Summary: | <net-misc/curl-7.34.0-r1 - MitM vulnerability (CVE-2013-6422)
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Status: | RESOLVED FIXED
Severity: | trivial
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
Whiteboard: | C4 [glsa]
Reporter: | GLSAMaker/CVETool Bot <glsamaker>
Assignee: | Gentoo Security <security>
CC: | blueness, gregkh
Package list: |
Runtime testing required: | ---
Description

GLSAMaker/CVETool Bot
2014-01-05 02:56:13 UTC

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2013-6422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6422):
> The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital
> signature verification (CURLOPT_SSL_VERIFYPEER), also disables the
> CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it
> easier for remote attackers to spoof servers and conduct man-in-the-middle
> (MITM) attacks.
>
>
> Pretty sure that 7.33.0 is vulnerable, in which case we need to stable
> 7.34.0-r1. Is it ready to stable?

It is a bit early, but we did clobber a bug with upstream. So let's do it.

TARGET="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Stable for HPPA.

amd64 stable

x86 stable

alpha stable

sparc stable

ppc64 stable

arm stable

ppc stable

ia64 stable. Maintainer(s), please cleanup.

Added to existing GLSA draft

(In reply to Sergey Popov from comment #11)
> Added to existing GLSA draft

7.33.0 is off the tree. 7.34.0-r1 is fully stabilized wrt the arches.

This issue was resolved and addressed in GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml by GLSA coordinator Sergey Popov (pinkbyte).
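
The CVE text quoted in the thread gives a defender two facts to check on a host: the libcurl version (7.21.4 through 7.33.0 affected, 7.34.0 and later fixed) and the TLS backend (only GnuTLS builds lose the host-name check). The script below is an added example, not code from the Gentoo bug, the GLSA, or the curl project; it parses the first line of a `curl --version` banner (the `libcurl/X.Y.Z` and `GnuTLS/...` tokens are the real banner format) and reports whether the build falls in the affected window. The banners it runs against are constructed samples embedded in the script.

```shell
#!/bin/sh
# Added example, not part of the Gentoo bug or of curl itself: decide from
# a `curl --version` banner whether a build falls in the CVE-2013-6422
# window quoted above (libcurl 7.21.4 through 7.33.0, GnuTLS backend only;
# 7.34.0 and later are fixed). The sample banners below are constructed.

# Turn "major.minor.patch" into one integer so version ranges compare
# numerically instead of lexically (7.9.0 must sort below 7.33.0).
ver_num() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# curl_affected BANNER: returns 0 (true) when the banner describes an
# affected build, 1 otherwise.
curl_affected() {
    first=$(printf '%s\n' "$1" | head -n 1)
    # libcurl reports its own version as the token "libcurl/X.Y.Z".
    libver=$(printf '%s\n' "$first" | tr ' ' '\n' | sed -n 's#^libcurl/##p' | head -n 1)
    [ -n "$libver" ] || return 1
    # Only builds against GnuTLS lose the host-name check; other backends
    # (OpenSSL, NSS, ...) are out of scope for this CVE.
    printf '%s\n' "$first" | grep -q 'GnuTLS/' || return 1
    v=$(ver_num "$libver")
    [ "$v" -ge "$(ver_num 7.21.4)" ] && [ "$v" -le "$(ver_num 7.33.0)" ]
}

# Constructed sample banners in the shape of `curl --version` output.
BANNER_OLD_GNUTLS='curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 GnuTLS/3.2.4 zlib/1.2.8
Protocols: file ftp ftps http https
Features: IPv6 Largefile SSL libz'
BANNER_FIXED='curl 7.34.0 (x86_64-pc-linux-gnu) libcurl/7.34.0 GnuTLS/3.2.4 zlib/1.2.8'
BANNER_OPENSSL='curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8'

for b in "$BANNER_OLD_GNUTLS" "$BANNER_FIXED" "$BANNER_OPENSSL"; do
    if curl_affected "$b"; then
        echo "AFFECTED:     $(printf '%s\n' "$b" | head -n 1)"
    else
        echo "not affected: $(printf '%s\n' "$b" | head -n 1)"
    fi
done
```

On a real host, replace the constructed banners with `curl_affected "$(curl --version)"`. The check is deliberately two-sided: a 7.33.0 build linked against OpenSSL is reported as not affected, and a GnuTLS build is only flagged inside the quoted version range, so the script does not produce noise on hosts that were never exposed.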