| Field | Value |
|---|---|
| Summary: | <net-misc/curl-7.39.0: multiple vulnerabilities (CVE-2014-{3613,3620}) |
| Product: | Gentoo Security |
| Reporter: | Karol Herbst <gentoo> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | minor |
| CC: | blueness, gregkh |
| Priority: | Normal |
| Version: | unspecified |
| Hardware: | All |
| OS: | All |
| URL: | http://curl.haxx.se/docs/adv_20140910B.html |
| Whiteboard: | A4 [noglsa] |
| Package list: | |
| Runtime testing required: | --- |
Description

Karol Herbst
2014-09-17 14:02:26 UTC

Maybe the patch for CVE-2014-3613 should be added, too. See here for more info: http://curl.haxx.se/docs/adv_20140910A.html

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.

Affected versions: from libcurl 7.31.0 to and including 7.37.1
Not affected versions: libcurl < 7.31.0 and libcurl >= 7.38.0

Maintainer(s): please let us know when the ebuild is ready for stabilization.

(In reply to Yury German from comment #3)
> Maintainer(s): please let us know when the ebuild is ready for
> stabilization.

Again, hard to catch if no one is in CC.

Ago thank you

See bug #528840 which supersedes this version.

CVE-2014-3620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3620): cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.

CVE-2014-3613 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3613): cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.

GLSA Vote: No

GLSA vote: no. Closing as [noglsa]
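The two CVEs discussed in this bug are both failures of cookie domain matching in an HTTP client: accepting a cookie scoped to a bare TLD (CVE-2014-3620) and tail-matching an IP-address host against a cookie domain instead of requiring an exact match (CVE-2014-3613). The following is an added, illustrative example written for this page; it is not libcurl's code and does not reproduce curl's actual fix. It contrasts a weak tail-match check (the class of bug) with a hardened check that treats IP literals as exact-match only, matches hostnames only at a label boundary, and rejects single-label (TLD) cookie domains as a simplified stand-in for a Public Suffix List lookup. All hostnames and cookie domains below are constructed test values, including the 192.168.0.1 / 127.168.0.1 pair from the NVD description.

```python
import ipaddress


def _is_ip_literal(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def weak_domain_match(request_host: str, cookie_domain: str) -> bool:
    """Illustrative weak check (constructed for this example, not libcurl's code).

    A plain string tail match: no label-boundary check, no special handling of
    IP literals, and no rejection of TLD-scoped cookies. This is the behaviour
    class behind CVE-2014-3613 and CVE-2014-3620.
    """
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host.endswith(dom)


def strict_domain_match(request_host: str, cookie_domain: str) -> bool:
    """Hardened check: decide whether a cookie with Domain=cookie_domain may be
    set by, and later sent to, request_host.

    Rules (constructed for this example):
      1. If either side is an IP literal, only an exact match is accepted.
      2. A cookie domain with no dot (a bare TLD such as "com") is rejected.
         Real clients should consult the Public Suffix List instead.
      3. Otherwise the host must equal the domain or end with "." + domain,
         so "notexample.com" never matches "example.com".
    """
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    if not host or not dom:
        return False
    # Rule 1: IP literals never participate in suffix matching.
    if _is_ip_literal(host) or _is_ip_literal(dom):
        return host == dom
    # Rule 2: refuse cookies scoped to a top-level domain.
    if "." not in dom:
        return False
    # Rule 3: exact match or suffix match at a label boundary only.
    return host == dom or host.endswith("." + dom)


def compare_checks(request_host: str, cookie_domain: str) -> dict:
    """Run both checks on one (host, domain) pair; handy for tabulating cases."""
    return {
        "host": request_host,
        "domain": cookie_domain,
        "weak": weak_domain_match(request_host, cookie_domain),
        "strict": strict_domain_match(request_host, cookie_domain),
    }


if __name__ == "__main__":
    # Constructed cases: the IP pair from the NVD text, a TLD cookie, a
    # label-boundary bypass, and two legitimate matches.
    cases = [
        ("127.168.0.1", "168.0.1"),        # CVE-2014-3613 shape: weak says yes
        ("192.168.0.1", "192.168.0.1"),    # exact IP match: both say yes
        ("www.example.com", "com"),        # CVE-2014-3620 shape: weak says yes
        ("notexample.com", "example.com"), # no label boundary: weak says yes
        ("www.example.com", ".example.com"),
        ("example.com", "example.com"),
    ]
    for host, dom in cases:
        print(compare_checks(host, dom))
```

Running the block prints one dictionary per case; the three rows where `weak` is True but `strict` is False are exactly the patterns the advisories describe. The `strict` rules are deliberately minimal: a production client replaces rule 2 with a Public Suffix List check, since many registrable boundaries (for example two-label public suffixes) contain a dot.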