Bug 505864 (CVE-2014-0138)

Comment 1 Anthony Basile 2014-03-26 12:57:34 UTC

Is there any in-tree version that is not affected?

Comment 2 Yury German 2014-03-26 15:28:37 UTC

Anthony here is the detailed information:

CVE-2014-0138
http://curl.haxx.se/docs/adv_20140326A.html
Affected versions	from libcurl 7.10.6 to and including 7.35.0
Not affected versions	libcurl < 7.10.6 and >= 7.36.0
Patch for Version:	http://curl.haxx.se/libcurl-bad-reuse.patch

CVE-2014-0139
http://curl.haxx.se/docs/adv_20140326B.html
Affected versions	from libcurl 7.1 to and including 7.35.0
Not affected versions	libcurl >= 7.36.0
Patch for Versions:	http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch

CVE-2014-1263
http://curl.haxx.se/docs/adv_20140326C.html
Affected versions	from libcurl 7.27.0 to and including 7.35.0
Not affected versions	libcurl < 7.27.0 and >= 7.36.0

CVE-2014-2522
http://curl.haxx.se/docs/adv_20140326D.html
Affected versions	from libcurl 7.27.0 to and including 7.35.0
Not affected versions	libcurl < 7.27.0 and >= 7.36.0
Patch for Version:  https://github.com/bagder/curl/commit/63fc8ee7be2b71

Version not affected on all of them is 7.36.0

Just an FYI to anyone watching this bug without watching portage, an ebuild for 7.36.0 is available but still needs to be stabilized.

Comment 4 Anthony Basile 2014-04-02 15:44:44 UTC

(In reply to Jack Suter from comment #3)
> Just an FYI to anyone watching this bug without watching portage, an ebuild
> for 7.36.0 is available but still needs to be stabilized.

Okay let's start stabilization:

TARGET = "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 5 Jeroen Roovers (RETIRED) 2014-04-02 16:17:39 UTC

(In reply to Anthony Basile from comment #4)
> (In reply to Jack Suter from comment #3)
> > Just an FYI to anyone watching this bug without watching portage, an ebuild
> > for 7.36.0 is available but still needs to be stabilized.
> 
> Okay let's start stabilization:
> 
> TARGET = "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Stabilise what?

Comment 6 Anthony Basile 2014-04-02 16:20:15 UTC

(In reply to Jeroen Roovers from comment #5)
> (In reply to Anthony Basile from comment #4)
> > (In reply to Jack Suter from comment #3)
> > > Just an FYI to anyone watching this bug without watching portage, an ebuild
> > > for 7.36.0 is available but still needs to be stabilized.
> > 
> > Okay let's start stabilization:
> > 
> > TARGET = "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
> 
> Stabilise what?

curl-7.36.0.  Its the latest version not affected by the above CVEs.

Comment 7 Jeroen Roovers (RETIRED) 2014-04-02 23:43:47 UTC

(In reply to Anthony Basile from comment #6)
> curl-7.36.0.  Its the latest version not affected by the above CVEs.

Next time, write separate valid atoms on separate lines. We agreed on this ages ago, since it's really hard and time-consuming to read through all the chatter to find what is supposed to be done. So do this:

=net-misc/curl-7.36.0

and everyone can see in an instant what you want.

Comment 8 Jeroen Roovers (RETIRED) 2014-04-03 14:41:08 UTC

Stable for HPPA.

Comment 9 Agostino Sarubbo 2014-04-05 22:01:16 UTC

amd64 stable

Comment 10 Sergey Popov (RETIRED) 2014-04-07 09:17:23 UTC

arm stable

Comment 11 Agostino Sarubbo 2014-04-12 09:33:43 UTC

x86 stable

Comment 12 Agostino Sarubbo 2014-04-13 11:08:16 UTC

ppc stable

Comment 13 Agostino Sarubbo 2014-04-21 10:50:45 UTC

alpha stable

Comment 14 GLSAMaker/CVETool Bot 2014-04-29 20:13:23 UTC

CVE-2014-0139 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0139):
  cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or
  gskit libraries for TLS, recognize a wildcard IP address in the subject's
  Common Name (CN) field of an X.509 certificate, which might allow
  man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
  certificate issued by a legitimate Certification Authority.

CVE-2014-0138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0138):
  The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses
  (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8)
  SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow
  context-dependent attackers to connect as other users via a request, a
  similar issue to CVE-2014-0015.

Comment 15 Agostino Sarubbo 2014-05-11 08:05:59 UTC

ppc64 stable

Comment 16 Agostino Sarubbo 2014-05-13 15:21:36 UTC

ia64 stable

Comment 17 Agostino Sarubbo 2014-05-14 16:11:39 UTC

sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 18 Anthony Basile 2014-05-14 16:52:45 UTC

(In reply to Agostino Sarubbo from comment #17)
> sparc stable.
> 
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

Done.

Comment 19 Yury German 2014-06-10 01:50:22 UTC

Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.

Comment 20 GLSAMaker/CVETool Bot 2014-06-22 13:29:06 UTC

This issue was resolved and addressed in
 GLSA 201406-21 at http://security.gentoo.org/glsa/glsa-201406-21.xml
by GLSA coordinator Mikle Kolyada (Zlogene).