Your message dated Thu, 28 Nov 2013 21:49:06 +0000
with message-id <[email protected]>
and subject line Bug#729965: fixed in curl 7.26.0-1+wheezy6
has caused the Debian Bug report #729965,
regarding libcurl3 7.21.0-2.1+squeeze5 --insecure regression
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
729965: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729965
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcurl3
Version: 7.21.0-2.1+squeeze5
Severity: important


Hi, I believe I've found a regression in the recent libcurl3 DSA update.  
Basically, it doesn't seem to be respecting the --insecure option in all 
cases.

This now fails:

# aptitude -PV install libcurl3=7.21.0-2.1+squeeze5
# curl -s -S --insecure https://backend-host-that-does-not-match-service-name > /dev/null
curl: (51) SSL peer certificate or SSH remote key was not OK

But this succeeds:

# aptitude -PV install libcurl3=7.21.0-2.1+squeeze4
# curl -s -S --insecure https://backend-host-that-does-not-match-service-name > /dev/null


Unfortunately, I haven't found a good test case for it at publicly 
accessible internet sites.  For instance, these still work as expected:

# curl -s -S --insecure https://74.125.225.40 > /dev/null
# curl -s -S https://74.125.225.40 > /dev/null
curl: (51) SSL: certificate subject name '*.google.com' does not match target host name '74.125.225.40'

So, I guess poke me offline if you need some extra details to help track 
this down.

I'll also note that wheezy versions don't seem to have this issue.

Thanks,
Brian

-- System Information:
Debian Release: 6.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcurl3 depends on:
ii  ca-certificates    20090814+nmu3squeeze1 Common CA certificates
ii  libc6              2.11.3-4              Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze7  MIT Kerberos runtime libraries - k
ii  libidn11           1.15-2                GNU Libidn library, implementation
ii  libldap-2.4-2      2.4.23-7.3            OpenLDAP libraries
ii  libssh2-1          1.2.6-1               SSH2 client-side library
ii  libssl0.9.8        0.9.8o-4squeeze14     SSL shared libraries
ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime

libcurl3 recommends no packages.

libcurl3 suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.26.0-1+wheezy6

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 19 Nov 2013 17:15:32 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.26.0-1+wheezy6
Distribution: stable-security
Urgency: low
Maintainer: Alessandro Ghedini <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description: 
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 729965
Changes: 
 curl (7.26.0-1+wheezy6) stable-security; urgency=low
 .
   * Disable host verification too when using the --insecure option
     (Closes: #729965)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
