Summary
Marc Deslauriers discovered that curl, a file retrieval tool, would mistakenly skip verifying the CN and SAN name fields when digital signature verification was disabled in the libcurl GnuTLS backend.
The default configuration for the curl package is not affected by this issue since the digital signature verification is enabled by default.
The oldstable distribution (squeeze) is not affected by this problem.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy7.
For the unstable distribution (sid), this problem has been fixed in version 7.34.0-1.
We recommend that you upgrade your curl packages.
Insight
curl is a command line tool for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
Affected
curl on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2013-6422 -
CVSS Base Score: 4.0
AV:N/AC:H/Au:N/C:P/I:P/A:N
Related Vulnerabilities