Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain. The default configuration for the curl package is not affected by this issue since CURLOPT_SSLVERIFYPEER is enabled by default.

For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze5. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy5. For the testing (jessie) and unstable (sid) distributions, this problem has been fixed in version 7.33.0-1. We recommend that you upgrade your curl packages.

curl is a client to get files from servers using any of the supported protocols. The command is designed to work without user interaction or any kind of interactivity.

curl on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2013/dsa-2798.html

---

Updated on 2015-03-25