-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:276 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : curl Date : November 21, 2013 Affected: Business Server 1.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Updated curl packages fix security vulnerability: Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain (CVE-2013-4545). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545 http://advisories.mageia.org/MGASA-2013-0338.html _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 8f84022018a0be9caba70cc8cf6b98d1 mes5/i586/curl-7.19.0-2.8mdvmes5.2.i586.rpm e86ae32c140ab086117a626b1dc4247c mes5/i586/curl-examples-7.19.0-2.8mdvmes5.2.i586.rpm af24903c9f5de553fb3608bd58218f24 mes5/i586/libcurl4-7.19.0-2.8mdvmes5.2.i586.rpm bf050fb57bfcdf91bb8b60f3b0c0e25f mes5/i586/libcurl-devel-7.19.0-2.8mdvmes5.2.i586.rpm dfb61d68c4c646ab7bd0a9d3a1c39469 mes5/SRPMS/curl-7.19.0-2.8mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 4ccbd52d83d96e492d15463f39e4592e mes5/x86_64/curl-7.19.0-2.8mdvmes5.2.x86_64.rpm 9c4dd21c21347ef24faa736eec23f8d1 mes5/x86_64/curl-examples-7.19.0-2.8mdvmes5.2.x86_64.rpm 1ec84b9e08af585ec52115c780f8f7ad mes5/x86_64/lib64curl4-7.19.0-2.8mdvmes5.2.x86_64.rpm d9ca888f8a41efdbed7413c08b0a3c6c mes5/x86_64/lib64curl-devel-7.19.0-2.8mdvmes5.2.x86_64.rpm dfb61d68c4c646ab7bd0a9d3a1c39469 mes5/SRPMS/curl-7.19.0-2.8mdvmes5.2.src.rpm Mandriva Business Server 1/X86_64: 1c6d38ad16cfbbd7c08ac4db92c3c322 mbs1/x86_64/curl-7.24.0-2.3.mbs1.x86_64.rpm 47944d2322c89eb7e167ff2cfaaa0c21 mbs1/x86_64/curl-examples-7.24.0-2.3.mbs1.x86_64.rpm 6b2c3b949347f726bb1a68700d3de178 mbs1/x86_64/lib64curl4-7.24.0-2.3.mbs1.x86_64.rpm 1b2449e78f76b8af262fa990317cc6f4 mbs1/x86_64/lib64curl-devel-7.24.0-2.3.mbs1.x86_64.rpm 5158e7b7a60bad696d90178ec462c6a0 mbs1/SRPMS/curl-7.24.0-2.3.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFSjdjzmqjQ0CJFipgRAixLAJ41ILVt778Lt5wIF9Jwom7KBcuW5gCffIDn M5ZuM4EwtuqxlZfXqbsmaJI= =iHkm -----END PGP SIGNATURE-----