CVE-2013-4545 - MitM attack/spoof

Bug #1257872 reported by Ray Link
Affects          Status        Importance  Assigned to        Milestone
curl (Ubuntu)    Fix Released  Undecided   Unassigned
  Lucid          Fix Released  Low         Marc Deslauriers
  Precise        Fix Released  Low         Marc Deslauriers
  Quantal        Fix Released  Low         Marc Deslauriers
  Raring         Fix Released  Low         Marc Deslauriers
  Saucy          Fix Released  Low         Marc Deslauriers

Bug Description

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545

From CVE report:
----------
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
----------

From developer: http://curl.haxx.se/docs/adv_20131115.html

Debian security advisory: http://www.debian.org/security/2013/dsa-2798

Patch (same fix as upstream and Debian) against 7.22.0-3ubuntu4.3 (current Precise) attached.
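The advisory text above names a precise affected set: curl/libcurl 7.18.0 through 7.32.0, only when built against OpenSSL. The following audit helper is an added example (not code from this bug report, from Ubuntu, or from the curl project) that parses `curl --version` first lines and flags builds matching that range and backend; the sample version lines are constructed, not captured from real hosts.

```python
# Added example for CVE-2013-4545; not code from the bug report or from the curl project.
# Parses `curl --version` output (or a libcurl version string) and flags builds that
# match the advisory: curl/libcurl 7.18.0 through 7.32.0 built against OpenSSL.
import re

AFFECTED_MIN = (7, 18, 0)   # first affected release, per the CVE text
AFFECTED_MAX = (7, 32, 0)   # last affected release; 7.33.0 carries the fix

def parse_curl_version(line):
    """Return (major, minor, patch) from a 'curl X.Y.Z ...' or 'libcurl/X.Y.Z' string."""
    m = re.search(r'(?:\bcurl |libcurl/)(\d+)\.(\d+)\.(\d+)', line)
    if m is None:
        raise ValueError("no curl version in %r" % line)
    return tuple(int(n) for n in m.groups())

def tls_backend(line):
    """Name of the TLS library the build reports (OpenSSL, GnuTLS, NSS, PolarSSL), or None."""
    m = re.search(r'\b(OpenSSL|GnuTLS|NSS|PolarSSL)/', line)
    return m.group(1) if m else None

def is_affected(line):
    """True when the build is inside the CVE-2013-4545 range AND linked against OpenSSL.
    Builds on other TLS backends are outside the scope of this advisory."""
    ver = parse_curl_version(line)
    return AFFECTED_MIN <= ver <= AFFECTED_MAX and tls_backend(line) == "OpenSSL"

def audit(version_lines):
    """Map each `curl --version` first line to a short verdict string."""
    return {line: ("AFFECTED" if is_affected(line) else "not affected")
            for line in version_lines}

# Constructed sample `curl --version` first lines (not captured from real hosts).
SAMPLES = [
    "curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4",
    "curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4",
    "curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8",
    "curl 7.17.1 (i686-pc-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8g zlib/1.2.3",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLES).items():
        print("%-12s %s" % (verdict, line))
```

Distribution packages that backport the fix keep the upstream version number (the patched Precise package is still 7.22.0), so a hit from this check means "confirm against the package changelog", not "confirmed vulnerable".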

Tags: patch

Ray Link (rlink) wrote:
information type: Private Security → Public Security
description: updated
Luke Faraone (lfaraone) wrote:

Debian fixed this in 7.33.0-1, and we have 7.33.0-1ubuntu1 in trusty.

tags: added: patch
Changed in curl (Ubuntu):
status: New → Fix Released
Marc Deslauriers (mdeslaur) wrote:

I already have updates for this going through QA.

Changed in curl (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Low
status: Confirmed → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Ubuntu Quantal):
status: New → In Progress
Changed in curl (Ubuntu Raring):
status: New → In Progress
Changed in curl (Ubuntu Saucy):
status: New → In Progress
Changed in curl (Ubuntu Quantal):
importance: Undecided → Low
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Ubuntu Raring):
importance: Undecided → Low
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in curl (Ubuntu Saucy):
importance: Undecided → Low
assignee: nobody → Marc Deslauriers (mdeslaur)
Luke Faraone (lfaraone)
Changed in curl (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in curl (Ubuntu Precise):
status: In Progress → Fix Released
Changed in curl (Ubuntu Quantal):
status: In Progress → Fix Released
Changed in curl (Ubuntu Raring):
status: In Progress → Fix Released
Changed in curl (Ubuntu Saucy):
status: In Progress → Fix Released