Summary: | <net-misc/curl-7.43.0: Multiple vulnerabilities (CVE-2015-{3236,3237}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | blueness, gregkh, vapier |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A3 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2015-06-20 11:50:53 UTC
@maintainer: The unaffected package has already been bumped in tree, please advice on whether it is ready for stabilization. (In reply to Kristian Fiskerstrand from comment #1) > @maintainer: The unaffected package has already been bumped in tree, please > advice on whether it is ready for stabilization. Preliminary testing shows that it should be fine for rapid stabilization: KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" amd64 stable (In reply to Mikle Kolyada from comment #3) > amd64 stable nvmd, wrong bug >> Creating Manifest for /home/zlogene/gentoo-x86/net-misc/curl
dependency.bad [fatal] 28
net-misc/curl/curl-7.43.0.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/nghttp2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
net-misc/curl/curl-7.43.0.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['net-libs/nghttp2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
.......
CVE-2015-3237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3237): The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values. CVE-2015-3236 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3236): cURL and libcurl 7.40.0 through 7.42.1 sends the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors. (In reply to Mikle Kolyada from comment #5) > >> Creating Manifest for /home/zlogene/gentoo-x86/net-misc/curl > dependency.bad [fatal] 28 > net-misc/curl/curl-7.43.0.ebuild: DEPEND: amd64(default/linux/amd64/13.0) > ['net-libs/nghttp2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?, > abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?, > abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]'] > net-misc/curl/curl-7.43.0.ebuild: RDEPEND: > amd64(default/linux/amd64/13.0) > ['net-libs/nghttp2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?, > abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?, > abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]'] > ....... Yeah, vapier added nghttp2. I would stabilized =net-libs/nghttp2-1.0.2 along with =net-misc/curl-7.43.0. I'm cc-ing him to see if its okay. You could broadly mask that USE=nghttp2 instead for now. (In reply to Jeroen Roovers from comment #8) > You could broadly mask that USE=nghttp2 instead for now. I.e. USE=http2. (In reply to Jeroen Roovers from comment #9) > (In reply to Jeroen Roovers from comment #8) > > You could broadly mask that USE=nghttp2 instead for now. > > I.e. USE=http2. I kinda want it. So let's wait a few days and see if vapier responds. Stable for HPPA. Just mask USE=http2 or be very sure you want to pull in nghttp2 and openssl-1.0.2 at this moment. (In reply to Jeroen Roovers from comment #12) > Just mask USE=http2 or be very sure you want to pull in nghttp2 and > openssl-1.0.2 at this moment. I masked at profile/base level. I didn't realize it was pulling openssl-1.0.2. + 04 Jul 2015; Anthony G. Basile <blueness@gentoo.org> package.use.mask: + Mask http2 for net-misc/curl. Bug #552618. + Arch teams. Please proceed. amd64 stable 04 Jul 2015; Anthony G. Basile <blueness@gentoo.org> curl-7.43.0.ebuild: Stable on ppc and ppc64. Bug #552618. x86 stable arm stable Stable on alpha. ia64 stable sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. Maintainer(s), Thank you for you for cleanup. Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s). Maintainer(s), please drop the vulnerable version(s). This issue was resolved and addressed in GLSA 201509-02 at https://security.gentoo.org/glsa/201509-02 by GLSA coordinator Kristian Fiskerstrand (K_F). Re-Opening for Cleanup Maintainer(s), please drop the vulnerable version(s). It has been 30 days+ since cleanup requested. Maintainer(s), please drop the vulnerable version(s). (In reply to Yury German from comment #25) > It has been 30 days+ since cleanup requested. > Maintainer(s), please drop the vulnerable version(s). commit 828055f6f393e89f3f9a0c65d07e5d3f562e56aa Author: Anthony G. Basile <blueness@gentoo.org> Date: Mon Nov 2 17:04:17 2015 -0500 net-misc/curl: remove vulnerable versions, bug #552618. Package-Manager: portage-2.2.20.1 (In reply to Anthony Basile from comment #26) > (In reply to Yury German from comment #25) > > It has been 30 days+ since cleanup requested. > > Maintainer(s), please drop the vulnerable version(s). > > commit 828055f6f393e89f3f9a0c65d07e5d3f562e56aa > Author: Anthony G. Basile <blueness@gentoo.org> > Date: Mon Nov 2 17:04:17 2015 -0500 > > net-misc/curl: remove vulnerable versions, bug #552618. > > Package-Manager: portage-2.2.20.1 Thank you, closing |