Packages
- curl - HTTP, HTTPS, and FTP client and client libraries
Details
Scott Cantor discovered that libcurl incorrectly verified CN and SAN name
fields when digital signature verification was disabled. When libcurl is
being used in this uncommon way by specific applications, an attacker could
exploit this to perform a machine-in-the-middle attack to view sensitive
information or alter encrypted communications.
Scott Cantor discovered that libcurl incorrectly verified CN and SAN name
fields when digital signature verification was disabled. When libcurl is
being used in this uncommon way by specific applications, an attacker could
exploit this to perform a machine-in-the-middle attack to view sensitive
information or alter encrypted communications.
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 13.10 saucy | libcurl3 – 7.32.0-1ubuntu1.1 | ||
| 13.04 raring | libcurl3 – 7.29.0-1ubuntu3.3 | ||
| 12.10 quantal | libcurl3 – 7.27.0-1ubuntu1.5 | ||
| 12.04 precise | libcurl3 – 7.22.0-3ubuntu4.4 | ||
| 10.04 lucid | libcurl3 – 7.19.7-1ubuntu1.4 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.