[Bug 1257872] [NEW] CVE-2013-4545 - MitM attack/spoof

Ray Link rlink+launchpad at cs.cmu.edu
Wed Dec 4 18:47:12 UTC 2013 

*** This bug is a security vulnerability ***

Public security bug reported:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545

>From CVE report:
----------
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
----------

>From developer:  http://curl.haxx.se/docs/adv_20131115.html

Debian security advisory:  http://www.debian.org/security/2013/dsa-2798

Patch (same fix as upstream and Debian) against 7.22.0-3ubuntu4.3
(current Precise) attached.

** Affects: curl (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "CVE-2013-4545.patch"
   https://bugs.launchpad.net/bugs/1257872/+attachment/3923282/+files/CVE-2013-4545.patch

** Information type changed from Private Security to Public Security

** Description changed:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545
  
  From CVE report:
  ----------
- cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. 
+ cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
  ----------
  
  From developer:  http://curl.haxx.se/docs/adv_20131115.html
  
  Debian security advisory:  http://www.debian.org/security/2013/dsa-2798
  
- Patch (same fix as upstream and Debian) attached.
+ Patch (same fix as upstream and Debian) against 7.22.0-3ubuntu4.3
+ (current Precise) attached.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1257872

Title:
  CVE-2013-4545 - MitM attack/spoof

Status in “curl” package in Ubuntu:
  New

Bug description:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545

  From CVE report:
  ----------
  cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
  ----------

  From developer:  http://curl.haxx.se/docs/adv_20131115.html

  Debian security advisory:
  http://www.debian.org/security/2013/dsa-2798

  Patch (same fix as upstream and Debian) against 7.22.0-3ubuntu4.3
  (current Precise) attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1257872/+subscriptions

More information about the foundations-bugs mailing list