Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 686050 (CVE-2019-5435, CVE-2019-5436) - <net-misc/curl-7.65.0: multiple vulnerabilities (CVE-2019-{5435,5436})
Summary: <net-misc/curl-7.65.0: multiple vulnerabilities (CVE-2019-{5435,5436})
Status: RESOLVED FIXED
Alias: CVE-2019-5435, CVE-2019-5436
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2019-05-15 18:46 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-03-28 22:19 UTC (History)
2 users (show)

See Also:
Package list:
net-misc/curl-7.65.0
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-15 18:46:36 UTC
Incoming details.
Comment 1 Anthony Basile gentoo-dev 2019-05-23 14:36:43 UTC
(In reply to Thomas Deutschmann from comment #0)
> Incoming details.

curl-7.65.0 is on the tree.

@arch teams please start

KEYWORDS="alpha amd64 arm arm64 ia64 ppc ppc64 x8"


@minor arch teams, i'm cc-ing you too since this is an important package with an important update.
Comment 2 Anthony Basile gentoo-dev 2019-05-23 23:38:32 UTC
stable on amd64
Comment 3 Anthony Basile gentoo-dev 2019-05-24 13:55:03 UTC
stable on arm64
Comment 4 Rolf Eike Beer archtester 2019-05-24 20:57:15 UTC
sparc stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 07:52:33 UTC
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 07:59:03 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 08:03:54 UTC
ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-26 07:10:26 UTC
hppa stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-26 22:28:25 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-06-04 18:52:51 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-06 06:46:53 UTC
alpha stable
Comment 12 Anthony Ryan 2019-06-07 20:08:44 UTC
Just a heads up, we're seeing production segfaults after this stabilization.

Seems to be DNS related and already reported upstream: https://github.com/curl/curl/issues/3995
Comment 13 Anthony Basile gentoo-dev 2019-06-08 11:22:31 UTC
(In reply to Anthony Ryan from comment #12)
> Just a heads up, we're seeing production segfaults after this stabilization.
> 
> Seems to be DNS related and already reported upstream:
> https://github.com/curl/curl/issues/3995

0.65.1 was released and the ebuild is in the tree, but it doesn't seem to address you issue :(  Just in case, can you test 0.65.1 and open a separate bug if you verify that the seg fault is there too.  Unfortunately we need to move forward for security reasons.  When a patch becomes available, I'll back port it.
Comment 14 Markus Meier gentoo-dev 2019-06-13 04:28:05 UTC
arm stable
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 16:30:59 UTC
Added to an existing GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 16:38:58 UTC
This issue was resolved and addressed in
 GLSA 202003-29 at https://security.gentoo.org/glsa/202003-29
by GLSA coordinator Thomas Deutschmann (whissi).