CVE-2013-6422

Priority
Medium
Description
The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when the application
disables certificate chain verification (CURLOPT_SSL_VERIFYPEER set to 0),
also silently disables the CURLOPT_SSL_VERIFYHOST check of the certificate's
CN and SAN host name fields, even though the application left that check
enabled. This makes it easier for remote attackers to spoof servers and
conduct man-in-the-middle (MITM) attacks. Fixed upstream in curl 7.34.0.
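The combination the advisory describes is CURLOPT_SSL_VERIFYPEER off with CURLOPT_SSL_VERIFYHOST still on, on a GnuTLS-backed libcurl in the affected range. The script below is an added example, not part of the tracker page or of curl itself: it reads the first line of `curl --version` (the same string curl_version() returns), decides whether the build falls in the CVE-2013-6422 window, and models whether a given VERIFYPEER/VERIFYHOST pair still gets a host name check on that build. The sample banners are constructed, and the function names are this example's own.

```python
"""Added example for CVE-2013-6422: classify a curl build from its version
banner and model whether the host name check survives a given option pair."""
import re

FIRST_AFFECTED = (7, 21, 4)   # first upstream release in the advisory's range
LAST_AFFECTED = (7, 33, 0)    # last affected release; 7.34.0 carries the fix

# Constructed banners in the shape of `curl --version` line one (also what
# curl_version() returns). They were not captured from real hosts.
SAMPLE_BANNERS = {
    "gnutls_in_range": "curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 GnuTLS/2.12.23 zlib/1.2.7 libidn/1.25",
    "openssl_in_range": "curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.1e zlib/1.2.7 libidn/1.25",
    "gnutls_fixed": "curl 7.34.0 (x86_64-pc-linux-gnu) libcurl/7.34.0 GnuTLS/3.2.7 zlib/1.2.8",
    "gnutls_too_old": "curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 GnuTLS/2.8.5 zlib/1.2.3.3",
}

# libcurl/<version>, optionally followed by the TLS library token, which curl
# prints immediately after libcurl/ when one is compiled in.
BANNER_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)(?:\s+([A-Za-z]+)/[\w.]+)?")


def parse_banner(banner):
    """Return (libcurl version tuple, backend token after libcurl/ or None)."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError("no libcurl/<version> token in banner: %r" % banner)
    version = tuple(int(m.group(i)) for i in (1, 2, 3))
    return version, m.group(4)


def in_cve_window(banner):
    """True when backend and upstream version match the advisory.

    Caveat: distributions backport fixes without bumping the upstream version
    (this page lists 7.22.0-3ubuntu4.6 as fixed on 12.04), so True means
    "check the package changelog", not "definitely vulnerable"."""
    version, backend = parse_banner(banner)
    return backend == "GnuTLS" and FIRST_AFFECTED <= version <= LAST_AFFECTED


def hostname_check_effective(banner, verifypeer, verifyhost):
    """Model of the behaviour the advisory describes.

    verifypeer and verifyhost are the values an application would pass to
    CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST (0 disables; VERIFYHOST
    uses 2 for a full check). Returns True when the CN/SAN host name check
    actually runs on this build, False when it was requested but the affected
    GnuTLS backend skips it, or when it was never requested."""
    if verifyhost == 0:
        return False          # application did not ask for a host name check
    if verifypeer:
        return True           # chain verification on: host check is unaffected
    # VERIFYPEER off, VERIFYHOST on: exactly the pair the CVE is about
    return not in_cve_window(banner)


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        version, backend = parse_banner(banner)
        effective = hostname_check_effective(banner, verifypeer=0, verifyhost=2)
        print("%-18s libcurl %d.%d.%d %-8s window=%-5s VERIFYPEER=0/VERIFYHOST=2 host check runs=%s"
              % (label, version[0], version[1], version[2], backend,
                 in_cve_window(banner), effective))
```

To use it against a real machine, feed the first line of `curl --version` to `in_cve_window`; a hit on an Ubuntu host should then be compared with the fixed package versions in the table below, since the package version, not the upstream banner, tells you whether the distro fix is present.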
References
Notes
sarnold> Similar to but different from CVE-2013-4545
Assigned-to
mdeslaur
Package
Source: curl (LP Ubuntu Debian)
Upstream: pending (7.34.0-1)
Ubuntu 10.04 LTS (Lucid Lynx): not-affected (7.19.7-1ubuntu1.3)
Ubuntu 12.04 LTS (Precise Pangolin): released (7.22.0-3ubuntu4.6)
Ubuntu 12.10 (Quantal Quetzal): released (7.27.0-1ubuntu1.7)
Ubuntu 13.04 (Raring Ringtail): released (7.29.0-1ubuntu3.4)
Ubuntu 13.10 (Saucy Salamander): released (7.32.0-1ubuntu1.2)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (7.34.0-1ubuntu1)
Updated: 2014-01-08 15:14:45 UTC (commit 7610)