Security Information / 2013 / Security Information -- DSA-2824-1 curl

Debian Security Advisory

DSA-2824-1 curl -- unchecked tls/ssl certificate host name

Date Reported:

19 Dec 2013

Affected Packages:

curl

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2013-6422.

More information:

Marc Deslauriers discovered that curl, a file retrieval tool, would mistakenly skip verifying the CN and SAN name fields when digital signature verification was disabled in the libcurl GnuTLS backend.

The default configuration for the curl package is not affected by this issue since the digital signature verification is enabled by default.

The oldstable distribution (squeeze) is not affected by this problem.

For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy7.

For the unstable distribution (sid), this problem has been fixed in version 7.34.0-1.

We recommend that you upgrade your curl packages.