ALT Linux Team

Package curl update in sisyphus on 2013-12-17

ALT-PU-2013-1298-1

Package curl updated to version 7.34.0-alt1 for branch sisyphus in task 110632.

Closed vulnerabilities

Published: 2015-04-28
Modified: 2021-03-23

BDU:2015-09726

Уязвимости операционной системы Gentoo Linux, позволяющие удаленному злоумышленнику нарушить конфиденциальность, целостность и доступность защищаемой информации

Severity: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Published: 2013-11-23
Modified: 2025-04-11

CVE-2013-4545

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Published: 2013-12-23
Modified: 2025-04-11

CVE-2013-6422

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

Severity: MEDIUM (4.0) Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top