Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.1653.2 curl security update 21 November 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: curl Publisher: Debian Operating System: Debian GNU/Linux 6 Debian GNU/Linux 7 UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2013-4545 Original Bulletin: http://www.debian.org/security/2013/dsa-2798 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running curl check for an updated version of the software for their operating system. Revision History: November 21 2013: Updated to reflect curl regression and fix November 18 2013: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-2798-2 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso November 20, 2013 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : curl Vulnerability : unchecked ssl certificate host name Problem type : remote Debian-specific: no CVE ID : CVE-2013-4545 The update for curl in DSA-2798-1 uncovered a regression affecting the curl command line tool behaviour (#729965). This update disables host verification too when using the --insecure option. For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze6. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy6. For the testing (jessie) and unstable (sid) distributions, the curl command line tool behaves as expected with the --insecure option. For reference the original advisory text follows. Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain. The default configuration for the curl package is not affected by this issue since CURLOPT_SSLVERIFYPEER is enabled by default. For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze5. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy5. For the testing (jessie) and unstable (sid) distributions, this problem has been fixed in version 7.33.0-1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSjTSeAAoJEAVMuPMTQ89E+bMP/jxYqQsDtXJxFvefUBDI4Mki 3j6l+WsSd+GhEx/Sp7CYpUYmNjfybYZl2MdXeOfyB3czF3saBhpEo4/wXeLEJuQD PjA52GRvnfE4/pDnAIcHhbkfrI2MSJMU+NUpC2d2Zy2YAgQoeSBftSb91xZ9B1SI jbuiKNrSgIgcusBSmNFCXb4TdkCVhGi37B7J7NO9rPR6n6yBvX1xsIEJYOGJeMxL S9OWwbmcwjCdN6feNVK99YgfmEmRGLTpMosAmJSNN4KXa+OSr+g9Y+NHkve+CYy/ GmKX/MInXaWdcRk4LoyEdQ8idhWdJEdPe7ZEoLttSGnfLUyXBzTVKbK5Ugx6RYM8 1NbKYZVGYfQAOwjIbKgGn0F5eQDi+OiXh1JleyLa7y8pvk+7tq6pOKAsa9H2rDsn nVTVzOs6qIDdjESndLEUNG+JJJpkpB/MOAfdAx4KHKS7GQ+quMg99azUdSmDRFbC EN8XA8JrC0LOSeUJiiZTdRgOpjlTKgXUHKrr9Z0Ft/U/uWxK9pX5nTcaw/WwI+vQ Ms7yx0i0WrTvGkTXLHx+JeGrPcvjNxX8muTEq07ZkceDjZIefmZs0J139Xd+OSn1 M506eYcVgf4WNj8swR0h20S8eTA0BsNxXVOHmn113bwd95GxaTM4pKtANHuKLV3l Jq399e4/SnX3FWtSPFuK =v0Ra - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-2798-1 security@debian.org http://www.debian.org/security/ Michael Gilbert November 17, 2013 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : curl Vulnerability : unchecked ssl certificate host name Problem type : remote Debian-specific: no CVE ID : CVE-2013-4545 Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain. The default configuration for the curl package is not affected by this issue since CURLOPT_SSLVERIFYPEER is enabled by default. For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze5. