First Last Prev Next    This bug is not in your last search results.
Bug 47283 - curl: Multiple issues (4.3)
curl: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-1-errata
Assigned To: Philipp Hahn
Arvid Requate
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-07-03 12:56 CEST by Philipp Hahn
Modified: 2018-07-04 14:53 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2018-07-03 12:56:25 CEST 
New Debian curl 7.52.1-5+deb9u6 fixes:
This update addresses the following issue(s):
* 
* curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0. (CVE-2018-1000301)

7.52.1-5+deb9u6 (Tue, 15 May 2018 23:00:28 +0100)
 * Fix heap buffer over-read when parsing bad RTSP headers
 as per CVE-2018-1000301
 https://curl.haxx.se/docs/adv_2018-b138.html
* CVE-2018-1000301 curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301)

product: ucs
release: "4.3"
version: [1]
scope: ucs_4.3-0-errata4.3-1
src: curl
fix: 7.52.1-5+deb9u6
desc: |
 This update addresses the following issue(s):
 * 
 * curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0. (CVE-2018-1000301)

 7.52.1-5+deb9u6 (Tue, 15 May 2018 23:00:28 +0100)
  * Fix heap buffer over-read when parsing bad RTSP headers
  as per CVE-2018-1000301
  https://curl.haxx.se/docs/adv_2018-b138.html
 * CVE-2018-1000301 curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301)
bug: []
cve:
- CVE-2018-1000301
Comment 1 Philipp Hahn univentionstaff 2018-07-03 13:31:56 CEST 
[4.3-1] cfc0c1a09d Bug #47283: curl 7.52.1-5+deb9u6
 doc/errata/staging/curl.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

<http://10.200.17.11/4.3-1/#4428784599820139931>
Comment 2 Arvid Requate univentionstaff 2018-07-04 13:28:16 CEST 
Verified:
* Output of automatic checks
* Package update
* Advisory
Comment 3 Arvid Requate univentionstaff 2018-07-04 13:33:57 CEST 
cdbd9cad8b | Publish also for UCS 4.3-0
Comment 4 Arvid Requate univentionstaff 2018-07-04 14:53:54 CEST 
<http://errata.software-univention.de/ucs/4.3/127.html>
First Last Prev Next    This bug is not in your last search results.