*** Bug 528842 has been marked as a duplicate of this bug. ***

oops

Comment 3 Anthony Basile 2014-11-11 00:13:50 UTC

(In reply to Tiago Marques from comment #0)
> As described in http://curl.haxx.se/docs/adv_20141105.html and 
> 
> Reproducible: Always

From the report: Not affected versions: libcurl >= 7.39.0.

curl-7.39.0 has now been added to the tree and I've removed all older unstable versions that were vulnerable.

We should rapid stabilize.

TARGETS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sparc x86"

I'm cc-ing arm64 that may want to stabilize this important package.

Comment 4 Anthony Basile 2014-11-11 00:19:00 UTC

@alpha, arm64, ia64, sparc.  You will need to stabilize =net-dns/c-ares-1.10.0-r1 first.  See bug #522820.

Comment 5 Agostino Sarubbo 2014-11-11 08:33:44 UTC

amd64 stable

Comment 6 Agostino Sarubbo 2014-11-11 08:33:59 UTC

x86 stable

Comment 7 Anthony Basile 2014-11-11 10:56:29 UTC

stable on ppc and ppc64

Comment 8 Jeroen Roovers (RETIRED) 2014-11-11 11:39:14 UTC

Stable for HPPA.

Comment 9 Anthony Basile 2014-11-13 12:18:39 UTC

stable on arm

Comment 10 Tobias Klausmann (RETIRED) 2014-11-20 13:45:58 UTC

Stable on alpha

Comment 11 Agostino Sarubbo 2014-11-20 15:48:16 UTC

ia64 stable

Comment 12 Agostino Sarubbo 2014-12-01 09:18:00 UTC

sparc stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 13 GLSAMaker/CVETool Bot 2015-01-04 02:08:10 UTC

CVE-2014-3707 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3707):
  The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when
  running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP
  POST data for an easy handle, which triggers an out-of-bounds read that
  allows remote web servers to read sensitive memory information.

Comment 14 Kristian Fiskerstrand (RETIRED) 2015-01-05 00:14:56 UTC

GLSA Vote: No

Comment 15 Mikle Kolyada (RETIRED) 2015-01-05 00:40:49 UTC

GLSA vote: no.

Comment 16 Yury German 2015-05-11 20:15:32 UTC

For this version it is all cleaned up. Thank you