Upstream information

CVE-2013-4545 at MITRE

Description

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disable the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

SUSE information

CVSS v2 Scores (National Vulnerability Database)
Base Score: 4.30
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
SUSE Bugzilla entries: 849596 [RESOLVED / FIXED], 870444 [RESOLVED / FIXED], 880252 [RESOLVED / FIXED], 882520 [CLOSED / FIXED], 924250 [RESOLVED / ]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Desktop 11 SP2
  • curl >= 7.19.7-1.20.29.1
  • libcurl4 >= 7.19.7-1.20.29.1
  • libcurl4-32bit >= 7.19.7-1.20.29.1
Patchnames:
sledsp2-curl
SUSE Linux Enterprise Desktop 11 SP3
  • curl >= 7.19.7-1.30.1
  • libcurl4 >= 7.19.7-1.30.1
  • libcurl4-32bit >= 7.19.7-1.30.1
Patchnames:
sledsp3-curl
SUSE Linux Enterprise Desktop 12
  • curl >= 7.37.0-2.5
  • libcurl4 >= 7.37.0-2.5
  • libcurl4-32bit >= 7.37.0-2.5
Patchnames:
SUSE Linux Enterprise Desktop 12 GA curl
SUSE Linux Enterprise Desktop 12 SP1
  • curl >= 7.37.0-15.1
  • libcurl4 >= 7.37.0-15.1
  • libcurl4-32bit >= 7.37.0-15.1
Patchnames:
SUSE Linux Enterprise Desktop 12 SP1 GA curl
SUSE Linux Enterprise Desktop 12 SP2
  • curl >= 7.37.0-28.1
  • libcurl4 >= 7.37.0-28.1
  • libcurl4-32bit >= 7.37.0-28.1
Patchnames:
SUSE Linux Enterprise Desktop 12 SP2 GA curl
SUSE Linux Enterprise Server 11 SP2
  • curl >= 7.19.7-1.20.29.1
  • libcurl4 >= 7.19.7-1.20.29.1
  • libcurl4-32bit >= 7.19.7-1.20.29.1
  • libcurl4-x86 >= 7.19.7-1.20.31.1
Patchnames:
slessp2-curl
SUSE Linux Enterprise Server 11 SP3
  • curl >= 7.19.7-1.30.1
  • libcurl4 >= 7.19.7-1.30.1
  • libcurl4-32bit >= 7.19.7-1.30.1
  • libcurl4-x86 >= 7.19.7-1.38.1
Patchnames:
slessp3-curl
SUSE Linux Enterprise Server 11 SP4
  • curl >= 7.19.7-1.42.1
  • libcurl4 >= 7.19.7-1.42.1
  • libcurl4-32bit >= 7.19.7-1.42.1
  • libcurl4-x86 >= 7.19.7-1.42.1
Patchnames:
SUSE Linux Enterprise Server 11 SP4 GA curl
SUSE Linux Enterprise Server 12
  • curl >= 7.37.0-2.5
  • libcurl4 >= 7.37.0-2.5
  • libcurl4-32bit >= 7.37.0-2.5
Patchnames:
SUSE Linux Enterprise Server 12 GA curl
SUSE Linux Enterprise Server 12 SP1
  • curl >= 7.37.0-15.1
  • libcurl4 >= 7.37.0-15.1
  • libcurl4-32bit >= 7.37.0-15.1
Patchnames:
SUSE Linux Enterprise Server 12 SP1 GA curl
SUSE Linux Enterprise Server 12 SP2
  • curl >= 7.37.0-28.1
  • libcurl4 >= 7.37.0-28.1
  • libcurl4-32bit >= 7.37.0-28.1
Patchnames:
SUSE Linux Enterprise Server 12 SP2 GA curl
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  • curl >= 7.37.0-28.1
  • libcurl4 >= 7.37.0-28.1
Patchnames:
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 GA curl
SUSE Linux Enterprise Server for VMWare 11 SP2
  • curl >= 7.19.7-1.20.29.1
  • libcurl4 >= 7.19.7-1.20.29.1
  • libcurl4-32bit >= 7.19.7-1.20.29.1
  • libcurl4-x86 >= 7.19.7-1.20.31.1
Patchnames:
slessp2-curl
SUSE Linux Enterprise Server for VMWare 11 SP3
  • curl >= 7.19.7-1.30.1
  • libcurl4 >= 7.19.7-1.30.1
  • libcurl4-32bit >= 7.19.7-1.30.1
  • libcurl4-x86 >= 7.19.7-1.38.1
Patchnames:
slessp3-curl
SUSE Linux Enterprise Software Development Kit 11 SP2
  • libcurl-devel >= 7.19.7-1.20.29.1
Patchnames:
sdksp2-curl
SUSE Linux Enterprise Software Development Kit 11 SP3
  • libcurl-devel >= 7.19.7-1.30.1
Patchnames:
sdksp3-curl
SUSE Linux Enterprise Software Development Kit 11 SP4
