CVE-2013-6422

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPTSSLVERIFYPEER), also disables the CURLOPTSSLVERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

References

http://curl.haxx.se/docs/adv_20131217.html
http://www.debian.org/security/2013/dsa-2824
http://www.ubuntu.com/usn/USN-2058-1
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322

CVE-2013-6422

Affected packages