Comment 1 Anthony Basile 2014-01-05 13:40:53 UTC

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2013-6422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6422):
>   The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital
>   signature verification (CURLOPT_SSL_VERIFYPEER), also disables the
>   CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it
>   easier for remote attackers to spoof servers and conduct man-in-the-middle
>   (MITM) attacks.
> 
> 
> Pretty sure that 7.33.0 is vulnerable, in which case we need to stable
> 7.34.0-r1. Is it ready to stable?

It is a bit early, but we did clobber a bug with upstream.  So let's do it.

  TARGET="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 2 Jeroen Roovers (RETIRED) 2014-01-05 23:55:25 UTC

Stable for HPPA.

Comment 3 Agostino Sarubbo 2014-01-06 09:24:17 UTC

amd64 stable

Comment 4 Agostino Sarubbo 2014-01-06 09:24:31 UTC

x86 stable

Comment 5 Agostino Sarubbo 2014-01-06 09:25:12 UTC

alpha stable

Comment 6 Agostino Sarubbo 2014-01-06 09:25:54 UTC

sparc stable

Comment 7 Agostino Sarubbo 2014-01-06 09:26:54 UTC

ppc64 stable

Comment 8 Agostino Sarubbo 2014-01-06 09:42:20 UTC

arm stable

Comment 9 Agostino Sarubbo 2014-01-06 09:42:43 UTC

ppc stable

Comment 10 Agostino Sarubbo 2014-01-12 13:18:40 UTC

ia64 stable.

Maintainer(s), please cleanup.

Comment 11 Sergey Popov 2014-01-20 09:03:06 UTC

Added to existing GLSA draft

Comment 12 Anthony Basile 2014-01-20 13:11:11 UTC

(In reply to Sergey Popov from comment #11)
> Added to existing GLSA draft

7.33.0 is off the tree.  7.34.0-r1 is fully stabilize wrt the arches.

Comment 13 GLSAMaker/CVETool Bot 2014-01-20 14:11:31 UTC

This issue was resolved and addressed in
 GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml
by GLSA coordinator Sergey Popov (pinkbyte).