Debian: DSA-2798-2 Moderate: Curl SSL Host Verification Issue

November 20, 2013
A fix has been released in Debian for the curl regression affecting host verification when the --insecure flag is used.
The update for curl in DSA-2798-1 uncovered a regression affecting the curl command line tool behaviour (#729965).

Summary

For the oldstable distribution (squeeze), this problem has been fixed in
version 7.21.0-2.1+squeeze6.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy6.

For the testing (jessie) and unstable (sid) distributions, the curl
command line tool behaves as expected with the --insecure option.

For reference the original advisory text follows.

Scott Cantor discovered that curl, a file retrieval tool, would disable
the CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting
was disabled. This would also disable SSL certificate host name checks
when it should have only disabled verification of the certificate trust
chain.

The default configuration for the curl package is not affected by this
issue since CURLOPT_SSL_VERIFYPEER is enabled by default.

For the oldstable distribution (squeeze), this problem has been fixed in
version 7.21.0-2.1+squeeze5.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy5.

For the testin...

Package: curl
CVE ID: CVE-2013-4545
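
To check an installed curl package against the versions listed above, the following added example (not part of the Debian advisory) orders Debian version strings and reports whether a host is before DSA-2798-1, on the DSA-2798-1 build with the --insecure regression, or on the DSA-2798-2 build. The function names are hypothetical and the sample versions in any call are constructed; the installed version would come from the package manager on the host.

```python
import re

# Versions stated in the advisory: (DSA-2798-1 fix, DSA-2798-2 regression fix).
ADVISORY_VERSIONS = {
    "squeeze": ("7.21.0-2.1+squeeze5", "7.21.0-2.1+squeeze6"),
    "wheezy": ("7.26.0-1+wheezy5", "7.26.0-1+wheezy6"),
}

def _weight(ch):
    # Debian ordering of one character: '~' < end of string < letters < the rest.
    if ch in ("~", ""):
        return -1 if ch == "~" else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _compare_part(a, b):
    """Compare upstream or revision strings by alternating non-digit and digit runs."""
    while a or b:
        text_a, text_b = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(text_a):], b[len(text_b):]
        for i in range(max(len(text_a), len(text_b))):
            wa, wb = _weight(text_a[i:i + 1]), _weight(text_b[i:i + 1])
            if wa != wb:
                return -1 if wa < wb else 1
        num_a, num_b = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(num_a):], b[len(num_b):]
        if int(num_a or 0) != int(num_b or 0):
            return -1 if int(num_a or 0) < int(num_b or 0) else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]; a missing epoch counts as 0."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return epoch, upstream, revision

def compare_debian_versions(a, b):
    """Return -1, 0 or 1, ordering versions as Debian policy describes."""
    results = (_compare_part(x, y) for x, y in zip(_split(a), _split(b)))
    return next((r for r in results if r), 0)

def curl_patch_state(release, installed):
    """Classify an installed curl version against the advisory's versions."""
    first_fix, regression_fix = ADVISORY_VERSIONS[release]  # KeyError: release not listed
    if compare_debian_versions(installed, first_fix) < 0:
        return "before DSA-2798-1"
    if compare_debian_versions(installed, regression_fix) < 0:
        return "DSA-2798-1, regression present"
    return "DSA-2798-2 or later"
```

Numeric runs are compared as integers, so a later build such as +wheezy13 sorts after +wheezy6 where a plain string comparison would place it before.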
