Debian Security Advisory
DSA-2798-1 curl -- unchecked ssl certificate host name
- Date Reported:
- 17 Nov 2013
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2013-4545.
- More information:
Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain.
The default configuration for the curl package is not affected by this issue since CURLOPT_SSLVERIFYPEER is enabled by default.
For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze5.
For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy5.
For the testing (jessie) and unstable (sid) distributions, this problem has been fixed in version 7.33.0-1.
We recommend that you upgrade your curl packages.