Your message dated Thu, 28 Nov 2013 22:18:17 +0000
with message-id <[email protected]>
and subject line Bug#729965: fixed in curl 7.21.0-2.1+squeeze6
has caused the Debian Bug report #729965,
regarding libcurl3 7.21.0-2.1+squeeze5 --insecure regression
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
729965: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729965
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcurl3
Version: 7.21.0-2.1+squeeze5
Severity: important


Hi, I believe I've found a regression in the recent libcurl3 DSA update.  
Basically, it doesn't seem to be respecting the --insecure option in all 
cases.

This now fails:

# aptitude -PV install libcurl3=7.21.0-2.1+squeeze5
# curl -s -S --insecure https://backend-host-that-does-not-match-service-name > /dev/null
curl: (51) SSL peer certificate or SSH remote key was not OK

But this succeeds:

# aptitude -PV install libcurl3=7.21.0-2.1+squeeze4
# curl -s -S --insecure https://backend-host-that-does-not-match-service-name > /dev/null


Unfortunately, I haven't found a good test case for it at publicly 
accessible internet sites.  For instance, these still work as expected:

# curl -s -S --insecure https://74.125.225.40 > /dev/null
# curl -s -S https://74.125.225.40 > /dev/null
curl: (51) SSL: certificate subject name '*.google.com' does not match target host name '74.125.225.40'

So, I guess poke me offline if you need some extra details to help track 
this down.

I'll also note that wheezy versions don't seem to have this issue.

Thanks,
Brian

-- System Information:
Debian Release: 6.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcurl3 depends on:
ii  ca-certificates    20090814+nmu3squeeze1 Common CA certificates
ii  libc6              2.11.3-4              Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze7  MIT Kerberos runtime libraries - k
ii  libidn11           1.15-2                GNU Libidn library, implementation
ii  libldap-2.4-2      2.4.23-7.3            OpenLDAP libraries
ii  libssh2-1          1.2.6-1               SSH2 client-side library
ii  libssl0.9.8        0.9.8o-4squeeze14     SSL shared libraries
ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime

libcurl3 recommends no packages.

libcurl3 suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.21.0-2.1+squeeze6

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 19 Nov 2013 17:29:46 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.21.0-2.1+squeeze6
Distribution: oldstable-security
Urgency: low
Maintainer: Ramakrishnan Muthukrishnan <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 729965
Changes: 
 curl (7.21.0-2.1+squeeze6) oldstable-security; urgency=low
 .
   * Disable host verification too when using the --insecure option
     (Closes: #729965)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
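
As an added example (not part of the bug report or the curl package), a shell check for the behaviour reported above: it confirms that a URL fails certificate verification without --insecure, then reports whether --insecure is honoured. CURL_BIN is a hypothetical override, and exit code 60 comes from curl's documented exit codes rather than from this thread.

```shell
#!/bin/sh
# Added example, not from the bug report. CURL_BIN is a hypothetical
# override so the check can be pointed at a specific curl build or a stub.

# curl exit codes for failed certificate checks: 51 is the code shown in
# the report; 60 (CA chain not trusted) is from curl's documented exit codes.
is_cert_failure() {
    [ "$1" -eq 51 ] || [ "$1" -eq 60 ]
}

# Run curl against URL ($1) with any extra options; echo curl's exit code.
curl_rc() {
    url=$1; shift
    rc=0
    "${CURL_BIN:-curl}" -s -S "$@" -o /dev/null "$url" 2>/dev/null || rc=$?
    echo "$rc"
}

# Prints one of: ok, regression, inconclusive
check_insecure() {
    strict=$(curl_rc "$1")
    relaxed=$(curl_rc "$1" --insecure)
    if ! is_cert_failure "$strict"; then
        # The certificate verifies, or the host is unreachable: this URL
        # cannot show whether --insecure is honoured.
        echo inconclusive
    elif [ "$relaxed" -eq 0 ]; then
        echo ok
    elif is_cert_failure "$relaxed"; then
        echo regression
    else
        echo inconclusive
    fi
}

# Stand-alone use: sh check.sh https://backend-host
[ "$#" -eq 0 ] || check_insecure "$1"
```

A result of "regression" means curl still rejected the certificate with --insecure set, which is the squeeze5 behaviour described in the report.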
