
Security: Insufficient certificate verification in curl
Name: Insufficient certificate verification in curl
ID: USN-2058-1
Distribution: Ubuntu
Platforms: Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.04, Ubuntu 13.10
Date: Wed, 18 December 2013, 16:37
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6422
Applications: curl

Original message

==========================================================================
Ubuntu Security Notice USN-2058-1
December 18, 2013

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Fraudulent security certificates could allow sensitive information to be
exposed when accessing the Internet.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Marc Deslauriers discovered that libcurl incorrectly verified CN and SAN
name fields when digital signature verification was disabled in the GnuTLS
backend. When libcurl is being used in this uncommon way by specific
applications, an attacker could exploit this to perform a man in the middle
attack to view sensitive information or alter encrypted communications.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
libcurl3-gnutls 7.32.0-1ubuntu1.2

Ubuntu 13.04:
libcurl3-gnutls 7.29.0-1ubuntu3.4

Ubuntu 12.10:
libcurl3-gnutls 7.27.0-1ubuntu1.7

Ubuntu 12.04 LTS:
libcurl3-gnutls 7.22.0-3ubuntu4.6

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2058-1
CVE-2013-6422

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.32.0-1ubuntu1.2
https://launchpad.net/ubuntu/+source/curl/7.29.0-1ubuntu3.4
https://launchpad.net/ubuntu/+source/curl/7.27.0-1ubuntu1.7
https://launchpad.net/ubuntu/+source/curl/7.22.0-3ubuntu4.6


