libcurl wrong re-use of connections
Date: March 26, 2014
ID: CVE-2014-0138 (20140326A)
Affected versions: from libcurl 7.10.6 to and including 7.35.0
Not affected versions: libcurl < 7.10.6 and >= 7.36.0
Patch: libcurl-bad-reuse.patch

libcurl IP address wildcard certificate validation
Date: March 26, 2014
ID: CVE-2014-0139 (20140326B)
Affected versions: from libcurl 7.1 to and including 7.35.0
Not affected versions: libcurl >= 7.36.0
Patch: libcurl-reject-cert-ip-wildcards.patch

libcurl not verifying certs for TLS to IP address / Darwinssl
Date: March 26, 2014
ID: CVE-2014-1263 (20140326C)
Affected versions: from libcurl 7.27.0 to and including 7.35.0
Not affected versions: libcurl < 7.27.0 and >= 7.36.0
Patch: commit afc6e5004fabee

libcurl not verifying certs for TLS to IP address / Winssl
Date: March 26, 2014
ID: CVE-2014-2522 (20140326D)
Affected versions: from libcurl 7.27.0 to and including 7.35.0
Not affected versions: libcurl < 7.27.0 and >= 7.36.0
Patch: commit 63fc8ee7be2b71
Is there any in-tree version that is not affected?
Anthony, here is the detailed information:

CVE-2014-0138
http://curl.haxx.se/docs/adv_20140326A.html
Affected versions: from libcurl 7.10.6 to and including 7.35.0
Not affected versions: libcurl < 7.10.6 and >= 7.36.0
Patch for version: http://curl.haxx.se/libcurl-bad-reuse.patch

CVE-2014-0139
http://curl.haxx.se/docs/adv_20140326B.html
Affected versions: from libcurl 7.1 to and including 7.35.0
Not affected versions: libcurl >= 7.36.0
Patch for versions: http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch

CVE-2014-1263
http://curl.haxx.se/docs/adv_20140326C.html
Affected versions: from libcurl 7.27.0 to and including 7.35.0
Not affected versions: libcurl < 7.27.0 and >= 7.36.0

CVE-2014-2522
http://curl.haxx.se/docs/adv_20140326D.html
Affected versions: from libcurl 7.27.0 to and including 7.35.0
Not affected versions: libcurl < 7.27.0 and >= 7.36.0
Patch for version: https://github.com/bagder/curl/commit/63fc8ee7be2b71

The version not affected by any of them is 7.36.0.
Just an FYI to anyone watching this bug without watching portage, an ebuild for 7.36.0 is available but still needs to be stabilized.
(In reply to Jack Suter from comment #3)
> Just an FYI to anyone watching this bug without watching portage, an ebuild
> for 7.36.0 is available but still needs to be stabilized.

Okay, let's start stabilization:

TARGET = "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
(In reply to Anthony Basile from comment #4)
> (In reply to Jack Suter from comment #3)
> > Just an FYI to anyone watching this bug without watching portage, an ebuild
> > for 7.36.0 is available but still needs to be stabilized.
>
> Okay let's start stabilization:
>
> TARGET = "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Stabilise what?
(In reply to Jeroen Roovers from comment #5)
> (In reply to Anthony Basile from comment #4)
> > (In reply to Jack Suter from comment #3)
> > > Just an FYI to anyone watching this bug without watching portage, an ebuild
> > > for 7.36.0 is available but still needs to be stabilized.
> >
> > Okay let's start stabilization:
> >
> > TARGET = "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
>
> Stabilise what?

curl-7.36.0. It's the latest version not affected by the above CVEs.
(In reply to Anthony Basile from comment #6)
> curl-7.36.0. It's the latest version not affected by the above CVEs.

Next time, write separate valid atoms on separate lines. We agreed on this ages ago, since it's really hard and time-consuming to read through all the chatter to find what is supposed to be done. So do this:

=net-misc/curl-7.36.0

and everyone can see in an instant what you want.
Stable for HPPA.
amd64 stable
arm stable
x86 stable
ppc stable
alpha stable
CVE-2014-0139 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0139): cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

CVE-2014-0138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0138): The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
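The CVE-2014-0139 description above boils down to one rule a TLS client must enforce: a wildcard in a certificate name may only ever match a DNS host name, never an IP address literal. The following is an added illustration (not curl's own code, and not the patched hostmatch routine) of a name matcher that applies that rule; the certificate is a constructed dict with `cn`, `dns_sans` and `ip_sans` keys, and the fallback to an exact IP string in the CN is an assumption about legacy certificates, not something the advisory specifies.

```python
import ipaddress


def is_ip_literal(host):
    """True when the connection target is an IPv4/IPv6 literal (brackets allowed)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """RFC 6125 style DNS-name match. A wildcard is accepted only as the whole
    leftmost label of a name with at least three labels, and never when the
    target (or the pattern) is an IP literal: '*.168.1.1' must not match
    192.168.1.1, which is exactly the bug described in CVE-2014-0139."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if is_ip_literal(host) or is_ip_literal(pattern):
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":        # partial-label wildcards such as 'f*o' are rejected
        return False
    return p_labels[1:] == h_labels[1:]


def ip_matches(san_ip, host):
    """Exact IP comparison using parsed addresses, so '::1' and '0:0::1' agree."""
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False


def cert_matches_host(cert, host):
    """Decide whether a (constructed) certificate is valid for the target host."""
    if is_ip_literal(host):
        # IP targets are matched against iPAddress SANs only; wildcards never apply.
        if any(ip_matches(ip, host) for ip in cert.get("ip_sans", [])):
            return True
        # Assumed legacy fallback: a CN holding the exact IP string still counts.
        return ip_matches(cert.get("cn", ""), host)
    # DNS targets: SANs take precedence over the CN, CN is used only when no dNSName SAN exists.
    names = cert.get("dns_sans") or [cert.get("cn", "")]
    return any(dns_name_matches(p, host) for p in names)
```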
ppc64 stable
ia64 stable
sparc stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
(In reply to Agostino Sarubbo from comment #17)
> sparc stable.
>
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

Done.
Arches and Maintainer(s), thank you for your work. New GLSA request filed.
This issue was resolved and addressed in GLSA 201406-21 at http://security.gentoo.org/glsa/glsa-201406-21.xml by GLSA coordinator Mikle Kolyada (Zlogene).