Bug 35874

Summary: curl: Multiple issues (3.2)
Product: UCS
Reporter: Moritz Muehlenhoff <jmm>
Component: Security updates
Assignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED
QA Contact: Philipp Hahn <hahn>
Severity: normal
Priority: P2
CC: gohmann, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 3.2-3-errata
Hardware: Other
OS: Linux

Description Moritz Muehlenhoff univentionstaff 2014-09-10 23:18:11 CEST
Information leak in cookie handling (CVE-2014-3613, CVE-2014-3620)
Comment 1 Janek Walkenhorst univentionstaff 2014-09-24 15:21:24 CEST
(In reply to Moritz Muehlenhoff from comment #0)
> Information leak in cookie handling (CVE-2014-3613, CVE-2014-3620)
CVE-2014-3620 only affects versions 7.31.0 and later
Comment 2 Janek Walkenhorst univentionstaff 2014-10-17 14:28:12 CEST
Tests (amd64): OK
Advisory: 2014-10-16-curl.yaml
Comment 3 Philipp Hahn univentionstaff 2014-10-23 10:20:20 CEST
OK: announce_errata -V 2014-10-16-curl.yaml
OK: 2014-10-16-curl.yaml
FYI: "curl" is more than just an "HTTP lib": it supports DICT, FILE, FTP, FTPS, Gopher, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, Telnet and TFTP.
OK: /usr/share/doc/libcurl3/changelog.Debian.gz
OK: CVE-2014-3620 not affected
OK: dpkg-query -W libcurl\* curl
OK: amd64 i386
OK: curl https://www.univention.de/
OK: curl ftp://ftp.kernel.org/
OK: curl http://$USER:$PASSWORD@$HOST/$PATH/
OK: curl imaps://$USER:$PASSWORD@$HOST/
Comment 4 Janek Walkenhorst univentionstaff 2014-10-30 14:13:41 CET
http://errata.univention.de/ucs/3.2/228.html