Fyinfo archivar php dev Am 20.11.2013 23:18 schrieb "Salvatore Bonaccorso" <[email protected]>:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > - ------------------------------------------------------------------------- > Debian Security Advisory DSA-2798-2 [email protected] > http://www.debian.org/security/ Salvatore Bonaccorso > November 20, 2013 http://www.debian.org/security/faq > - ------------------------------------------------------------------------- > > Package : curl > Vulnerability : unchecked ssl certificate host name > Problem type : remote > Debian-specific: no > CVE ID : CVE-2013-4545 > > The update for curl in DSA-2798-1 uncovered a regression affecting the > curl command line tool behaviour (#729965). This update disables host > verification too when using the --insecure option. > > For the oldstable distribution (squeeze), this problem has been fixed in > version 7.21.0-2.1+squeeze6. > > For the stable distribution (wheezy), this problem has been fixed in > version 7.26.0-1+wheezy6. > > For the testing (jessie) and unstable (sid) distributions, the curl > command line tool behaves as expected with the --insecure option. > > For reference the original advisory text follows. > > Scott Cantor discovered that curl, a file retrieval tool, would disable > the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting > was disabled. This would also disable ssl certificate host name checks > when it should have only disabled verification of the certificate trust > chain. > > The default configuration for the curl package is not affected by this > issue since CURLOPT_SSLVERIFYPEER is enabled by default. > > For the oldstable distribution (squeeze), this problem has been fixed in > version 7.21.0-2.1+squeeze5. > > For the stable distribution (wheezy), this problem has been fixed in > version 7.26.0-1+wheezy5. > > For the testing (jessie) and unstable (sid) distributions, this problem > has been fixed in version 7.33.0-1. > > We recommend that you upgrade your curl packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: http://www.debian.org/security/ > > Mailing list: [email protected] > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.15 (GNU/Linux) > > iQIcBAEBCgAGBQJSjTSeAAoJEAVMuPMTQ89E+bMP/jxYqQsDtXJxFvefUBDI4Mki > 3j6l+WsSd+GhEx/Sp7CYpUYmNjfybYZl2MdXeOfyB3czF3saBhpEo4/wXeLEJuQD > PjA52GRvnfE4/pDnAIcHhbkfrI2MSJMU+NUpC2d2Zy2YAgQoeSBftSb91xZ9B1SI > jbuiKNrSgIgcusBSmNFCXb4TdkCVhGi37B7J7NO9rPR6n6yBvX1xsIEJYOGJeMxL > S9OWwbmcwjCdN6feNVK99YgfmEmRGLTpMosAmJSNN4KXa+OSr+g9Y+NHkve+CYy/ > GmKX/MInXaWdcRk4LoyEdQ8idhWdJEdPe7ZEoLttSGnfLUyXBzTVKbK5Ugx6RYM8 > 1NbKYZVGYfQAOwjIbKgGn0F5eQDi+OiXh1JleyLa7y8pvk+7tq6pOKAsa9H2rDsn > nVTVzOs6qIDdjESndLEUNG+JJJpkpB/MOAfdAx4KHKS7GQ+quMg99azUdSmDRFbC > EN8XA8JrC0LOSeUJiiZTdRgOpjlTKgXUHKrr9Z0Ft/U/uWxK9pX5nTcaw/WwI+vQ > Ms7yx0i0WrTvGkTXLHx+JeGrPcvjNxX8muTEq07ZkceDjZIefmZs0J139Xd+OSn1 > M506eYcVgf4WNj8swR0h20S8eTA0BsNxXVOHmn113bwd95GxaTM4pKtANHuKLV3l > Jq399e4/SnX3FWtSPFuK > =v0Ra > -----END PGP SIGNATURE----- > > > -- > To UNSUBSCRIBE, email to [email protected] > with a subject of "unsubscribe". Trouble? Contact > [email protected] > Archive: http://lists.debian.org/[email protected] > >
