[v2.5] CVE-2013-4545: libcurl cert name check ignore
- THE SOLUTION
libcurl 7.33.0 makes sure that both options independently will cause the operation to fail unless the criteria are fulfilled. The fix was committed, pushed and released without the full security implications being properly realized.
- RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to curl and libcurl 7.33.0
B - Apply (https://github.com/bagder/curl/commit/3c3622b6) and rebuild libcurl
C - Make sure CURLOPT_SSL_VERIFYPEER is not disabled
D - Build libcurl with another TLS backend than OpenSSL
(from redmine: issue id 2378, created on 2013-11-21, closed on 2013-12-02)
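An added example (not part of the original issue or the curl advisory): a shell function that sorts a `curl --version` banner by recommendations A and D above. The function name, result labels and sample banners are constructed here; because the page names only the fixed release, every version below 7.33.0 is treated as unpatched, so a build patched per B still reports `check-verifypeer`.

```shell
#!/bin/sh
# Classify the first line of `curl --version` against CVE-2013-4545.
# Prints one of:
#   patched          - libcurl 7.33.0 or later (recommendation A)
#   not-openssl      - older libcurl, but no OpenSSL backend (recommendation D)
#   check-verifypeer - older libcurl on OpenSSL: confirm the patch (B) or
#                      that callers keep CURLOPT_SSL_VERIFYPEER enabled (C)
#   unknown          - no libcurl/X.Y.Z token found in the banner
classify_curl_banner() {
    banner=$1
    # Extract X.Y.Z from the "libcurl/X.Y.Z" token.
    ver=$(printf '%s\n' "$banner" |
        sed -n 's|.*libcurl/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # Numeric comparison, so 7.9.x sorts below 7.33.0.
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 33 ]; }; then
        echo patched
        return 0
    fi
    case $banner in
        *OpenSSL/*) echo check-verifypeer ;;
        *)          echo not-openssl ;;
    esac
}

# Constructed sample banners, not captured from real hosts.
for sample in \
    'curl 7.32.0 (x86_64-pc-linux-gnu) libcurl/7.32.0 OpenSSL/1.0.1e zlib/1.2.8' \
    'curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8' \
    'curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 NSS/3.15 zlib/1.2.7'
do
    printf '%s\t%s\n' "$(classify_curl_banner "$sample")" "$sample"
done
```

On a live system, pass it `"$(curl --version | head -n 1)"`. The banner cannot show whether an application disables CURLOPT_SSL_VERIFYPEER, so recommendation C still needs a review of the calling code.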
- Relations:
- parent #2376 (closed)
- Changesets:
- Revision 357aaad8 by Natanael Copa on 2013-11-25T14:16:34Z:
main/curl: security upgrade to 7.33.0 (CVE-2013-4545)
fixes #2378