cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables
the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST)
when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is
disabled, which allows man-in-the-middle attackers to spoof SSL servers via
an arbitrary valid certificate.
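A defender-side inventory check, added here and not part of the bug report: given the first line of `curl --version`, it decides whether a build sits in the affected 7.18.0 through 7.32.0 range and links the OpenSSL backend, i.e. whether CURLOPT_SSL_VERIFYHOST is silently dropped whenever CURLOPT_SSL_VERIFYPEER is disabled. The banner layout, the set of backend names and the sample banners are assumptions (the banners are constructed, not from real hosts).

```python
import re

# Affected range from the bug description: 7.18.0 through 7.32.0 when built
# against OpenSSL; 7.33.0 (the version being stabilized) carries the fix.
AFFECTED_MIN, AFFECTED_MAX = (7, 18, 0), (7, 32, 0)
AFFECTED_BACKEND = "OpenSSL"

# Assumed shape of the first `curl --version` line:
#   curl 7.31.0 (x86_64-pc-linux-gnu) libcurl/7.31.0 OpenSSL/1.0.1e zlib/1.2.8
BANNER_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)\S*\s+\([^)]*\)\s+(.*)$")
# TLS backend names as they appear in the feature list (assumed set).
TLS_BACKENDS = {"OpenSSL", "GnuTLS", "NSS", "PolarSSL", "CyaSSL", "axTLS", "SecureTransport"}

def parse_banner(line):
    """Return (version_tuple, tls_backend) for a curl banner, or None if unparsable."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1, 2, 3))
    backend = None
    for token in m.group(4).split():
        name = token.split("/", 1)[0]  # "OpenSSL/1.0.1e" -> "OpenSSL"
        if name in TLS_BACKENDS:
            backend = name
            break
    return version, backend

def is_affected(line):
    """True if VERIFYHOST is silently lost when VERIFYPEER is off; None if unknown."""
    parsed = parse_banner(line)
    if parsed is None:
        return None
    version, backend = parsed
    # Only the OpenSSL backend is named in the advisory; other backends are not flagged.
    return AFFECTED_MIN <= version <= AFFECTED_MAX and backend == AFFECTED_BACKEND

# Constructed banners for a small fleet audit (not from real hosts).
SAMPLE_BANNERS = [
    "curl 7.31.0 (x86_64-pc-linux-gnu) libcurl/7.31.0 OpenSSL/1.0.1e zlib/1.2.8",
    "curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8",
    "curl 7.31.0 (x86_64-pc-linux-gnu) libcurl/7.31.0 GnuTLS/3.2.4 zlib/1.2.8",
    "curl 7.18.0 (i686-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3",
    "curl 7.17.1 (i686-pc-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8g zlib/1.2.3",
]

def audit(banners):
    """Return the banners that need upgrading to 7.33.0 or later."""
    return [b for b in banners if is_affected(b)]
```

Builds flagged by `audit` should be moved to 7.33.0 or later; on an affected build, a caller that sets CURLOPT_SSL_VERIFYPEER to 0 gets no hostname check regardless of CURLOPT_SSL_VERIFYHOST.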
Let's stabilize curl-7.33.0. It has been in the tree since Oct 15 and there are no bugs.
Keywords for net-misc/curl:
          | alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 | unused slot | repo
[I]7.31.0 |   +     +    +    +    +    o    ~   +    +     +   +   +    +  |   o     0  | gentoo
   7.33.0 |   ~     ~    ~    ~    ~    o    ~   ~    ~     ~   ~   ~    ~  |   #        | gentoo
   7.34.0 |   ~     ~    ~    ~    ~    o    ~   ~    ~     ~   ~   ~    ~  |   o        | gentoo
TARGET="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
sh and s390 are now ~arch only. I'm cc-ing them to alert that we are leaving KEYWORDS="~s390 ~sh" when I remove 7.31.0. Remove yourselves from the CC list if you are okay with that.
Stable for HPPA.
stable ppc and ppc64
Added to existing glsa draft.
Maintainer(s), please cleanup.
(In reply to Mikle Kolyada from comment #9)
> ia64 stable.
> Added to existing glsa draft.
> Maintainer(s), please cleanup.
This issue was resolved and addressed in
GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml
by GLSA coordinator Sergey Popov (pinkbyte).