CVE-2013-6422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6422): The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks. Pretty sure that 7.33.0 is vulnerable, in which case we need to stable 7.34.0-r1. Is it ready to stable?
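As an added check that is not part of this bug thread: a small C routine that classifies a libcurl build as affected or not, given the version string in the format `curl_version()` returns (assumed here, e.g. `libcurl/7.33.0 GnuTLS/3.2.4 ...`). It applies the two conditions from the advisory, version 7.21.4 through 7.33.0 and the GnuTLS backend, so builds on other TLS backends or on 7.34.0 are reported as not affected.

```c
#include <stdio.h>
#include <string.h>

/* Parse "MAJOR.MINOR.PATCH" into one comparable integer (7.33.0 -> 73300).
   Returns -1 if the string does not start with a valid version triple. */
static long version_key(const char *s)
{
    int major, minor, patch;
    if (sscanf(s, "%d.%d.%d", &major, &minor, &patch) != 3)
        return -1;
    return (long)major * 10000 + minor * 100 + patch;
}

/* Returns 1 if the build described by a curl_version()-style string falls in
   the CVE-2013-6422 range (7.21.4 through 7.33.0) AND uses the GnuTLS backend,
   0 if it does not, and -1 if no "libcurl/X.Y.Z" token can be parsed.
   Only the GnuTLS backend is affected, so "OpenSSL/..." builds return 0. */
int cve_2013_6422_affected(const char *curl_version_string)
{
    const char *p = strstr(curl_version_string, "libcurl/");
    if (!p)
        return -1;
    long v = version_key(p + strlen("libcurl/"));
    if (v < 0)
        return -1;
    int gnutls = strstr(curl_version_string, "GnuTLS/") != NULL;
    int in_range = v >= version_key("7.21.4") && v <= version_key("7.33.0");
    return gnutls && in_range;
}

int main(void)
{
    /* Constructed sample strings in the curl_version() format. */
    const char *samples[] = {
        "libcurl/7.33.0 GnuTLS/3.2.4 zlib/1.2.8",
        "libcurl/7.34.0 GnuTLS/3.2.4 zlib/1.2.8",
        "libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s affected=%d\n", samples[i],
               cve_2013_6422_affected(samples[i]));
    return 0;
}
```

A build reported as affected should be treated as having no host-name check whenever CURLOPT_SSL_VERIFYPEER is disabled, regardless of the CURLOPT_SSL_VERIFYHOST setting.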
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2013-6422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6422):
> The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital
> signature verification (CURLOPT_SSL_VERIFYPEER), also disables the
> CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it
> easier for remote attackers to spoof servers and conduct man-in-the-middle
> (MITM) attacks.
>
> Pretty sure that 7.33.0 is vulnerable, in which case we need to stable
> 7.34.0-r1. Is it ready to stable?

It is a bit early, but we did clobber a bug with upstream. So let's do it.

TARGET="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
sparc stable
ppc64 stable
arm stable
ppc stable
ia64 stable. Maintainer(s), please clean up.
Added to existing GLSA draft
(In reply to Sergey Popov from comment #11)
> Added to existing GLSA draft

7.33.0 is off the tree. 7.34.0-r1 is fully stabilized wrt the arches.
This issue was resolved and addressed in GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml by GLSA coordinator Sergey Popov (pinkbyte).