Bug 37257 – curl: Multiple issues (ES 3.1)

Bug 37257 - curl: Multiple issues (ES 3.1)


Summary:	curl: Multiple issues (ES 3.1)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 3.2
Hardware:	Other Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 3.1-ES
Assigned To:	Janek Walkenhorst
QA Contact:	Arvid Requate

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2014-12-09 15:07 CET by Moritz Muehlenhoff
Modified:	2015-06-05 14:39 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
3.1-curl.txt (869 bytes, text/plain) 2015-06-03 14:56 CEST, Janek Walkenhorst	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Moritz Muehlenhoff

2014-12-09 15:07:53 CET

* If CURLOPT_SSLVERIFYHOST is disabled, CURLOPT_SSL_VERIFYPEER was disabled as well (CVE-2013-4545)
* libcurl can in some circumstances re-use the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS request (CVE-2014-0015)
* libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP. (CVE-2014-0138)
* libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses. (CVE-2014-0139)
* Information leak in cookie handling (CVE-2014-3613)

Comment 1 Moritz Muehlenhoff

2014-12-09 15:14:03 CET

Information leak in curl_easy_duphandle() (CVE-2014-3707)

Comment 2 Arvid Requate

2015-04-24 12:12:23 CEST

* Re-using authenticated connection when unauthenticated (CVE-2015-3143)
* Negotiate not treated as connection-oriented (CVE-2015-3148)

Comment 3 Arvid Requate

2015-04-30 19:32:26 CEST

Fix available in Debian version 7.21.0-2.1+squeeze12

Comment 4 Janek Walkenhorst

2015-06-02 19:26:40 CEST

(In reply to Moritz Muehlenhoff from comment #0)
> * If CURLOPT_SSLVERIFYHOST is disabled, CURLOPT_SSL_VERIFYPEER was disabled
> as well (CVE-2013-4545)
> * libcurl can in some circumstances re-use the wrong connection when asked
> to do an NTLM-authenticated HTTP or HTTPS request (CVE-2014-0015)
> * libcurl can in some circumstances re-use the wrong connection when asked
> to do transfers using other protocols than HTTP and FTP. (CVE-2014-0138)
> * libcurl incorrectly validates wildcard SSL certificates containing literal
> IP addresses. (CVE-2014-0139)
Fixed with <http://errata.univention.de/ucs/3.1/228.html>

> * Information leak in cookie handling (CVE-2014-3613)
7.21.0-2.1+squeeze9

(In reply to Moritz Muehlenhoff from comment #1)
> Information leak in curl_easy_duphandle() (CVE-2014-3707)
7.21.0-2.1+squeeze10

(In reply to Arvid Requate from comment #2)
> * Re-using authenticated connection when unauthenticated (CVE-2015-3143)
> * Negotiate not treated as connection-oriented (CVE-2015-3148)
7.21.0-2.1+squeeze12

Also fixed are:
* CVE-2014-8150
7.21.0-2.1+squeeze11
* CVE-2014-3620
7.21.0-2.1+squeeze9

Comment 5 Janek Walkenhorst

2015-06-03 14:55:47 CEST

(In reply to Janek Walkenhorst from comment #4)
> Also fixed are:
> * CVE-2014-3620
> 7.21.0-2.1+squeeze9
Correction: [squeeze] - curl <not-affected> (affects versions 7.31.0 and later)

LTS version 7.21.0-2.1+squeeze12 built as 7.21.0-7.52.201506031400.

Comment 6 Janek Walkenhorst

2015-06-03 14:56:11 CEST

Created attachment 6939 [details]
3.1-curl.txt

Comment 7 Arvid Requate

2015-06-04 17:55:41 CEST

Ok, 7.21.0-2.1+squeeze12 has been imported and built in extsec3.1.
Package update works:

previous version:

 libcurl3 7.21.0-6.44.201404141858

new version:

 libcurl3 7.21.0-7.52.201506031400

(via patches/curl/3.1-0-0-ucs/7.21.0-2.1+squeeze12-extsec3.1/bump-version.patch )


Problem: version in ucs3.2-0 is not higher than in extsec3.1, but this is a problem we had before this update, so it's ok for now:

 libcurl3 7.21.0-4.31.201307031259

Advisory mail ok (not yet gpg signed).

Comment 8 Janek Walkenhorst

2015-06-05 14:39:49 CEST

Announced