curl: GnuTLS backend issue (CVE-2013-6422)
The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
(from redmine: issue id 2561, created on 2014-01-08, closed on 2014-01-14)
- Revision 70ed1cdc on 2014-03-04T16:25:33Z:
main/php: security fix CVE-2013-6712. Fixes #2561
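A check for the version and backend condition in the description above, as an added example that is not part of the original issue or of curl itself. It parses the first line of `curl --version` output; the function names and sample banner lines are constructed for illustration. A distribution package may carry a backported fix without changing its version number, so an "affected" result is a prompt to check the package changelog.

```python
import re

# Range taken from the issue description: libcurl 7.21.4 through 7.33.0,
# and only when libcurl is built against the GnuTLS backend.
AFFECTED_MIN = (7, 21, 4)
AFFECTED_MAX = (7, 33, 0)

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")
_GNUTLS_RE = re.compile(r"\bGnuTLS/\S+", re.IGNORECASE)


def parse_banner(banner):
    """Return (version_tuple_or_None, uses_gnutls) for a version banner line."""
    m = _LIBCURL_RE.search(banner)
    version = tuple(int(part) for part in m.groups()) if m else None
    return version, bool(_GNUTLS_RE.search(banner))


def classify(banner):
    """Classify a banner as affected / not affected by CVE-2013-6422."""
    version, uses_gnutls = parse_banner(banner)
    if version is None:
        return "unknown"                # no libcurl/x.y.z token found
    if not uses_gnutls:
        return "not-affected-backend"   # OpenSSL, NSS, ... builds are out of scope
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"               # may still be patched by a backport
    return "not-affected-version"


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "curl 7.26.0 (x86_64-pc-linux-gnu) libcurl/7.26.0 GnuTLS/2.12.20 zlib/1.2.7",
    "curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8",
    "curl 7.34.0 (x86_64-pc-linux-gnu) libcurl/7.34.0 GnuTLS/3.2.7 zlib/1.2.8",
    "curl 7.21.3 (i486-pc-linux-gnu) libcurl/7.21.3 GnuTLS/2.8.6 zlib/1.2.3.4",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):22} {line}")
```

Applications that leave CURLOPT_SSL_VERIFYPEER enabled do not meet the condition in the description, so a build flagged here matters mainly for code that turns that option off while relying on CURLOPT_SSL_VERIFYHOST.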