CVE-2013-6422

Publication date 17 December 2013

Last updated 24 July 2024

Ubuntu priority

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
curl	13.10 saucy	Fixed 7.32.0-1ubuntu1.2
	13.04 raring	Fixed 7.29.0-1ubuntu3.4
	12.10 quantal	Fixed 7.27.0-1ubuntu1.7
	12.04 LTS precise	Fixed 7.22.0-3ubuntu4.6
	10.04 LTS lucid	Not affected

How can I get the fixes?
What do statuses mean?

Notes

seth-arnold

Similar to but different from CVE-2013-4545

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2058-1
curl vulnerability
18 December 2013

Other references

http://curl.haxx.se/docs/adv_20131217.html
https://www.cve.org/CVERecord?id=CVE-2013-6422