Mercurial Mercurial > upstream > oracle > userland-gate / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/curl/patches/010-CVE-2013-4545.patch
branchs11-update
changeset 2824 ed80ca124641
equal deleted inserted replaced
2823:4650282513ce 2824:ed80ca124641 
       
     1 CVE-2013-4545: Setting only CURLOPT_SSL_VERIFYHOST without 
       
     2 CURLOPT_SSL_VERIFYPEER set should still verify that the host 
       
     3 name fields in the server certificate is fine or return failure.
 
       
     4 
       
     5 Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html
 
       
     6 Reported-by: Ishan SinghLevett
 
       
     7 
       
     8 Relevant upstream patch at:
 
       
     9 https://github.com/bagder/curl/commit/3c3622b6
 
       
    10 
       
    11 --- lib/ssluse.c.orig	2013-11-18 06:59:53.408117483 -0800
 
       
    12 +++ lib/ssluse.c	2013-11-18 07:00:26.212993187 -0800
 
       
    13 @@ -2357,7 +2357,7 @@
 
       
    14     * operations.
 
       
    15     */
 
       
    16  
       
    17 -  if(!data->set.ssl.verifypeer)
 
       
    18 +  if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
 
       
    19      (void)servercert(conn, connssl, FALSE);
 
       
    20    else
 
       
    21      retcode = servercert(conn, connssl, TRUE);
upstream/oracle/userland-gate