This script is Copyright (C) 2014 Tenable Network Security, Inc.
The remote FreeBSD host is missing a security-related update.
serf Development list reports :
Serf provides APIs to retrieve information about a certificate. These
APIs return the information as NUL terminated strings (commonly called
C strings). X.509 uses counted length strings which may include a NUL
byte. This means that a library user will interpret any information as
ending upon seeing this NUL byte and will only see a partial value for
Attackers could exploit this vulnerability to create a certificate
that a client will accept for a different hostname than the full
certificate is actually for by embedding a NUL byte in the
This can lead to a man-in-the-middle attack. There are no known
instances of this problem being exploited in the wild and in practice
it should be difficult to actually exploit this vulnerability.
Update the affected package.
Risk factor :
Medium / CVSS Base Score : 4.0