Univention Bugzilla – Bug 37257
curl: Multiple issues (ES 3.1)
Last modified: 2015-06-05 14:39:49 CEST
* If CURLOPT_SSLVERIFYHOST is disabled, CURLOPT_SSL_VERIFYPEER was disabled as well (CVE-2013-4545) * libcurl can in some circumstances re-use the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS request (CVE-2014-0015) * libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP. (CVE-2014-0138) * libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses. (CVE-2014-0139) * Information leak in cookie handling (CVE-2014-3613)
Information leak in curl_easy_duphandle() (CVE-2014-3707)
* Re-using authenticated connection when unauthenticated (CVE-2015-3143) * Negotiate not treated as connection-oriented (CVE-2015-3148)
Fix available in Debian version 7.21.0-2.1+squeeze12
(In reply to Moritz Muehlenhoff from comment #0) > * If CURLOPT_SSLVERIFYHOST is disabled, CURLOPT_SSL_VERIFYPEER was disabled > as well (CVE-2013-4545) > * libcurl can in some circumstances re-use the wrong connection when asked > to do an NTLM-authenticated HTTP or HTTPS request (CVE-2014-0015) > * libcurl can in some circumstances re-use the wrong connection when asked > to do transfers using other protocols than HTTP and FTP. (CVE-2014-0138) > * libcurl incorrectly validates wildcard SSL certificates containing literal > IP addresses. (CVE-2014-0139) Fixed with <http://errata.univention.de/ucs/3.1/228.html> > * Information leak in cookie handling (CVE-2014-3613) 7.21.0-2.1+squeeze9 (In reply to Moritz Muehlenhoff from comment #1) > Information leak in curl_easy_duphandle() (CVE-2014-3707) 7.21.0-2.1+squeeze10 (In reply to Arvid Requate from comment #2) > * Re-using authenticated connection when unauthenticated (CVE-2015-3143) > * Negotiate not treated as connection-oriented (CVE-2015-3148) 7.21.0-2.1+squeeze12 Also fixed are: * CVE-2014-8150 7.21.0-2.1+squeeze11 * CVE-2014-3620 7.21.0-2.1+squeeze9
(In reply to Janek Walkenhorst from comment #4) > Also fixed are: > * CVE-2014-3620 > 7.21.0-2.1+squeeze9 Correction: [squeeze] - curl <not-affected> (affects versions 7.31.0 and later) LTS version 7.21.0-2.1+squeeze12 built as 7.21.0-7.52.201506031400.
Created attachment 6939 [details] 3.1-curl.txt
Ok, 7.21.0-2.1+squeeze12 has been imported and built in extsec3.1. Package update works: previous version: libcurl3 7.21.0-6.44.201404141858 new version: libcurl3 7.21.0-7.52.201506031400 (via patches/curl/3.1-0-0-ucs/7.21.0-2.1+squeeze12-extsec3.1/bump-version.patch ) Problem: version in ucs3.2-0 is not higher than in extsec3.1, but this is a problem we had before this update, so it's ok for now: libcurl3 7.21.0-4.31.201307031259 Advisory mail ok (not yet gpg signed).
Announced