patch for this can be found here: http://curl.haxx.se/CVE-2014-3620.patch
Reproducible: Didn't try
maybe the patch for CVE-2014-3613 should be added, too
see here for more info: http://curl.haxx.se/docs/adv_20140910A.html
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus
making them apply broader than cookies are allowed. This can allow arbitrary
sites to set cookies that then would get sent to a different and unrelated
site or domain.
Affected versions: from libcurl 7.31.0 to and including 7.37.1
Not affected versions: libcurl < 7.31.0 and libcurl >= 7.38.0
Maintainer(s): please let us know when the ebuild is ready for stabilization.
(In reply to Yury German from comment #3)
> Maintainer(s): please let us know when the ebuild is ready for
Again, hard to catch if no one is in CC.
Ago thank you
See bug #528840 which supersedes this version.
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same
Origin Policy and set cookies for arbitrary sites by setting a cookie for a
cURL and libcurl before 7.38.0 does not properly handle IP addresses in
cookie domain names, which allows remote attackers to set cookies for or
send arbitrary cookies to certain sites, as demonstrated by a site at
192.168.0.1 setting cookies for a site at 127.168.0.1.
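The two issues in this thread, a cookie whose Domain attribute is a bare TLD and a cookie whose Domain is a partial IP address, are both failures of the Domain-attribute check a cookie jar must apply before storing a cookie. The following is an added illustration written for this page, not libcurl's code or the patch linked above. It assumes a constructed, deliberately tiny stand-in for the Public Suffix List (`PUBLIC_SUFFIXES`); a real client would load the full list from publicsuffix.org. It parses a Set-Cookie header, then rejects a Domain that is a public suffix and, for request hosts that are IP addresses, any Domain that does not match the host exactly.

```python
import ipaddress

# Constructed, abbreviated stand-in for the Public Suffix List.
# A real cookie jar loads the full list; this set exists only for the example.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}


def is_ip_address(host):
    """True if host is a literal IPv4/IPv6 address, False for a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalize_domain(domain):
    """Lower-case and strip the leading dot RFC 6265 tells clients to ignore."""
    return domain.lower().strip().lstrip(".").rstrip(".")


def cookie_domain_allowed(request_host, cookie_domain):
    """Decide whether a Domain attribute may be accepted from request_host.

    Returns (allowed, reason). An empty Domain means a host-only cookie,
    which is always acceptable for the host that set it.
    """
    host = request_host.lower().rstrip(".")
    if not cookie_domain:
        return True, "host-only cookie"
    domain = normalize_domain(cookie_domain)

    # IP-address hosts never get domain cookies: the Domain attribute must be
    # the exact literal address, so 192.168.0.1 cannot set Domain=168.0.1.
    if is_ip_address(host) or is_ip_address(domain):
        if domain == host:
            return True, "exact IP address match"
        return False, "IP-address hosts only accept an exactly matching Domain"

    # A public suffix such as 'com' or 'co.uk' would be sent to every site
    # under that suffix; reject it outright.
    if domain in PUBLIC_SUFFIXES:
        return False, "'%s' is a public suffix / TLD" % domain

    # Ordinary domain-match (RFC 6265 section 5.1.3): equal, or host ends
    # with '.' + domain.
    if host == domain or host.endswith("." + domain):
        return True, "Domain domain-matches the request host"
    return False, "Domain does not cover the request host"


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def accept_set_cookie(request_host, header):
    """Return True if the cookie in header may be stored for request_host."""
    _name, _value, attrs = parse_set_cookie(header)
    allowed, _reason = cookie_domain_allowed(request_host, attrs.get("domain", ""))
    return allowed


if __name__ == "__main__":
    # Constructed sample headers mirroring the two advisory cases above.
    samples = [
        ("www.example.com", "sid=abc; Domain=com; Path=/"),
        ("www.example.com", "sid=abc; Domain=example.com; Path=/"),
        ("192.168.0.1", "sid=abc; Domain=168.0.1"),
        ("192.168.0.1", "sid=abc; Domain=192.168.0.1"),
    ]
    for host, hdr in samples:
        ok, why = cookie_domain_allowed(host, parse_set_cookie(hdr)[2].get("domain", ""))
        print("%-16s %-40s -> %s (%s)" % (host, hdr, "accept" if ok else "reject", why))
```

The IP branch is deliberately checked before the public-suffix branch: a partial address like `168.0.1` is not a valid IP literal, so a check that only asked "is this a suffix?" would wave it through, which is exactly the class of mistake described in the second CVE text above.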
GLSA Vote: No
GLSA vote: no.
Closing as [noglsa]