Mandriva Linux Security Advisory 2013-276 - Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain.
2c78af201db1bef05c4d5d012d53ff1328f14122e461d40a5c38c8ccb71ff218-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:276
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : curl
Date : November 21, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Updated curl packages fix security vulnerability:
Scott Cantor discovered that curl, a file retrieval tool, would disable
the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER
setting was disabled. This would also disable ssl certificate host
name checks when it should have only disabled verification of the
certificate trust chain (CVE-2013-4545).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545
http://advisories.mageia.org/MGASA-2013-0338.html
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
8f84022018a0be9caba70cc8cf6b98d1 mes5/i586/curl-7.19.0-2.8mdvmes5.2.i586.rpm
e86ae32c140ab086117a626b1dc4247c mes5/i586/curl-examples-7.19.0-2.8mdvmes5.2.i586.rpm
af24903c9f5de553fb3608bd58218f24 mes5/i586/libcurl4-7.19.0-2.8mdvmes5.2.i586.rpm
bf050fb57bfcdf91bb8b60f3b0c0e25f mes5/i586/libcurl-devel-7.19.0-2.8mdvmes5.2.i586.rpm
dfb61d68c4c646ab7bd0a9d3a1c39469 mes5/SRPMS/curl-7.19.0-2.8mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
4ccbd52d83d96e492d15463f39e4592e mes5/x86_64/curl-7.19.0-2.8mdvmes5.2.x86_64.rpm
9c4dd21c21347ef24faa736eec23f8d1 mes5/x86_64/curl-examples-7.19.0-2.8mdvmes5.2.x86_64.rpm
1ec84b9e08af585ec52115c780f8f7ad mes5/x86_64/lib64curl4-7.19.0-2.8mdvmes5.2.x86_64.rpm
d9ca888f8a41efdbed7413c08b0a3c6c mes5/x86_64/lib64curl-devel-7.19.0-2.8mdvmes5.2.x86_64.rpm
dfb61d68c4c646ab7bd0a9d3a1c39469 mes5/SRPMS/curl-7.19.0-2.8mdvmes5.2.src.rpm
Mandriva Business Server 1/X86_64:
1c6d38ad16cfbbd7c08ac4db92c3c322 mbs1/x86_64/curl-7.24.0-2.3.mbs1.x86_64.rpm
47944d2322c89eb7e167ff2cfaaa0c21 mbs1/x86_64/curl-examples-7.24.0-2.3.mbs1.x86_64.rpm
6b2c3b949347f726bb1a68700d3de178 mbs1/x86_64/lib64curl4-7.24.0-2.3.mbs1.x86_64.rpm
1b2449e78f76b8af262fa990317cc6f4 mbs1/x86_64/lib64curl-devel-7.24.0-2.3.mbs1.x86_64.rpm
5158e7b7a60bad696d90178ec462c6a0 mbs1/SRPMS/curl-7.24.0-2.3.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFSjdjzmqjQ0CJFipgRAixLAJ41ILVt778Lt5wIF9Jwom7KBcuW5gCffIDn
M5ZuM4EwtuqxlZfXqbsmaJI=
=iHkm
-----END PGP SIGNATURE-----
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed