991