components/curl/patches/010-CVE-2013-4545.patch
author Petr Nyc <Petr.Nyc@Oracle.COM>
Wed, 08 Oct 2014 05:29:12 -0700
branch s11u2-sru
changeset 3375 3724eda7445e
parent 2824 ed80ca124641
permissions -rw-r--r--
Added tag 0.175.2.4.0.2.0, S11.2SRU4.2 for changeset 76667b0a9357

CVE-2013-4545: Setting only CURLOPT_SSL_VERIFYHOST without 
CURLOPT_SSL_VERIFYPEER set should still verify that the host 
name fields in the server certificate are fine or return failure.

Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html
Reported-by: Ishan SinghLevett

Relevant upstream patch at:
https://github.com/bagder/curl/commit/3c3622b6

--- lib/ssluse.c.orig	2013-11-18 06:59:53.408117483 -0800
+++ lib/ssluse.c	2013-11-18 07:00:26.212993187 -0800
@@ -2357,7 +2357,7 @@
    * operations.
    */
 
-  if(!data->set.ssl.verifypeer)
+  if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
     (void)servercert(conn, connssl, FALSE);
   else
     retcode = servercert(conn, connssl, TRUE);
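
Review bot: In the `else` branch, `servercert(conn, connssl, TRUE)` now also runs when only `verifyhost` is set and `verifypeer` is off, and the hunk does not show what the third argument controls beyond the host name check. Please confirm that the strict path inside `servercert` still gates issuer and chain failures on `data->set.ssl.verifypeer`, so that a verifyhost-only configuration fails on a host name mismatch, as the description states, and not on an untrusted chain. The comment ending in "operations." above the condition is left unchanged; a sentence there saying that the non-strict call is taken only when both options are off would keep it in step with the new condition.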