If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a bug in curl [CVE-2016-3739] that allows an attacker to bypass the full certificate check by presenting any valid certificate.
So, you might think you are connecting to https://example.com, when in fact the attacker has a certificate for any other domain.

We don't package mbedTLS, but I still think we should provide the fixed source code.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
https://curl.haxx.se/docs/adv_20160518.html

Leo Famulari (1):
  gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739].

 gnu/packages/curl.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--
2.8.4
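A local inventory check for the condition described in this message, added here as an example and not code from the patch, from curl or from Guix: it parses the first line of `curl --version` and reports a build as affected when it links mbedTLS (or PolarSSL) and predates the fixed 7.49.1 release. The sample banners are constructed, and treating every older mbedTLS/PolarSSL build as affected is an assumption, since the message gives no lower bound.

```python
import re
import subprocess

# Release that carries the fix, as stated in the message above. Assumption:
# every mbedTLS/PolarSSL build older than this is treated as affected.
FIXED_VERSION = (7, 49, 1)


def parse_curl_version(banner):
    """Return (version tuple, list of library names) from a `curl --version` banner.

    Constructed example of the first banner line:
    'curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 mbedTLS/2.2.1 zlib/1.2.8'
    """
    first = banner.strip().splitlines()[0]
    m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", first)
    if not m:
        raise ValueError("unrecognised curl banner: %r" % first)
    version = tuple(int(x) for x in m.groups())
    # Linked libraries appear as name/version tokens; the TLS backend is one of them.
    libraries = [tok.split("/")[0] for tok in first.split() if "/" in tok]
    return version, libraries


def affected_by_cve_2016_3739(banner):
    """True when the banner shows an mbedTLS/PolarSSL build older than 7.49.1."""
    version, libraries = parse_curl_version(banner)
    uses_mbedtls = any(lib.lower() in ("mbedtls", "polarssl") for lib in libraries)
    return uses_mbedtls and version < FIXED_VERSION


def check_local_curl():
    """Run the installed curl and apply the check to its banner."""
    out = subprocess.run(["curl", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return affected_by_cve_2016_3739(out)


if __name__ == "__main__":
    print("affected" if check_local_curl() else "not affected")
```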