1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2824-1] curl security update

    From Salvatore Bonaccorso@1:229/2 to All on Thu Dec 19 20:00:01 2013
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2824-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso December 19, 2013 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : curl
    Vulnerability : unchecked tls/ssl certificate host name
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2013-6422

    Marc Deslauriers discovered that curl, a file retrieval tool, would
    mistakenly skip verifying the CN and SAN name fields when digital
    signature verification was disabled in the libcurl GnuTLS backend.

    The default configuration for the curl package is not affected by this
    issue since the digital signature verification is enabled by default.

    The oldstable distribution (squeeze) is not affected by this problem.

    For the stable distribution (wheezy), this problem has been fixed in
    version 7.26.0-1+wheezy7.

    For the unstable distribution (sid), this problem has been fixed in
    version 7.34.0-1.

    We recommend that you upgrade your curl packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.12 (GNU/Linux)

    iQIcBAEBCgAGBQJSsz7uAAoJEAVMuPMTQ89EUL0P/3q6ONK4nK45k35+zxbcEUBA FrDS5AgVxSXf8J6RWtamnaQAZ4q0zwLLYm7rK0TuClzXf5DuwLOtTjmlXsA1OaP2 2/35FNHhPAv0NDkaMlg5GB3rZpKc76HNFJC20RT6CxsE504IfCUYil3j3ArMKr9X ohGWaAfjmPMzvopSTOFDyeLRz7nC3AG4rTfdEenEdjivrTeum7JuH10Orxkj7maz bZ5ywhxh7MPvn3QjK39MHDWf56pJg0vUoGvSUQ/8gTlPMXpjTC6XXANwoH0hcOx+ jit9c2cA/2euY9N/aX6HXc39tnzPFGXh0fF1LJW3I27DQEZWeBJCJac+njA5frjF zEbC1ss/8BcgQ8/NZPHM0WJqufE2CLiklOYh5ZIbRBgzfL7vgTVFjb2StazMUgH/ iGaiJYwszNrVz0AoCJtaZLGBxxZFCDdjVeFqsc0uUWUoW8Y1n1eqLKg/AgMANuUc qGPaVLhlkoWnIwj/28eiT6rosriQ2ojp0igpIr1iabFGe5ewFx93Kfzl3UKMqYh8 Z0iNIz4AYt+P/jQxh/Xjpw4p+yYExyx1n0f5rscp3tFx6JtMvJKFwUbVabTvO7QL SEGQajyc8Vj9d6Q6zYWe/LbP4BBx9HWyfXHQrukDb+9w3ZcQ92IlNDEKUYsdRjiR jd+9YksjvKXjEzGQGf4t
    =JY3g
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)