-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2013.1653.2
                           curl security update
                             21 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           curl
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4545  

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2798

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running curl check for an updated version of the software for their
         operating system.

Revision History:  November 21 2013: Updated to reflect curl regression and fix
                   November 18 2013: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2798-2                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
November 20, 2013                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : curl
Vulnerability  : unchecked ssl certificate host name
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4545

The update for curl in DSA-2798-1 uncovered a regression in the behaviour
of the curl command line tool (#729965). This update makes the --insecure
option disable host name verification as well.

For the oldstable distribution (squeeze), this problem has been fixed in
version 7.21.0-2.1+squeeze6.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy6.

For the testing (jessie) and unstable (sid) distributions, the curl
command line tool behaves as expected with the --insecure option.

For reference the original advisory text follows.

Scott Cantor discovered that curl, a file retrieval tool, would disable
the CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting
was disabled. This also disabled SSL certificate host name checks when
only verification of the certificate trust chain should have been
disabled.

The default configuration for the curl package is not affected by this
issue since CURLOPT_SSL_VERIFYPEER is enabled by default.
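The following is an added example, not code from Debian or from the curl project: it models the two libcurl switches the advisory names, CURLOPT_SSL_VERIFYPEER (certificate trust chain) and CURLOPT_SSL_VERIFYHOST (host name in the certificate), as independent checks, places the coupling that CVE-2013-4545 describes beside the intended behaviour, and also shows how the corrected command line tool maps --insecure onto both switches (the regression fixed in DSA-2798-2). All names here (FakeCert, dns_name_matches, name_in_cert, tls_accept_fixed, tls_accept_vulnerable, insecure_option_effect) are constructed for the illustration; the certificate is a constructed stand-in and chain validation is represented by a flag, since path building is not the point.

```python
# Added example (not Debian's or curl's code): CURLOPT_SSL_VERIFYPEER and
# CURLOPT_SSL_VERIFYHOST modelled as two independent checks.
from dataclasses import dataclass


@dataclass
class FakeCert:
    """Constructed stand-in for a parsed X.509 leaf certificate."""
    san_dns: list                 # dNSName entries from subjectAltName
    chain_valid: bool = True      # what path validation against the trust store would return


def dns_name_matches(host: str, pattern: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, and a single
    leading '*' label matches exactly one label (never 'a.b', and never an
    over-broad wildcard such as '*.com')."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                      # ".example.com"
    if suffix.count(".") < 2:                 # refuse wildcards like *.com
        return False
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def name_in_cert(cert: FakeCert, host: str) -> bool:
    """The host name check: does any SAN dNSName cover the requested host?"""
    return any(dns_name_matches(host, p) for p in cert.san_dns)


def tls_accept_fixed(cert, host, verifypeer=True, verifyhost=True):
    """Intended semantics: VERIFYPEER governs only the trust chain,
    VERIFYHOST governs only the name check, and either can be off alone."""
    if verifypeer and not cert.chain_valid:
        return False
    if verifyhost and not name_in_cert(cert, host):
        return False
    return True


def tls_accept_vulnerable(cert, host, verifypeer=True, verifyhost=True):
    """CVE-2013-4545 coupling: turning VERIFYPEER off silently turned the
    host name check off too, so an application that deliberately kept
    VERIFYHOST enabled got no name check at all."""
    if not verifypeer:
        verifyhost = False       # the defect the advisory describes
    return tls_accept_fixed(cert, host, verifypeer, verifyhost)


def insecure_option_effect(insecure: bool):
    """How the corrected command line tool (DSA-2798-2) maps --insecure onto
    the two library options: -k disables both checks, not only the chain.
    Returns (verifypeer, verifyhost)."""
    return (not insecure, not insecure)


if __name__ == "__main__":
    # Constructed scenario: a certificate issued for api.example.com is
    # presented on a connection to a different host name.
    cert = FakeCert(san_dns=["api.example.com"])
    # The library user disabled chain checking (say, a private test CA) but
    # left VERIFYHOST on, expecting the name still to be checked.
    print("vulnerable accepts mismatch:",
          tls_accept_vulnerable(cert, "evil.example.net", verifypeer=False))
    print("fixed rejects mismatch:",
          tls_accept_fixed(cert, "evil.example.net", verifypeer=False))
    print("--insecure ->", insecure_option_effect(True))
```

The point of the split is the second scenario: with the chain check off and the name check on, the fixed logic still refuses a certificate issued for a different name, which is exactly the check the coupling in the affected versions dropped.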

For the oldstable distribution (squeeze), this problem has been fixed in
version 7.21.0-2.1+squeeze5.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy5.

For the testing (jessie) and unstable (sid) distributions, this problem
has been fixed in version 7.33.0-1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2798-1                   security@debian.org
http://www.debian.org/security/                           Michael Gilbert
November 17, 2013                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : curl
Vulnerability  : unchecked ssl certificate host name
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4545

Scott Cantor discovered that curl, a file retrieval tool, would disable
the CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting
was disabled. This also disabled SSL certificate host name checks when
only verification of the certificate trust chain should have been
disabled.

The default configuration for the curl package is not affected by this
issue since CURLOPT_SSL_VERIFYPEER is enabled by default.

For the oldstable distribution (squeeze), this problem has been fixed in
version 7.21.0-2.1+squeeze5.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy5.

For the testing (jessie) and unstable (sid) distributions, this problem
has been fixed in version 7.33.0-1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----