Computer Security

cURL certificates spoofing
Updated since: 26.11.2013
Published: 23.12.2013
Source:
SecurityVulns ID: 13420
Type: library
Threat Level: 4/10
Description: The host name is not verified when CURLOPT_SSL_VERIFYPEER is disabled.
Affected: CURL : cURL 7.32
CVE: CVE-2013-6422 (The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.)
 CVE-2013-4545 (cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.)
Original documents: UBUNTU, [USN-2058-1] curl vulnerability (23.12.2013)
 MANDRIVA, [ MDVSA-2013:276 ] curl (26.11.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod