Mandriva Linux Security Advisory : lftp (MDVSA-2015:213)
Medium Nessus Plugin ID 83155
Synopsis
The remote Mandriva Linux host is missing one or more security updates.
Description
Updated lftp packages fix a security vulnerability:
lftp incorrectly validates wildcard SSL certificates containing literal IP addresses: under certain conditions it accepts and uses a wildcard match specified in the CN field, allowing a malicious server to take part in a MITM attack or simply to fool users into believing that it is a legitimate site (CVE-2014-0139).
lftp was affected by this issue as it uses code from cURL for checking SSL certificates. The curl package was fixed in MDVSA-2015:098.
Solution
Update the affected lftp, lib64lftp-devel and/or lib64lftp0 packages.
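The certificate-name check from the Description, as an added example (not lftp or cURL code): a wildcard matcher shown once without and once with the refusal of wildcard matches for IP-literal hosts. All function names are hypothetical, and the addresses in the test values come from the 192.0.2.0/24 documentation range.

```c
/* Added illustration; names are hypothetical, not taken from lftp or cURL. */
#include <sys/socket.h>
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if host parses as an IPv4 or IPv6 literal. */
static int is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Core matcher. A wildcard is honoured only as the whole left-most label
 * ("*.") and only when at least two labels follow it. With
 * reject_ip_wildcard set, an IP-literal host can match only exactly. */
static int name_match(const char *pattern, const char *host,
                      int reject_ip_wildcard)
{
    const char *pat_rest, *host_rest;

    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (strcasecmp(pattern, host) == 0)
        return 1;                       /* exact match, valid for IPs too */
    if (strncmp(pattern, "*.", 2) != 0)
        return 0;                       /* no supported wildcard form */
    if (reject_ip_wildcard && is_ip_literal(host))
        return 0;                       /* "*.0.2.10" must not cover an IP */
    pat_rest = pattern + 1;             /* e.g. ".example.com" */
    if (strchr(pat_rest + 1, '.') == NULL)
        return 0;                       /* reject "*.com" style patterns */
    host_rest = strchr(host, '.');
    if (!host_rest || host_rest == host)
        return 0;                       /* host needs a non-empty first label */
    return strcasecmp(pat_rest, host_rest) == 0;
}

/* Behaviour described in the advisory: the IP-literal check is missing. */
int cert_name_matches_flawed(const char *pattern, const char *host)
{
    return name_match(pattern, host, 0);
}

/* Corrected behaviour: wildcards never apply to IP-literal hosts. */
int cert_name_matches(const char *pattern, const char *host)
{
    return name_match(pattern, host, 1);
}
```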