Home / mailings [USN-2048-2] curl regression
Posted on 06 December 2013
Ubuntu Security==========================
==========================
========================
Ubuntu Security Notice USN-2048-2
December 06, 2013
curl regression
==========================
==========================
========================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
USN-2048-1 introduced a regression in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
USN-2048-1 fixed a vulnerability in curl. The security fix uncovered a bu=
g
in the curl command line tool which resulted in the --insecure (-k) optio=
n
not working as intended. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Scott Cantor discovered that libcurl incorrectly verified CN and SAN nam=
e
fields when digital signature verification was disabled. When libcurl is=
being used in this uncommon way by specific applications, an attacker co=
uld
exploit this to perform a man in the middle attack to view sensitive
information or alter encrypted communications.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libcurl3 7.27.0-1ubuntu1.6
Ubuntu 12.04 LTS:
libcurl3 7.22.0-3ubuntu4.5
Ubuntu 10.04 LTS:
libcurl3 7.19.7-1ubuntu1.5
In general, a standard system update will make all the necessary changes.=
References:
http://www.ubuntu.com/usn/usn-2048-2
http://www.ubuntu.com/usn/usn-2048-1
https://launchpad.net/bugs/1258366
Package Information:
https://launchpad.net/ubuntu/+source/curl/7.27.0-1ubuntu1.6
https://launchpad.net/ubuntu/+source/curl/7.22.0-3ubuntu4.5
https://launchpad.net/ubuntu/+source/curl/7.19.7-1ubuntu1.5
