Debian Security Advisory
DSA-2824-1 curl -- unchecked tls/ssl certificate host name
- Date Reported:
- 19 Dec 2013
- Affected Packages:
- curl
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2013-6422.
- More information:
-
Marc Deslauriers discovered that curl, a file retrieval tool, would mistakenly skip verifying the CN and SAN name fields when digital signature verification was disabled in the libcurl GnuTLS backend.
The default configuration for the curl package is not affected by this issue since the digital signature verification is enabled by default.
The oldstable distribution (squeeze) is not affected by this problem.
For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy7.
For the unstable distribution (sid), this problem has been fixed in version 7.34.0-1.
We recommend that you upgrade your curl packages.