CVE-2013-4545

Priority
Medium
Description
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables
the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST)
when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is
disabled, which allows man-in-the-middle attackers to spoof SSL servers via
an arbitrary valid certificate.
References
Notes
mdeslaur> GnuTLS backend also appears to be affected. Sent mail to
mdeslaur> curl-library list.
Assigned-to
mdeslaur
Package
Source: curl (LP Ubuntu Debian)
Upstream:released (7.33.0-1)
Ubuntu 10.04 LTS (Lucid Lynx):released (7.19.7-1ubuntu1.4)
Ubuntu 12.04 LTS (Precise Pangolin):released (7.22.0-3ubuntu4.4)
Ubuntu 12.10 (Quantal Quetzal):released (7.27.0-1ubuntu1.5)
Ubuntu 13.04 (Raring Ringtail):released (7.29.0-1ubuntu3.3)
Ubuntu 13.10 (Saucy Salamander):released (7.32.0-1ubuntu1.1)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (7.33.0-1ubuntu1)
Patches:
Upstream:https://github.com/bagder/curl/commit/3c3622b6
More Information

Valid XHTML 1.0 Strict

Updated: 2013-12-05 19:14:31 UTC (commit 7520)