CVE-2013-6422

Publication date 17 December 2013

Last updated 24 July 2024

Ubuntu priority

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
curl	13.10 saucy	Fixed 7.32.0-1ubuntu1.2
	13.04 raring	Fixed 7.29.0-1ubuntu3.4
	12.10 quantal	Fixed 7.27.0-1ubuntu1.7
	12.04 LTS precise	Fixed 7.22.0-3ubuntu4.6
	10.04 LTS lucid	Not affected

How can I get the fixes?
What do statuses mean?

Notes

seth-arnold

Similar to but different from CVE-2013-4545

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2058-1
curl vulnerability
18 December 2013

Other references

http://curl.haxx.se/docs/adv_20131217.html
https://www.cve.org/CVERecord?id=CVE-2013-6422