Bug 849596 (CVE-2013-4545) - VUL-0: CVE-2013-4545: curl: ssl cert checks unclear behaviour
Summary: VUL-0: CVE-2013-4545: curl: ssl cert checks unclear behaviour
Status: RESOLVED FIXED
Alias: CVE-2013-4545
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Deadline: 2013-12-16
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:55300:moderate maint:re...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-08 15:08 UTC by Marcus Meissner
Modified: 2018-10-19 18:16 UTC
CC: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Comment 5 Marcus Meissner 2013-11-27 21:05:40 UTC
was made public in between

http://curl.haxx.se/docs/security.html


libcurl is vulnerable to a case of missing out the checking of the certificate CN or SAN name field when the digital signature verification is turned off - when built to use OpenSSL.

libcurl offers two separate and independent options for verifying a server's TLS certificate: CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. The first one tells libcurl to verify the trust chain using a CA cert bundle, while the second tells libcurl to make sure that the name fields in the server certificate meet the criteria. Both options are enabled by default.

This flaw had the effect that when an application disabled CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also disabled the CURLOPT_SSL_VERIFYHOST check. Applications can disable CURLOPT_SSL_VERIFYPEER and still achieve security by doing the check on their own using other means.

https://github.com/bagder/curl/commit/3c3622b6
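The advisory quoted in comment 5 describes two independent checks: chain trust (CURLOPT_SSL_VERIFYPEER) and the CN/SAN name check (CURLOPT_SSL_VERIFYHOST), and the bug was that disabling the first silently disabled the second in OpenSSL builds. The following is an added reference implementation of the name check and of the independent-check policy, written for this page; it is not libcurl's code and does not parse certificates. The certificate is assumed to be already decoded into its SAN dNSName list and subject CN (the sample certificate values below are constructed). The matching rules (SAN dNSNames take precedence and the CN is only a fallback when no dNSName is present; case-insensitive comparison; a wildcard only as the whole leftmost label, never matching across a dot, and never for a name with fewer than three labels) follow RFC 6125 / RFC 2818 practice, which is what a VERIFYHOST-style check is expected to enforce.

```python
from typing import Iterable, Optional, Dict, List


def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name (possibly with a leftmost wildcard)
    against a hostname, case-insensitively, ignoring a trailing dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    # Wildcard accepted only as the entire leftmost label of a name with
    # at least three labels ("*.example.net" ok, "*.com" and "w*.x.y" rejected).
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    # A wildcard label matches exactly one non-empty label, never "a.b".
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False
    return hlabels[1:] == plabels[1:]


def hostname_matches(host: str, san_dns: Iterable[str], subject_cn: Optional[str]) -> bool:
    """The name check that CURLOPT_SSL_VERIFYHOST=2 is meant to perform:
    if the certificate carries any SAN dNSName, only those are consulted;
    otherwise fall back to the subject CN."""
    san_dns = list(san_dns)
    if san_dns:
        return any(_name_matches(n, host) for n in san_dns)
    if subject_cn is None:
        return False
    return _name_matches(subject_cn, host)


def accept_connection(host: str, cert: Dict[str, object], chain_trusted: bool,
                      verifypeer: bool, verifyhost: bool) -> bool:
    """Policy with the two checks kept independent, as the advisory requires.
    The CVE-2013-4545 behaviour was, in effect, to skip the name check
    whenever verifypeer was False; here verifypeer only gates the chain check."""
    if verifypeer and not chain_trusted:
        return False
    if verifyhost and not hostname_matches(host, cert["san_dns"], cert["cn"]):
        return False
    return True


# Constructed sample certificate identity (not from any real server):
# SAN dNSNames cover example.net; the CN names an unrelated host and
# must be ignored because dNSNames are present.
SAMPLE_CERT: Dict[str, object] = {
    "san_dns": ["*.example.net", "example.net"],
    "cn": "ignored.example.org",
}


def demo() -> List[bool]:
    """Exercise the check; VERIFYPEER is off and the chain is untrusted in
    both calls, so only the name check decides."""
    return [
        accept_connection("www.example.net", SAMPLE_CERT, chain_trusted=False,
                          verifypeer=False, verifyhost=True),      # True
        accept_connection("ignored.example.org", SAMPLE_CERT, chain_trusted=False,
                          verifypeer=False, verifyhost=True),      # False
    ]


if __name__ == "__main__":
    print(demo())
```

The second `demo()` call is the case an affected libcurl got wrong: with VERIFYPEER off, a certificate whose names do not cover the requested host was accepted even though VERIFYHOST was left at its default. An application that disables VERIFYPEER to do its own trust decision (certificate pinning, a private CA checked out of band) still needs this name check to run, and on an affected build it has to perform it itself.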
Comment 6 Bernhard Wiedemann 2013-11-29 20:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (849596) was mentioned in
https://build.opensuse.org/request/show/208934 Factory / curl
Comment 8 Swamp Workflow Management 2013-12-02 12:33:14 UTC
The SWAMPID for this issue is 55299.
This issue was rated as moderate.
Please submit fixed packages until 2013-12-16.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 9 Swamp Workflow Management 2013-12-02 12:33:23 UTC
The SWAMPID for this issue is 55300.
This issue was rated as moderate.
Please submit fixed packages until 2013-12-16.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 Bernhard Wiedemann 2013-12-02 16:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (849596) was mentioned in
https://build.opensuse.org/request/show/209177 13.1+12.2+12.3 / curl
Comment 15 Marcus Meissner 2013-12-04 15:45:26 UTC
SUSE Linux Enterprise 10 and 9 are not affected by this problem.

as only curl >= 7.18.0 has the problem, http://curl.haxx.se/docs/security.html#20131115


back to security-team
Comment 16 Swamp Workflow Management 2013-12-12 17:04:29 UTC
openSUSE-SU-2013:1859-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 849596
CVE References: CVE-2013-4545
Sources used:
openSUSE 13.1 (src):    curl-7.32.0-2.4.1
openSUSE 12.3 (src):    curl-7.28.1-4.21.1
openSUSE 12.2 (src):    curl-7.25.0-2.20.1
Comment 17 Swamp Workflow Management 2013-12-12 18:04:23 UTC
openSUSE-SU-2013:1865-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 849596
CVE References: CVE-2013-4545
Sources used:
openSUSE 11.4 (src):    curl-7.21.2-37.1
Comment 18 Swamp Workflow Management 2014-01-02 16:04:22 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 19 Swamp Workflow Management 2014-01-02 17:51:44 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit, libcurl4-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 20 Swamp Workflow Management 2014-01-02 18:51:15 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit, libcurl4-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 21 Swamp Workflow Management 2014-01-02 21:04:36 UTC
SUSE-SU-2014:0002-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 810760,849596
CVE References: CVE-2013-4545
Sources used:
SUSE Studio Onsite 1.3 (src):    curl-7.19.7-1.20.29.1
SUSE Linux Enterprise Software Development Kit 11 SP2 (src):    curl-7.19.7-1.20.29.1
SUSE Linux Enterprise Server 11 SP2 for VMware (src):    curl-7.19.7-1.20.29.1
SUSE Linux Enterprise Server 11 SP2 (src):    curl-7.19.7-1.20.29.1
SUSE Linux Enterprise Desktop 11 SP2 (src):    curl-7.19.7-1.20.29.1
Comment 22 Swamp Workflow Management 2014-01-02 22:04:37 UTC
SUSE-SU-2014:0004-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 849596
CVE References: CVE-2013-4545
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    curl-7.19.7-1.30.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    curl-7.19.7-1.30.1
SUSE Linux Enterprise Server 11 SP3 (src):    curl-7.19.7-1.30.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    curl-7.19.7-1.30.1