CVE-2013-4545 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4545): cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
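As an added example (not part of this bug report and not curl's own code), the following Python script parses the first line of `curl --version` output and reports whether a build falls in the affected range (7.18.0 through 7.32.0, inclusive) with the OpenSSL backend, which is the only combination the CVE text describes. The sample banner lines and the function names are constructed for this example; the list of backend names is an assumption and is not exhaustive.

```python
import re

# Affected range stated in the CVE text: curl/libcurl 7.18.0 through 7.32.0
# (inclusive), and only for builds using the OpenSSL backend.
AFFECTED_MIN = (7, 18, 0)
AFFECTED_MAX = (7, 32, 0)
AFFECTED_BACKEND = "OpenSSL"

# Constructed sample first lines of `curl --version` output (not real captures).
SAMPLE_BANNERS = {
    "affected":      "curl 7.31.0 (x86_64-pc-linux-gnu) libcurl/7.31.0 OpenSSL/1.0.1e zlib/1.2.8",
    "fixed":         "curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8",
    "other_backend": "curl 7.31.0 (x86_64-pc-linux-gnu) libcurl/7.31.0 GnuTLS/3.2.4 zlib/1.2.8",
    "too_old":       "curl 7.17.1 (i686-pc-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8y zlib/1.2.3",
}

# TLS backend names as libcurl prints them in the banner (assumed, not exhaustive).
KNOWN_BACKENDS = ("OpenSSL", "GnuTLS", "NSS", "PolarSSL", "SecureTransport")


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' (any trailing suffix ignored) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_banner(banner):
    """Return (libcurl version tuple, TLS backend name or None) from a banner line."""
    m = re.search(r"\blibcurl/(\S+)", banner)
    if m is None:
        # Fall back to the leading "curl X.Y.Z" token when no libcurl token is present.
        m = re.match(r"curl\s+(\S+)", banner)
        if m is None:
            raise ValueError("not a curl --version banner: %r" % banner)
    version = parse_version(m.group(1))

    backend = None
    for name in KNOWN_BACKENDS:
        if re.search(r"\b%s/" % re.escape(name), banner):
            backend = name
            break
    return version, backend


def _in_affected_set(version, backend):
    return AFFECTED_MIN <= version <= AFFECTED_MAX and backend == AFFECTED_BACKEND


def is_affected(banner):
    """True when the build is inside the CVE-2013-4545 range and uses OpenSSL."""
    version, backend = parse_banner(banner)
    return _in_affected_set(version, backend)


def assess(banner):
    """Structured result for reporting: version string, backend, affected flag."""
    version, backend = parse_banner(banner)
    return {
        "version": "%d.%d.%d" % version,
        "backend": backend,
        "affected": _in_affected_set(version, backend),
    }


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(label, assess(banner))
```

The banner describes the libcurl the `curl` binary was linked against; an application bundling or statically linking its own libcurl has to be checked separately. A build flagged here is only exposed when the calling application disables CURLOPT_SSL_VERIFYPEER, so the durable remediation is the upgrade this bug tracks (7.33.0 or later) together with keeping peer verification enabled.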
Let's stabilize curl-7.33.0. It has been in the tree since Oct 15 and no bugs.

Keywords for net-misc/curl:

          | alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 | unused slot | repo
----------+-----------------------------------------------------------------+-------------+-------
[I]7.31.0 |   +     +    +    +    +    o    ~    +    +    +    +    +    + |   o     0   | gentoo
   7.33.0 |   ~     ~    ~    ~    ~    o    ~    ~    ~    ~    ~    ~    ~ |   #         | gentoo
   7.34.0 |   ~     ~    ~    ~    ~    o    ~    ~    ~    ~    ~    ~    ~ |   o         | gentoo

TARGET="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

sh and s390 are now ~arch only. I'm cc-ing them to alert that we are leaving KEYWORDS="~s390 ~sh" when I remove 7.31.0. Remove yourselves from the CC list if you are okay with that.
Stable for HPPA.
stable ppc and ppc64
Stable arm
amd64 stable
alpha stable
x86 stable
sparc stable
ia64 stable. Added to existing GLSA draft. Maintainer(s), please cleanup.
(In reply to Mikle Kolyada from comment #9)
> ia64 stable.
>
> Added to existing GLSA draft.
>
> Maintainer(s), please cleanup.

Cleanup done.
This issue was resolved and addressed in GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml by GLSA coordinator Sergey Popov (pinkbyte).