Summary: | <net-misc/curl-7.51.0: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bertrand, blueness, jer, kensington |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://curl.haxx.se/mail/lib-2016-10/0076.html | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 581034, 603370 | ||
Bug Blocks: |
Description
Kristian Fiskerstrand (RETIRED)
2016-10-22 10:07:46 UTC
It's there: https://curl.haxx.se/changes.html#7_51_0

CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

Maintainers, please bump to 7.51.0.

(In reply to Hanno Boeck from comment #1)
> > Maintainers, please bump to 7.51.0.

Unfortunately it's not an easy bump since curl-7.50.3 depended on libidn and curl-7.51.0 depends on libidn2. I'm getting the latter ready and hopefully we can rapid keyword/stabilize, or else just mask idn for now.

Stable for HPPA PPC64.

commit 802d574601a5cb10eb43aa715e9d030959004da7
Author: Jeroen Roovers <jer@gentoo.org>
Date: Thu Nov 3 13:43:04 2016 +0100

net-misc/curl: Stable for HPPA PPC64 (bug #598856).

Package-Manager: portage-2.3.2
RepoMan-Options: --ignore-arches

I referred to the wrong bug, there.

This comment relates to CVE-2016-8625: IDNA 2003 makes curl use wrong host

Using libidn2 is an insufficient fix as there is potential for mismatches between IDNA 2003 and IDNA 2008

Upstream maintainer advice would suggest use.stable.masking idn for curl at the present time.

http://www.openwall.com/lists/oss-security/2016/11/04/6:

Date: Fri, 4 Nov 2016 08:27:43 +0100 (CET)
From: Daniel Stenberg <daniel@...x.se>:

I've suggested curl users to simply *disable* IDN completely in their builds now until we get something better done. To reduce the risk. There's no schedule or plan yet for when "something better" might be ready. I'll admit my energy level for this crap is very low.

@teams: alpha arm64 hppa ia64 m68k s390 sh sparc You'll want to keyword and stabilize this package and its dependencies. Sorry you should probably have been added earlier. @prefix you may want to restore prefixes too.

Stable on alpha.

Also stable on amd64. Somehow O.o

(In reply to Anthony Basile from comment #6)
> @teams: alpha arm64 hppa ia64 m68k s390 sh sparc You'll want to keyword and
> stabilize this package and its dependencies. Sorry you should probably have
> been added earlier.

Please be advised that bug 603370 re security vuln in lower version than 7.52.0 supersedes this report

(In reply to Kristian Fiskerstrand from comment #9)
> (In reply to Anthony Basile from comment #6)
> > @teams: alpha arm64 hppa ia64 m68k s390 sh sparc You'll want to keyword and
> > stabilize this package and its dependencies. Sorry you should probably have
> > been added earlier.
>
> Please be advised that bug 603370 re security vuln in lower version than
> 7.52.0 supersedes this report

I am aware, which is why I want the keywords at least in so I can forward migrate them.

Prefix keywords restored, x86-interix dropped.

This issue was resolved and addressed in GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47 by GLSA coordinator Thomas Deutschmann (whissi).