curl -k breaks for some certificates after USN-2048-1

Bug #1258366 reported by Pierre Carrier on 2013-12-06
This bug affects 5 people

Affects          Status        Importance  Assigned to       Milestone
curl (Debian)    Fix Released  Unknown
curl (Ubuntu)                  Undecided   Unassigned
Lucid                          Undecided   Marc Deslauriers
Precise                        Undecided   Marc Deslauriers
Quantal                        Undecided   Marc Deslauriers
Raring                         Undecided   Unassigned
Saucy                          Undecided   Unassigned

Bug Description

The bug:

ubuntu@i-60bcba0e:~$ curl -sS -v -k https://jenkins.musta.ch/
* About to connect() to jenkins.musta.ch port 443 (#0)
* Trying 10.147.129.217... connected
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: O=*.airbnb.com; OU=Domain Control Validated; CN=*.airbnb.com
* start date: 2012-10-23 18:01:55 GMT
* expire date: 2013-10-24 18:33:00 GMT
* subjectAltName does not match jenkins.musta.ch
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* SSL peer certificate or SSH remote key was not OK
curl: (51) SSL peer certificate or SSH remote key was not OK

The fix:

--- a/src/main.c
+++ b/src/main.c
@@ -5375,7 +5375,7 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
         if(config->insecure_ok) {
           /* new stuff needed for libcurl 7.10 */
           my_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
- my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
+ my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
         }
         else {
           char *home = homedir();
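Review bot: the replaced line in the insecure_ok branch now passes 0 to CURLOPT_SSL_VERIFYHOST, which is the value that actually switches host-name matching off; with the old value 1 the name check stayed active even though CURLOPT_SSL_VERIFYPEER is already FALSE on the line just above, which matches the "subjectAltName does not match jenkins.musta.ch" failure in the log. Two things to tidy while here: the comment "/* new stuff needed for libcurl 7.10 */" no longer describes this block and should be updated or dropped, and the two calls mix FALSE and a bare 0 for what are both long options, so `0L` on both lines would be consistent. Also, the "-" and "+" lines carry one space of indentation while the surrounding context lines carry nine, so the patch as pasted here will not apply cleanly with `patch -p1`; re-send it with the original whitespace. A regression test that runs `curl -k` against a server whose certificate names a different host would catch this case, since that is exactly what the old value missed.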

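As an added example (not curl's code and not part of this report), the Python below models the two independent checks that `-k` has to disable: CA-chain verification, which CURLOPT_SSL_VERIFYPEER gates, and host-name matching, which CURLOPT_SSL_VERIFYHOST gates. The host and certificate names come from the log above; the functions `hostname_matches` and `verify_server`, the wildcard rules (RFC 6125 section 6.4.3) and the treatment of any non-zero verify-host value as a full check are assumptions of the example, not libcurl's implementation.

```python
"""Model of why `curl -k` must clear both VERIFYPEER and VERIFYHOST.

Added example; not curl source. Names are taken from the bug's own log:
the server presents a certificate for *.airbnb.com while the client asked
for jenkins.musta.ch.
"""

VERIFYHOST_OFF = 0   # what the fix in this bug makes `-k` set
VERIFYHOST_FULL = 2  # libcurl's default: the certificate must name the host


def _label_matches(pattern: str, label: str) -> bool:
    """Compare one DNS label against one pattern label.

    Only a whole-label wildcard ("*") is honoured; partial wildcards such
    as "f*o" are rejected (conservative reading of RFC 6125).
    """
    return pattern == "*" or pattern == label


def hostname_matches(hostname: str, dns_names) -> bool:
    """Return True if `hostname` matches any DNS name in the certificate.

    Rules (RFC 6125 6.4.3): case-insensitive comparison, a wildcard only in
    the leftmost label, a wildcard matches exactly one label, and "*.tld"
    is refused so a wildcard can never cover a whole public suffix.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if "*" in pat_labels[1:]:
            continue  # wildcard outside the leftmost label is invalid
        if pat_labels[0] == "*" and len(pat_labels) < 3:
            continue  # "*.com" would match every host under the TLD
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def verify_server(hostname, cert_dns_names, chain_ok,
                  verify_peer=True, verify_host=VERIFYHOST_FULL):
    """Combine the two options the way the curl tool does; return (ok, why).

    `chain_ok` stands in for the CA-chain result OpenSSL hands libcurl
    (constructed input). The checks are independent: VERIFYPEER gates the
    chain, VERIFYHOST gates the name. An insecure mode has to clear both,
    which is what the patch above restores for `-k`. Assumption of this
    model: any non-zero verify_host value behaves as a full name check.
    """
    if verify_peer and not chain_ok:
        return False, "certificate chain not trusted"
    if verify_host != VERIFYHOST_OFF and not hostname_matches(hostname, cert_dns_names):
        return False, f"subjectAltName does not match {hostname}"
    return True, "ok"


if __name__ == "__main__":
    # Reproduce the bug (verify_host left at 2 under -k) and the fix (0).
    for vh in (VERIFYHOST_FULL, VERIFYHOST_OFF):
        print("VERIFYHOST =", vh,
              verify_server("jenkins.musta.ch", ["*.airbnb.com"],
                            chain_ok=False, verify_peer=False, verify_host=vh))
```

Run it and the first line fails with the same "subjectAltName does not match" reason as the log, the second succeeds: clearing VERIFYPEER alone leaves the name check in force, so an insecure flag that only clears it is not insecure enough to be useful and still gives no protection.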
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in curl (Ubuntu):
status: New → Confirmed
Philipp Kern (pkern) on 2013-12-06
tags: added: regression-update
Changed in curl (Ubuntu Raring):
status: New → Invalid
Changed in curl (Ubuntu Saucy):
status: New → Invalid
Changed in curl (Ubuntu):
status: Confirmed → Invalid
Changed in curl (Ubuntu Lucid):
status: New → Confirmed
Changed in curl (Ubuntu Precise):
status: New → Confirmed
Changed in curl (Ubuntu Quantal):
status: New → Confirmed
Changed in curl (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package curl - 7.27.0-1ubuntu1.6

---------------
curl (7.27.0-1ubuntu1.6) quantal-security; urgency=low

  * SECURITY REGRESSION: can't disable cert checking in command line tool
    (LP: #1258366)
    - debian/patches/CVE-2013-4545.patch: properly disable host
      verification when insecure mode is used in src/tool_operate.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden> Fri, 06 Dec 2013 07:47:06 -0500

Changed in curl (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package curl - 7.19.7-1ubuntu1.5

---------------
curl (7.19.7-1ubuntu1.5) lucid-security; urgency=low

  * SECURITY REGRESSION: can't disable cert checking in command line tool
    (LP: #1258366)
    - debian/patches/CVE-2013-4545.patch: properly disable host
      verification when insecure mode is used in src/main.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden> Fri, 06 Dec 2013 07:52:56 -0500

Changed in curl (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package curl - 7.22.0-3ubuntu4.5

---------------
curl (7.22.0-3ubuntu4.5) precise-security; urgency=low

  * SECURITY REGRESSION: can't disable cert checking in command line tool
    (LP: #1258366)
    - debian/patches/CVE-2013-4545.patch: properly disable host
      verification when insecure mode is used in src/main.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden> Fri, 06 Dec 2013 07:50:32 -0500

Changed in curl (Ubuntu Precise):
status: Confirmed → Fix Released
description: updated
gail (crittersgranny) on 2013-12-07
Changed in curl (Ubuntu):
status: Invalid → Fix Released