
Comedic derision appreciated :)

However this is a pretty damn serious oversight.

I've just shut down my MacBook and picked up my ThinkPad.




Mac OS is not vulnerable


It appears to be, per https://gist.github.com/rmoriz/fb2b0a6a0ce10550ab73 (and my own testing on OS X 10.9.1).


Not in 10.9.2 which is using the same curl version: http://pastebin.com/AZ38WYaB


Why wasn't it mentioned in Apple's release notes?


The patch isn't ready for OS X. It will be in the next minor OS update.

Bad Apple.


I'm able to reproduce your results with cURL. However, Safari on OS X correctly shows a warning. Can anybody explain that?


OK, the answer to that is at the end of Adam Langley's analysis: https://www.imperialviolet.org/2014/02/22/applebug.html

The lack of hostname checking for IP addresses in Apple's cURL is a completely different problem.


cURL uses OpenSSL, Safari uses Apple's Secure Transport.


That's not correct. The cURL version shipped with OS X uses SecureTransport.


No, but it says something about the quality I can expect from the black boxes that Apple provides me with. And it's not a good thing.


Lock screen has been vulnerable with a bypass exploit on several occasions so caution is probably a good idea. Way too many times to give me any sort of confidence.



