Bug 36468

Summary: curl: Multiple issues (3.2)
Product: UCS
Reporter: Moritz Muehlenhoff <jmm>
Component: Security updates
Assignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: best, requate
Version: UCS 3.2
Flags: requate: Patch_Available+
Target Milestone: UCS 3.2-6-errata
Hardware: Other
OS: Linux

Description Moritz Muehlenhoff univentionstaff 2014-11-05 23:36:19 CET
Information leak in curl_easy_duphandle() (CVE-2014-3707)
Comment 1 Moritz Muehlenhoff univentionstaff 2015-01-08 15:01:04 CET
CVE-2014-8150

When libcurl sends a request to a server via an HTTP proxy, it copies the entire URL into the request and sends it off.

If the given URL contains line feeds and carriage returns, those will be sent along to the proxy too, which allows a program to, for example, send a separate HTTP request embedded in the URL.
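The injection described in this comment can be stopped on the calling side before the URL reaches libcurl. The following is an added example (not code from curl, UCS or this bug), assuming the client builds the proxy request line as `GET <absolute-url> HTTP/1.1` and that any C0 control character or space in the URL is treated as unsafe:

```python
import re

# Characters that must never reach the proxy request line unencoded:
# CR/LF end the line, other controls and space break request-line parsing.
# (Assumption: a stricter policy than the bare CVE description requires.)
_CTRL = re.compile(r"[\x00-\x20\x7f]")


def has_request_line_injection(url: str) -> bool:
    """True if copying the URL verbatim into 'GET <url> HTTP/1.1' would
    terminate the request line early or append extra lines."""
    return _CTRL.search(url) is not None


def sanitize_proxy_url(url: str) -> str:
    """Percent-encode control characters in the path/query/fragment so the
    URL stays on one request line. Control characters in scheme or host are
    rejected, because encoding them there would change the destination."""
    scheme_end = url.find("://")
    if scheme_end == -1:
        raise ValueError("not an absolute URL")
    after_auth = url[scheme_end + 3:]
    m = re.search(r"[/?#]", after_auth)
    auth_end = scheme_end + 3 + (m.start() if m else len(after_auth))
    authority, rest = url[:auth_end], url[auth_end:]
    if _CTRL.search(authority):
        raise ValueError("control character in scheme or host")
    return authority + _CTRL.sub(lambda c: "%%%02X" % ord(c.group()), rest)


def proxy_request_line(url: str) -> str:
    """Build the absolute-URI request line sent through an HTTP proxy,
    refusing input that was not sanitized first."""
    if has_request_line_injection(url):
        raise ValueError("URL contains CR/LF, space or other control characters")
    return f"GET {url} HTTP/1.1\r\n"


if __name__ == "__main__":
    # Constructed sample: a path carrying CR/LF followed by text that a
    # proxy would otherwise parse as a second header line.
    tainted = "http://example.com/a\r\nX-Injected: 1"
    print(has_request_line_injection(tainted))      # True
    print(proxy_request_line(sanitize_proxy_url(tainted)))
```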
Comment 2 Arvid Requate univentionstaff 2015-04-24 12:12:19 CEST
* Re-using authenticated connection when unauthenticated (CVE-2015-3143)
* Negotiate not treated as connection-oriented (CVE-2015-3148)
Comment 3 Arvid Requate univentionstaff 2015-04-30 19:29:55 CEST
Fix available in Debian version 7.21.0-2.1+squeeze12
Comment 4 Arvid Requate univentionstaff 2015-06-03 11:19:51 CEST
Followup to Bug 37257
Comment 5 Janek Walkenhorst univentionstaff 2015-06-03 19:25:18 CEST
7.21.0-2.1+squeeze12 built as 7.21.0-7.53.201506031709.

Advisory: 2015-06-03-curl.yaml
Comment 6 Arvid Requate univentionstaff 2015-06-04 18:07:09 CEST
Ok, 7.21.0-2.1+squeeze12 has been imported and built in errata3.2-6.

Package update works:

previous version:

  libcurl3 7.21.0-6.48.201410151452

new version:

  libcurl3 7.21.0-7.53.201506031709

(via patches/curl/3.2-0-0-ucs/7.21.0-2.1+squeeze12-errata3.2-6/bump-version.patch)

Version in UCS 4.0-0 is still higher:

  libcurl3 7.26.0-1.49.201411010317


Advisory is ok, but we probably should also add "5" to the updatable versions?:

version: [5,6]

I guess we are still in the 6 weeks maintenance time frame after a patch level release.

Otherwise ok.
Comment 7 Janek Walkenhorst univentionstaff 2015-06-04 19:26:27 CEST
(In reply to Arvid Requate from comment #6)
> version: [5,6]
Changed
Comment 8 Janek Walkenhorst univentionstaff 2015-06-17 15:26:35 CEST
<http://errata.univention.de/ucs/3.2/339.html>