From ${URL} : Description A security issue has been reported in libcURL, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the application re-using recent authenticated connections when processing new NTLM-authenticated requests. This can be exploited to perform certain operations with the credentials of a recent NTLM authenticated user. The security issue is reported in versions 7.10.6 through 7.34.0. Solution: Update to version 7.35.0. Provided and/or discovered by: Reported by the vendor. Original Advisory: http://curl.haxx.se/docs/adv_20140129.html @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Please proceed with stabilizing curl-7.35.0. KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86" I'm dropping keywords for ~arch.
Stable for HPPA.
Depending on USE configuration this package pulls in a few non-stable deps. With the flags I just happen to have set I get: media-libs/opus (USE=opus) net-libs/gnutls (USE=gnutls) sys-devel/gettext (this looks like it doesn't depend on USE) How do we want to handle? Stable masking some USE flags might be an option, but we should at least check in with the gettext maintainers.
(In reply to Richard Freeman from comment #3) > Depending on USE configuration this package pulls in a few non-stable deps. > With the flags I just happen to have set I get: > media-libs/opus (USE=opus) > net-libs/gnutls (USE=gnutls) > sys-devel/gettext (this looks like it doesn't depend on USE) > > How do we want to handle? Stable masking some USE flags might be an option, > but we should at least check in with the gettext maintainers. Ugh - disregard entirely - posted this in the wrong bug!!!!
amd64 stable
CVE-2014-0015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0015): cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
x86 stable
ppc stable
ppc64 stable
sparc stable
alpha stable
ia64 stable
arm stable. Maintainer(s), please cleanup. Security, please vote.
Thanks for your work! GLSA vote: no
+ 27 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -curl-7.34.0-r1.ebuild, + -files/curl-7.34.0-fix-ipv6-failover.patch: + Removed vulnerable version (bug #499902). +
GLSA vote: no. Closing as [noglsa].
