curl -k breaks for some certificates after USN-2048-1
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
curl (Debian) | Fix Released | Unknown | |
curl (Ubuntu) | | Undecided | Unassigned |
Lucid | | Undecided | Marc Deslauriers |
Precise | | Undecided | Marc Deslauriers |
Quantal | | Undecided | Marc Deslauriers |
Raring | | Undecided | Unassigned |
Saucy | | Undecided | Unassigned |

Bug Description
The bug:
ubuntu@
* About to connect() to jenkins.musta.ch port 443 (#0)
* Trying 10.147.129.217... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-
* Server certificate:
* subject: O=*.airbnb.com; OU=Domain Control Validated; CN=*.airbnb.com
* start date: 2012-10-23 18:01:55 GMT
* expire date: 2013-10-24 18:33:00 GMT
* subjectAltName does not match jenkins.musta.ch
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* SSL peer certificate or SSH remote key was not OK
curl: (51) SSL peer certificate or SSH remote key was not OK
The fix:
--- a/src/main.c
+++ b/src/main.c
@@ -5375,7 +5375,7 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
/* new stuff needed for libcurl 7.10 */
- my_setopt(curl, CURLOPT_
+ my_setopt(curl, CURLOPT_
}
else {
char *home = homedir();
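Review bot: the changed my_setopt call in operate() has no comment saying what it does to certificate verification in insecure mode, and the comment above it ("new stuff needed for libcurl 7.10") does not cover that. A one-line comment on the new call stating which check is switched off for -k would help, as would a regression test that runs curl -k against a server whose certificate subjectAltName does not match the requested host, which is the case shown in the trace in the bug description. Both the removed and the added line are cut off after CURLOPT_ on this page, so the option and value cannot be checked from the hunk as shown.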
CVE References
tags: added: regression-update
Changed in curl (Ubuntu Raring):
status: New → Invalid
Changed in curl (Ubuntu Saucy):
status: New → Invalid
Changed in curl (Ubuntu):
status: Confirmed → Invalid
Changed in curl (Ubuntu Lucid):
status: New → Confirmed
Changed in curl (Ubuntu Precise):
status: New → Confirmed
Changed in curl (Ubuntu Quantal):
status: New → Confirmed
Changed in curl (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote: #3
This bug was fixed in the package curl - 7.27.0-1ubuntu1.6
---------------
curl (7.27.0-1ubuntu1.6) quantal-security; urgency=low
* SECURITY REGRESSION: can't disable cert checking in command line tool
(LP: #1258366)
- debian/
verification when insecure mode is used in src/tool_operate.c.
- CVE-2013-4545
-- Marc Deslauriers <email address hidden> Fri, 06 Dec 2013 07:47:06 -0500
Changed in curl (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote: #4
This bug was fixed in the package curl - 7.19.7-1ubuntu1.5
---------------
curl (7.19.7-1ubuntu1.5) lucid-security; urgency=low
* SECURITY REGRESSION: can't disable cert checking in command line tool
(LP: #1258366)
- debian/
verification when insecure mode is used in src/main.c.
- CVE-2013-4545
-- Marc Deslauriers <email address hidden> Fri, 06 Dec 2013 07:52:56 -0500
Changed in curl (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote: #5
This bug was fixed in the package curl - 7.22.0-3ubuntu4.5
---------------
curl (7.22.0-3ubuntu4.5) precise-security; urgency=low
* SECURITY REGRESSION: can't disable cert checking in command line tool
(LP: #1258366)
- debian/
verification when insecure mode is used in src/main.c.
- CVE-2013-4545
-- Marc Deslauriers <email address hidden> Fri, 06 Dec 2013 07:50:32 -0500
Changed in curl (Ubuntu Precise):
status: Confirmed → Fix Released
description: updated
Changed in curl (Ubuntu):
status: Invalid → Fix Released
Status changed to 'Confirmed' because the bug affects multiple users.