DSA-2798-2 curl -- unchecked ssl certificate host nameID: oval:org.secpod.oval:def:601151 | Date: (C)2014-01-08 (M)2022-10-10 |
Class: PATCH | Family: unix |
The update for curl in DSA-2798-1 uncovered a regression affecting the curl command line tool behaviour . This update disables host verification too when using the --insecure option. For the oldstable distribution , this problem has been fixed in version 7.21.0-2.1+squeeze6. For the stable distribution , this problem has been fixed in version 7.26.0-1+wheezy6. For the testing and unstable distributions, the curl command line tool behaves as expected with the --insecure option. For reference the original advisory text follows. Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain. The default configuration for the curl package is not affected by this issue since CURLOPT_SSLVERIFYPEER is enabled by default.
Platform: |
Debian 7.0 |
Debian 6.0 |