Bug 686050 (CVE-2019-5435, CVE-2019-5436)

Summary: <net-misc/curl-7.65.0: multiple vulnerabilities (CVE-2019-{5435,5436})
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: anthonyryan1, blueness
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-15 18:46:36 UTC
Incoming details.
Comment 1 Anthony Basile gentoo-dev 2019-05-23 14:36:43 UTC
(In reply to Thomas Deutschmann from comment #0)
> Incoming details.

curl-7.65.0 is on the tree.

@arch teams please start

KEYWORDS="alpha amd64 arm arm64 ia64 ppc ppc64 x8"

@minor arch teams, I'm cc-ing you too since this is an important package with an important update.
Comment 2 Anthony Basile gentoo-dev 2019-05-23 23:38:32 UTC
stable on amd64
Comment 3 Anthony Basile gentoo-dev 2019-05-24 13:55:03 UTC
stable on arm64
Comment 4 Rolf Eike Beer archtester 2019-05-24 20:57:15 UTC
sparc stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 07:52:33 UTC
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 07:59:03 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 08:03:54 UTC
ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-26 07:10:26 UTC
hppa stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-26 22:28:25 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-06-04 18:52:51 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-06 06:46:53 UTC
alpha stable
Comment 12 Anthony Ryan 2019-06-07 20:08:44 UTC
Just a heads up, we're seeing production segfaults after this stabilization.

Seems to be DNS related and already reported upstream:
Comment 13 Anthony Basile gentoo-dev 2019-06-08 11:22:31 UTC
(In reply to Anthony Ryan from comment #12)
> Just a heads up, we're seeing production segfaults after this stabilization.
> Seems to be DNS related and already reported upstream:

0.65.1 was released and the ebuild is in the tree, but it doesn't seem to address your issue :( Just in case, can you test 0.65.1 and open a separate bug if you verify that the seg fault is there too. Unfortunately we need to move forward for security reasons. When a patch becomes available, I'll back port it.
Comment 14 Markus Meier gentoo-dev 2019-06-13 04:28:05 UTC
arm stable
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 16:30:59 UTC
Added to an existing GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 16:38:58 UTC
This issue was resolved and addressed in
 GLSA 202003-29 at
by GLSA coordinator Thomas Deutschmann (whissi).