curl: GnuTLS backend issue (CVE-2013-6422)
The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
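As an added screening check (not part of this issue or of the curl project's code), the Python below parses a `curl --version` banner and flags a libcurl in the affected range that was built against GnuTLS; the banner strings are constructed samples. A version match is only a heuristic: the bug matters only to applications that set CURLOPT_SSL_VERIFYPEER to 0, and Debian and Ubuntu ship the fix (DSA-2824, USN-2058-1) as a backport without bumping the upstream version.

```python
"""Screen a `curl --version` banner for CVE-2013-6422 exposure.

Affected per the advisory: libcurl 7.21.4 through 7.33.0 using the GnuTLS
backend.  All banner strings in this file are constructed examples.
"""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (7, 21, 4)
AFFECTED_MAX = (7, 33, 0)

# Constructed sample banners, shaped like the first line of `curl --version`.
SAMPLE_GNUTLS = "curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 GnuTLS/3.0.22 zlib/1.2.7"
SAMPLE_OPENSSL = "curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.1e zlib/1.2.7"


def parse_banner(banner: str) -> Tuple[Optional[Tuple[int, int, int]], bool]:
    """Return (libcurl version tuple, uses_gnutls) from a version banner.

    Only the first line is inspected.  Returns (None, False) when no
    'libcurl/x.y.z' token is present, so callers never act on garbage.
    """
    lines = banner.strip().splitlines()
    first = lines[0] if lines else ""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", first)
    if not m:
        return None, False
    version = tuple(int(x) for x in m.groups())
    # The advisory concerns the GnuTLS backend only; curl prints it as 'GnuTLS/<ver>'.
    uses_gnutls = re.search(r"\bGnuTLS/", first) is not None
    return version, uses_gnutls  # type: ignore[return-value]


def is_affected(banner: str) -> bool:
    """True when the banner shows a GnuTLS-backed libcurl in 7.21.4..7.33.0.

    A True result is a reason to check the distribution's patch status and
    audit callers that disable CURLOPT_SSL_VERIFYPEER, not proof of exposure.
    """
    version, uses_gnutls = parse_banner(banner)
    if version is None or not uses_gnutls:
        return False
    return AFFECTED_MIN <= version <= AFFECTED_MAX


if __name__ == "__main__":
    for sample in (SAMPLE_GNUTLS, SAMPLE_OPENSSL):
        print(f"{'AFFECTED ' if is_affected(sample) else 'not affected'}: {sample}")
```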
- CONFIRM: http://curl.haxx.se/docs/adv_20131217.html
- DEBIAN: DSA-2824
- URL: http://www.debian.org/security/2013/dsa-2824
- UBUNTU: USN-2058-1
- URL: http://www.ubuntu.com/usn/USN-2058-1
(from redmine: issue id 2561, created on 2014-01-08, closed on 2014-01-14)
- Relations:
- child #2562 (closed)
- child #2563 (closed)
- child #2564 (closed)
- child #2565 (closed)
- Changesets:
- Revision 70ed1cdc on 2014-03-04T16:25:33Z:
main/php: security fix CVE-2013-6712. Fixes #2561