PublicDateAtUSN: 2013-11-23
Candidate: CVE-2013-4545
PublicDate: 2013-11-23 11:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545
 http://curl.haxx.se/mail/lib-2013-10/0002.html
 http://curl.haxx.se/docs/adv_20131115.html
 http://www.debian.org/security/2013/dsa-2798
 https://ubuntu.com/security/notices/USN-2048-1
Description:
 cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables
 the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST)
 when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is
 disabled, which allows man-in-the-middle attackers to spoof SSL servers via
 an arbitrary valid certificate.
Ubuntu-Description:
Notes:
 mdeslaur> GnuTLS backend also appears to be affected. Sent mail to
 mdeslaur> curl-library list.
Bugs:
Priority: medium
Discovered-by: Scott Cantor
Assigned-to: mdeslaur
CVSS: 

Patches_curl:
 upstream: https://github.com/bagder/curl/commit/3c3622b6
upstream_curl: released (7.33.0-1)
lucid_curl: released (7.19.7-1ubuntu1.4)
precise_curl: released (7.22.0-3ubuntu4.4)
quantal_curl: released (7.27.0-1ubuntu1.5)
raring_curl: released (7.29.0-1ubuntu3.3)
saucy_curl: released (7.32.0-1ubuntu1.1)
devel_curl: not-affected (7.33.0-1ubuntu1)