*** This bug is a security vulnerability ***

Public security bug reported:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545

From CVE report:
----------
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
----------

From developer: http://curl.haxx.se/docs/adv_20131115.html

Debian security advisory: http://www.debian.org/security/2013/dsa-2798

Patch (same fix as upstream and Debian) against 7.22.0-3ubuntu4.3 (current Precise) attached.

** Affects: curl (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "CVE-2013-4545.patch"
   https://bugs.launchpad.net/bugs/1257872/+attachment/3923282/+files/CVE-2013-4545.patch

** Information type changed from Private Security to Public Security

** Description changed:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545

  From CVE report:
  ----------
- cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
+ cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
  ----------

  From developer: http://curl.haxx.se/docs/adv_20131115.html

  Debian security advisory: http://www.debian.org/security/2013/dsa-2798

- Patch (same fix as upstream and Debian) attached.
+ Patch (same fix as upstream and Debian) against 7.22.0-3ubuntu4.3
+ (current Precise) attached.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1257872

Title:
  CVE-2013-4545 - MitM attack/spoof

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1257872/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
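The notice above concerns libcurl builds in the 7.18.0 through 7.32.0 range that, when linked against OpenSSL, skip hostname verification whenever CURLOPT_SSL_VERIFYPEER is off. As an added triage helper (not part of the bug report or of the curl project), the shell function below parses a `curl --version` banner and flags builds that fall in that range and use the OpenSSL backend; the sample banners are constructed, and since a distro backport such as the Precise patch above does not bump the version string, a hit means "check the package changelog", not confirmed vulnerability.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2013-4545. Reports whether a curl build
# is in the affected range (7.18.0 through 7.32.0) AND linked against OpenSSL.
# A distribution may have backported the fix without changing the version, so
# "affected" means "verify against the package changelog", not "exploitable".

# Turn "7.22.0" into one comparable integer: major*1000000 + minor*1000 + patch.
ver_num() {
    echo "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# curl_affected BANNER: BANNER is the first line of `curl --version`.
# Prints "affected" (status 0), "not-affected" (status 1) or "unknown" (status 2).
curl_affected() {
    banner="$1"
    # The libcurl version is the token following "libcurl/".
    libver=$(printf '%s\n' "$banner" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p')
    [ -n "$libver" ] || { echo "unknown"; return 2; }
    # Only the OpenSSL backend had the bug; GnuTLS/NSS builds verify the name.
    case "$banner" in
        *OpenSSL/*) backend=openssl ;;
        *)          backend=other ;;
    esac
    v=$(ver_num "$libver")
    lo=$(ver_num 7.18.0)
    hi=$(ver_num 7.32.0)
    if [ "$backend" = openssl ] && [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then
        echo "affected"
        return 0
    fi
    echo "not-affected"
    return 1
}

# Constructed sample banners (not captured from any real host).
PRECISE="curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23"
FIXED="curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8"
GNUTLS="curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4"

# Live check of the local binary, when curl is installed.
if command -v curl >/dev/null 2>&1; then
    curl_affected "$(curl --version | head -n 1)" || :
fi
```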