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy5. For the testing (jessie) and unstable (sid) distributions, this problem has been fixed in version 7.33.0-1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQQcBAEBCgAGBQJSiQsLAAoJELjWss0C1vRzQGIgALaZ2hMss994mMwamhfBl4qA OU9sxfNCQyJ58GZ+77BYgHxDAnsbBCuD6agfmWADePmo+HUghUkorDrlqyZCaZvH lwnlJUadnwYphTx4qV0S2eSP2h9nf2gOCSA15sX5vPZqtEPLwhTiHqHKMKpWu0W3 Lxx1WqP8n/ZWc4eZ2+cYdLsGrYyqU5xuB7oFbWb4pzTirJrlzEl/dx+26hEYOYB7 6gEBDRXFq1TmbLXNUxaTFDiK97rZ45dFPKkU1M0gDJw0IVOOzRN8k9zy0ol5efRP nHGozCQsigrRHxeqHCpEjBcitnVza14A1X3f4JEs2/g9rkMl6yBZJHVARJZjhrK+ Jryd+2bI5Ta+OVJqPc9wQXMI4Qg9dpv0wFmf3JBUXkNdCBHxoFkKaUZ/CA7rDln7 DAI71oVDMln5GKBTsR8HbXaTWSq0joBe2vpsk0EA9zSBjLmPx0o9pnagbfSs7OIC D0POv0ndtl7bazzF5mXEZ/9GRO5jLLfSvOcDFiTYURGUl1UhIjGD7CAKH/CL8OLF hKN8RErebomruGZxzfA94DwsmFp41/QhMI93/3tZAa8CfqogAgIzC8+sqeunQDZD aVuF6w6ZVOr4p1h67pQq1gq0QgOSxCDRcukoNcC7pr4V48GjLZhN4XwCZRsAF+ey Wy3iPsNgWPYHrqTqDYx9qosYeWkbUWc8YaqrVCIZDzEsOscrABhEkChJDb3Liptw BHnU+L10SUaX4sVQT2GjeAR9CC4/AmZ2ZE09G5dDFH+p1YuSWeprAQZUzTVgPKk3 /An5jXNSR1lv3nGxulCHovEB3vQnsgg4Ne6gTVD9Jkb+L8zBPZs51nEHdbKdYX52 SB43OhJG3idwvnKhy1AEEzsNBBbUcPYaRFTYhC4XEr7aoqky2GM9bCtoDwX0j48l voGAnpjXkSrZhmLNFUrReDvtPPrsWaWR4QGXeQ+5v+Hl8shnbDLmbYyHvt+UDkjI JW/cyBlVbIIG5NXajQt/fo8Mjh65PhJ77nLuk3JWlWKP/Li5fpK230Rvkl6KQD6x lEefVVbpHnvAlJ0Y+KWHTBcmJoSQk1SmgyXvp+EjSKZeDYD3U5UzrPKlIwy4HLaK mca1leHii8OGOdysuL+wbeSAFy2NzjC9GtJBPeKhxq5/gjo/rGIvI+4grMvitPUQ CVDCsCoxDcSnmkW6tWJvoIUyeZgHDDdYJ6g8JuWGbrx6xJgnXeLIHKrkzYDsYBx5 P0hs1l9thof02cZXJ2ehWNwEvBvOldKU6gSsB7/xK5H8Pen0QNWeaKFbKBn9++Bz DvlZM7Rp/Nm3cfYojuc8oeydPPyO5TwIpgXcJe6n3xbTQM2FlJ01/5PHTnf+mSo= =6NFF - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUo1yQBLndAQH1ShLAQLTAhAAlMaTdprmlr+wtmEPlBDgC1OH7Ycqj8xp xp4DhIA474DvVDe+A0CM4y3PGWJjBzOzuPNpn8cfkuTO0REwb8PdwpNbXcjaxmef nsM5rqpYufU/vMw41CeL2q1l/zGwuxBHdwshkMB2PhQbxs99AVUUbiYYIt0V0Bus xz0B+JPLDUG8WSiogS65zEBELfSfbCEFMHjNNtunQYMF8QydjZw6bPdLpSdU8ded ei6itI1zhu6yvnc3voM1f6SUDTuXdKnjeIyuOzbYxepy2L95OMtI1N5xUx9vV/7b bTFaQsZNct+dNyKQJE0yqCOR1XOoOdjogJ3h5FQrb/GPdBfQM0lbSWOeUpIaDsDn kzYELo8UlzPJQvddAT1PHq7wi8GijXhDCEUzkvTdlK/YPBr7tkOonr+E1BdaDP4x Fs8Hv4FcBJLZsRd5CuxPwnj8U7GNrOKgiWuorzJsBFyRhYkxgTknAqepWvc042GC gUnUG+UTygONTR6m8XWNkUbucqFjD9jv0knusK0k14eSJby9djomueP/8LKMDmYd 2BMaUjEKgsAs4U6XzZIIRHy/fRneko+zB6iIK9+IU6r3dNvPvEp85rhzPy45T4Sp YhGKylU082ZWHQvfT2dAt5Oqz3GP7owCHjeD587XPnKyxLyyGd0XFE1eezFevMGk FTr7/NqoECA= =WouB -----END PGP SIGNATURE-----