Launchpad.net

CVE 2013-4545

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Related bugs and status

CVE-2013-4545 (Candidate) is related to these bugs:

Bug #1257872: CVE-2013-4545 - MitM attack/spoof

		In	Importance	Status
1257872	CVE-2013-4545 - MitM attack/spoof	curl (Ubuntu)	Undecided	Fix Released
1257872	CVE-2013-4545 - MitM attack/spoof	curl (Ubuntu Lucid)	Low	Fix Released
1257872	CVE-2013-4545 - MitM attack/spoof	curl (Ubuntu Precise)	Low	Fix Released
1257872	CVE-2013-4545 - MitM attack/spoof	curl (Ubuntu Quantal)	Low	Fix Released
1257872	CVE-2013-4545 - MitM attack/spoof	curl (Ubuntu Raring)	Low	Fix Released
1257872	CVE-2013-4545 - MitM attack/spoof	curl (Ubuntu Saucy)	Low	Fix Released

Bug #1258366: curl -k breaks for some certificates after USN-2048-1

		In	Importance	Status
1258366	curl -k breaks for some certificates after USN-2048-1	curl (Ubuntu)	Undecided	Fix Released
1258366	curl -k breaks for some certificates after USN-2048-1	curl (Debian)	Unknown	Fix Released
1258366	curl -k breaks for some certificates after USN-2048-1	curl (Ubuntu Lucid)	Undecided	Fix Released
1258366	curl -k breaks for some certificates after USN-2048-1	curl (Ubuntu Precise)	Undecided	Fix Released
1258366	curl -k breaks for some certificates after USN-2048-1	curl (Ubuntu Quantal)	Undecided	Fix Released
1258366	curl -k breaks for some certificates after USN-2048-1	curl (Ubuntu Raring)	Undecided	Invalid
1258366	curl -k breaks for some certificates after USN-2048-1	curl (Ubuntu Saucy)	Undecided	Invalid

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2013-4545

Related bugs and status

Related bugs

References