Bug 400799 - <net-misc/curl-7.24.0 : SSL/TLS IV Selection Weakness and URL Sanitisation Vulnerability (CVE-2011-3389, CVE-2012-0036)
Summary: <net-misc/curl-7.24.0 : SSL/TLS IV Selection Weakness and URL Sanitisation Vulnerability (CVE-2011-3389, CVE-2012-0036)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: A4 [glsa]
Duplicates: 401655
Depends on:
Blocks: CVE-2011-2192
Reported: 2012-01-25 20:02 UTC by Agostino Sarubbo
Modified: 2012-03-06 01:29 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2012-01-25 20:02:00 UTC
From Secunia security advisory at $URL:

1) A weakness within the SSL and TLS Initialization Vector (IV) selection exists when compiled to use OpenSSL and the SSL_OP_ALL bitmask is used.

For more information:
Microsoft Windows SSL/TLS Initialization Vector Selection Weakness

This vulnerability is reported in versions 7.10.6 through 7.23.1.

2) Input passed via the file path section of URLs related to the IMAP, POP3, and SMTP protocols is not properly sanitised before being used in protocol-specific code and can be exploited to e.g. inject control characters and cause a mail server to send or delete messages.

This vulnerability is reported in versions 7.20.0 through 7.23.1.

Update to version 7.24.0.

Original Advisory:
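The second issue above is a classic input-validation gap: a mailbox or recipient name taken from the URL path is spliced into an IMAP, POP3 or SMTP command, and a CR/LF smuggled in through percent-encoding turns into a command delimiter on the wire. The following is an added example, not curl's own code and not the upstream fix, of the check a client should apply before a path component is used in protocol code: percent-decode it and reject (rather than strip) anything that decodes to an ASCII control character or that is malformed. The function names `decode_mail_path` and `mail_path_decodes_to` are hypothetical, and the sample inputs in `main` are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not curl's code): value of one hex digit, or -1. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* ASCII control characters (0x00-0x1F, 0x7F): CR, LF, NUL and friends, which
 * mail protocols interpret as line/command structure, never as data. */
static int is_ctrl(unsigned char c)
{
    return c < 0x20 || c == 0x7F;
}

/* Percent-decode the path part of an imap://, pop3:// or smtp:// URL.
 * Returns 1 and writes the NUL-terminated result to out on success.
 * Returns 0 (leaving out empty) if a %XX sequence is truncated or not hex,
 * if the output buffer is too small, or if any byte, raw or encoded,
 * would be a control character. Rejecting is deliberate: silently
 * dropping CR/LF would still let the caller issue a command it never
 * inspected. */
int decode_mail_path(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            /* hexval of '\0' is -1, so a truncated "%4" never reads past the end */
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) { out[0] = '\0'; return 0; }
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        if (is_ctrl(c)) { out[0] = '\0'; return 0; }
        if (o + 1 >= outlen) { out[0] = '\0'; return 0; }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Yes/no convenience wrapper: does `in` decode cleanly to exactly `expected`? */
int mail_path_decodes_to(const char *in, const char *expected)
{
    char buf[256];
    return decode_mail_path(in, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample paths: two benign, one with an encoded CRLF, two malformed. */
    const char *samples[] = {
        "INBOX",
        "Sent%20Items",
        "INBOX%0D%0Aextra",
        "bad%G1",
        "trunc%4",
    };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = decode_mail_path(samples[i], buf, sizeof buf);
        printf("%-20s -> %s%s\n", samples[i],
               ok ? "accepted: " : "rejected", ok ? buf : "");
    }
    return 0;
}
```

The check runs on the decoded bytes, not the raw URL text, which is what makes "%0D%0A" and a literal CR/LF fail the same way; a validator that only scans the undecoded string for control characters would pass the encoded form. Callers that want to allow a control character legitimately (there is no such case for a mailbox name) would have to add it explicitly rather than widen the default.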
Comment 1 SpanKY gentoo-dev 2012-01-26 19:41:26 UTC
I've added 7.24.0 since there's a security issue ... hopefully Christoph doesn't mind
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-26 19:50:58 UTC
Thanks Mike.

@angelos, is it ready to stabilize?
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2012-01-26 20:56:38 UTC
26/073210 <@vapier> angelos: mind if i bump curl to 7.24.0 ?
26/073500 <@angelos> vapier: sure, go ahead
26/073803 -!- vapier [UserBah@nat/google/x-rsldjehppespqenp] has quit [Ping timeout: 272 seconds]
guess you missed it

anyway, good to go and thanks Mike
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-27 04:52:43 UTC
Arches, please test and mark stable:
Target KEYWORDS: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-01-27 13:30:40 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-28 17:26:14 UTC
Stable for HPPA.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-29 12:23:05 UTC
x86 stable
Comment 8 Viorel Tabara 2012-01-31 16:53:35 UTC
*** Bug 401655 has been marked as a duplicate of this bug. ***
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-02-01 17:22:03 UTC
ppc done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-02-04 15:31:30 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2012-03-03 15:32:16 UTC
ppc64 done
Comment 12 Agostino Sarubbo gentoo-dev 2012-03-03 15:57:22 UTC
please vote
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2012-03-03 20:09:23 UTC
Thanks, folks. GLSA Vote: yes.
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-03 23:41:49 UTC
Added to existing GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 01:29:59 UTC
This issue was resolved and addressed in
 GLSA 201203-02 at
by GLSA coordinator Sean Amoss (ackle).