  • libcurl-devel >= 7.19.7-1.42.1
Patchnames:
SUSE Linux Enterprise Software Development Kit 11 SP4 GA libcurl-devel
SUSE Linux Enterprise Software Development Kit 12
  • libcurl-devel >= 7.37.0-2.5
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 GA libcurl-devel
SUSE Linux Enterprise Software Development Kit 12 SP1
  • libcurl-devel >= 7.37.0-15.1
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 SP1 GA libcurl-devel
SUSE Linux Enterprise Software Development Kit 12 SP2
  • libcurl-devel >= 7.37.0-28.1
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 SP2 GA libcurl-devel
SUSE Studio Onsite 1.3
  • libcurl-devel >= 7.19.7-1.20.29.1
Patchnames:
slestso13-curl
SUSE Linux Enterprise Software Development Kit 11 SP2
SUSE Studio Onsite 1.3
  • libcurl-devel >= 7.19.7-1.20.29.1
Builds
SAT Patch Nr: 8621
SUSE Linux Enterprise Desktop 11 SP2
SUSE Linux Enterprise Server 11 SP2
SUSE Linux Enterprise Server 11 SP2 for VMware
  • curl >= 7.19.7-1.20.29.1
  • libcurl4 >= 7.19.7-1.20.29.1
Builds
SAT Patch Nr: 8621
SUSE Linux Enterprise Desktop 11 SP2
SUSE Linux Enterprise Server 11 SP2
SUSE Linux Enterprise Server 11 SP2 for VMware
  • curl >= 7.19.7-1.20.29.1
  • libcurl4 >= 7.19.7-1.20.29.1
  • libcurl4-32bit >= 7.19.7-1.20.29.1
Builds
SAT Patch Nr: 8621
SUSE Linux Enterprise Server 11 SP2
  • curl >= 7.19.7-1.20.29.1
  • libcurl4 >= 7.19.7-1.20.29.1
  • libcurl4-x86 >= 7.19.7-1.20.29.1
Builds
SAT Patch Nr: 8621
SUSE Linux Enterprise Software Development Kit 11 SP3
  • libcurl-devel >= 7.19.7-1.30.1
Builds
SAT Patch Nr: 8617
SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
  • curl >= 7.19.7-1.30.1
  • libcurl4 >= 7.19.7-1.30.1
Builds
SAT Patch Nr: 8617
SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
  • curl >= 7.19.7-1.30.1
  • libcurl4 >= 7.19.7-1.30.1
  • libcurl4-32bit >= 7.19.7-1.30.1
Builds
SAT Patch Nr: 8617
SUSE Linux Enterprise Server 11 SP3
  • curl >= 7.19.7-1.30.1
  • libcurl4 >= 7.19.7-1.30.1
  • libcurl4-x86 >= 7.19.7-1.30.1
Builds
SAT Patch Nr: 8617
openSUSE 13.1
  • curl >= 7.32.0-2.4.1
  • curl-debuginfo >= 7.32.0-2.4.1
  • curl-debugsource >= 7.32.0-2.4.1
  • libcurl-devel >= 7.32.0-2.4.1
  • libcurl4 >= 7.32.0-2.4.1
  • libcurl4-32bit >= 7.32.0-2.4.1
  • libcurl4-debuginfo >= 7.32.0-2.4.1
  • libcurl4-debuginfo-32bit >= 7.32.0-2.4.1
Patchnames:
openSUSE-2013-964
openSUSE 13.2
  • curl >= 7.38.0-1.2
  • libcurl-devel >= 7.38.0-1.2
  • libcurl4 >= 7.38.0-1.2
Patchnames:
openSUSE 13.2 GA curl
openSUSE Evergreen 11.4
  • curl >= 7.21.2-37.1
  • curl-debuginfo >= 7.21.2-37.1
  • libcurl-devel >= 7.21.2-37.1
  • libcurl4 >= 7.21.2-37.1
  • libcurl4-32bit >= 7.21.2-37.1
  • libcurl4-debuginfo >= 7.21.2-37.1
  • libcurl4-debuginfo-32bit >= 7.21.2-37.1
  • libcurl4-debuginfo-x86 >= 7.21.2-37.1
  • libcurl4-x86 >= 7.21.2-37.1
Patchnames:
2013-168
openSUSE Leap 42.1
  • curl >= 7.37.0-5.2
  • libcurl-devel >= 7.37.0-5.2
  • libcurl4 >= 7.37.0-5.2
Patchnames:
openSUSE Leap 42.1 GA curl
openSUSE Leap 42.2
  • curl >= 7.37.0-15.1
  • libcurl-devel >= 7.37.0-15.1
  • libcurl4 >= 7.37.0-15.1
Patchnames:
openSUSE Leap 42.2 GA curl
openSUSE Tumbleweed
  • curl >= 7.51.0-1.1
  • libcurl-devel >= 7.51.0-1.1
  • libcurl-devel-32bit >= 7.51.0-1.1
  • libcurl4 >= 7.51.0-1.1
  • libcurl4-32bit >= 7.51.0-1.1
Patchnames:
openSUSE Tumbleweed GA curl