[v2.7] curl: GnuTLS backend issue (CVE-2013-6422)
The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
• CONFIRM: http://curl.haxx.se/docs/adv_20131217.html
• DEBIAN: DSA-2824
• URL: http://www.debian.org/security/2013/dsa-2824
• UBUNTU: USN-2058-1
• URL: http://www.ubuntu.com/usn/USN-2058-1
(from redmine: issue id 2565, created on 2014-01-08, closed on 2014-01-14)
- Relations:
- parent #2561 (closed)
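
A triage check for the affected range quoted above, as an added example that is not part of the original issue or of curl itself: it classifies the first line of `curl --version` output by TLS backend and libcurl version. The function name, result labels and sample lines are constructed for illustration. A distribution package may carry a backported fix under an unchanged upstream version, so an "in-range" result still has to be confirmed against the package changelog.

```python
import re

# Affected range as stated in the issue description: libcurl 7.21.4 through 7.33.0.
FIRST_AFFECTED = (7, 21, 4)
LAST_AFFECTED = (7, 33, 0)

_LIBCURL = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")
_GNUTLS = re.compile(r"\bGnuTLS/\S+", re.IGNORECASE)


def assess(version_line):
    """Classify the first line of `curl --version` output.

    Returns one of:
      "unknown"       - no libcurl/x.y.z token found
      "not-gnutls"    - libcurl is built against a different TLS backend
      "outside-range" - GnuTLS backend, version outside the affected range
      "in-range"      - GnuTLS backend, version inside the affected range
    """
    match = _LIBCURL.search(version_line)
    if match is None:
        return "unknown"
    if _GNUTLS.search(version_line) is None:
        return "not-gnutls"
    version = tuple(int(part) for part in match.groups())
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "in-range"
    return "outside-range"


# Constructed sample lines in the format printed by `curl --version`.
SAMPLES = [
    "curl 7.26.0 (x86_64-pc-linux-gnu) libcurl/7.26.0 GnuTLS/2.12.20 zlib/1.2.7",
    "curl 7.26.0 (x86_64-pc-linux-gnu) libcurl/7.26.0 OpenSSL/1.0.1e zlib/1.2.7",
    "curl 7.34.0 (x86_64-pc-linux-gnu) libcurl/7.34.0 GnuTLS/3.2.7 zlib/1.2.8",
    "curl 7.21.3 (i486-pc-linux-gnu) libcurl/7.21.3 GnuTLS/2.8.6 zlib/1.2.3.4",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{assess(line):14} {line}")
```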