CVE-2014-3522 Information
Description
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
Reference
http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html
http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html
http://secunia.com/advisories/59432
http://secunia.com/advisories/59584
http://secunia.com/advisories/60100
http://secunia.com/advisories/60722
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.osvdb.org/109996
http://www.securityfocus.com/bid/69237
http://www.ubuntu.com/usn/USN-2316-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/95090
https://exchange.xforce.ibmcloud.com/vulnerabilities/95311
https://security.gentoo.org/glsa/201610-05
https://subversion.apache.org/security/CVE-2014-3522-advisory.txt
https://support.apple.com/HT204427