Summary: | <net-misc/curl-7.35.0 : NTLM Connection Re-use Security Bypass Security Issue (CVE-2014-0015) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | blueness, gregkh |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/56728/ | ||
Whiteboard: | A4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-01-31 16:49:04 UTC
Please proceed with stabilizing curl-7.35.0.

KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86"

I'm dropping keywords for ~arch.

Stable for HPPA.

Depending on USE configuration this package pulls in a few non-stable deps. With the flags I just happen to have set I get:
media-libs/opus (USE=opus)
net-libs/gnutls (USE=gnutls)
sys-devel/gettext (this looks like it doesn't depend on USE)

How do we want to handle? Stable masking some USE flags might be an option, but we should at least check in with the gettext maintainers.

(In reply to Richard Freeman from comment #3)
> Depending on USE configuration this package pulls in a few non-stable deps.
> With the flags I just happen to have set I get:
> media-libs/opus (USE=opus)
> net-libs/gnutls (USE=gnutls)
> sys-devel/gettext (this looks like it doesn't depend on USE)
>
> How do we want to handle? Stable masking some USE flags might be an option,
> but we should at least check in with the gettext maintainers.

Ugh - disregard entirely - posted this in the wrong bug!!!!

amd64 stable

CVE-2014-0015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0015):
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.

x86 stable

ppc stable

ppc64 stable

sparc stable

alpha stable

ia64 stable

arm stable.

Maintainer(s), please cleanup. Security, please vote.

Thanks for your work!

GLSA vote: no

+ 27 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -curl-7.34.0-r1.ebuild,
+ -files/curl-7.34.0-fix-ipv6-failover.patch:
+ Removed vulnerable version (bug #499902).

GLSA vote: no. Closing as [noglsa].
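The CVE text quoted in the thread describes the mechanism in one sentence: NTLM authenticates a TCP connection rather than each request, so a connection cache that keys only on host and port can hand user A's authenticated connection to a request made with user B's credentials whenever the NTLM method is one of several allowed. The following C program is an added illustration written for this page, not libcurl code and not anything from the Gentoo bug; the types, function names, `AUTH_*` flags and the "alice"/"bob" pool contents are all constructed here. It puts the host:port-only reuse decision (the pre-7.35.0 behaviour as the advisory describes it) beside a decision that also compares credentials whenever NTLM is involved, and runs both over the same constructed connection pool.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of CVE-2014-0015 modelled in plain C. This is NOT
 * libcurl's connection cache; every name below is invented for the example. */

#define AUTH_BASIC 0x1u
#define AUTH_NTLM  0x2u
#define AUTH_ANY   (AUTH_BASIC | AUTH_NTLM)   /* stands in for a CURLAUTH_ANY-style mask */

typedef struct {
    const char *host;
    int         port;
    unsigned    auth_used;   /* method actually negotiated on this connection */
    const char *user;        /* credentials the connection was authenticated with */
    const char *passwd;
    bool        in_use;
} conn_t;

typedef struct {
    const char *host;
    int         port;
    unsigned    auth_allowed; /* bitmask of methods the caller permits */
    const char *user;
    const char *passwd;
} request_t;

static bool same_endpoint(const conn_t *c, const request_t *r)
{
    return !c->in_use && c->port == r->port && strcmp(c->host, r->host) == 0;
}

/* Pre-7.35.0 behaviour as described in the advisory: any idle connection to
 * the same host:port is reused, regardless of which user NTLM bound it to. */
bool reuse_ok_vulnerable(const conn_t *c, const request_t *r)
{
    return same_endpoint(c, r);
}

/* Fixed behaviour: NTLM authenticates the connection, not each request, so
 * when NTLM is in play on either side the credentials must match exactly. */
bool reuse_ok_fixed(const conn_t *c, const request_t *r)
{
    if (!same_endpoint(c, r))
        return false;
    bool ntlm_involved = (c->auth_used & AUTH_NTLM) || (r->auth_allowed & AUTH_NTLM);
    if (!ntlm_involved)
        return true;                 /* per-request auth such as Basic: safe to share */
    return strcmp(c->user, r->user) == 0 && strcmp(c->passwd, r->passwd) == 0;
}

/* Scan the pool with a given policy; returns the index of a reusable
 * connection or -1 when a fresh connection must be opened. */
int find_reusable(const conn_t *pool, int n, const request_t *r,
                  bool (*policy)(const conn_t *, const request_t *))
{
    for (int i = 0; i < n; i++)
        if (policy(&pool[i], r))
            return i;
    return -1;
}

/* Constructed scenario: alice's NTLM-authenticated connection sits idle in the
 * pool; bob then sends a request with an "any method" mask and his own
 * credentials. Returns the pool index chosen under the given policy. */
int bob_after_alice(bool (*policy)(const conn_t *, const request_t *))
{
    conn_t pool[] = {
        { "intranet.example", 80, AUTH_NTLM, "alice", "alice-pw", false },
    };
    request_t bob = { "intranet.example", 80, AUTH_ANY, "bob", "bob-pw" };
    return find_reusable(pool, 1, &bob, policy);
}

/* Same pool shape, but the idle connection only ever used Basic and bob only
 * allows Basic: sharing is fine because each request carries its own
 * Authorization header. */
int bob_after_alice_basic(bool (*policy)(const conn_t *, const request_t *))
{
    conn_t pool[] = {
        { "intranet.example", 80, AUTH_BASIC, "alice", "alice-pw", false },
    };
    request_t bob = { "intranet.example", 80, AUTH_BASIC, "bob", "bob-pw" };
    return find_reusable(pool, 1, &bob, policy);
}

int main(void)
{
    printf("vulnerable policy picks connection %d (alice's NTLM session)\n",
           bob_after_alice(reuse_ok_vulnerable));   /* 0 */
    printf("fixed policy picks connection %d (-1 = open a new one)\n",
           bob_after_alice(reuse_ok_fixed));        /* -1 */
    printf("Basic-only pool under the fixed policy: %d\n",
           bob_after_alice_basic(reuse_ok_fixed));  /* 0 */
    return 0;
}
```

The point the model makes is that credentials have to be part of the connection-cache key whenever an authentication scheme binds to the transport rather than to the individual request; keying on host and port alone is what lets bob's request ride alice's NTLM session. As a practitioner note that is not from the bug report: on a libcurl build that cannot be upgraded, `CURLOPT_FORBID_REUSE` and `CURLOPT_FRESH_CONNECT` are real libcurl options that opt a transfer out of connection reuse entirely, which sidesteps the shared-pool problem at the cost of a new connection per request.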