An alert on the upcoming 7.51.0 release
From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 19 Oct 2016 00:30:38 +0200 (CEST)
In two weeks time, on Wednesday November 2nd, we will release curl and libcurl
7.51.0 unless something earth shattering happens.
This release will bundle no less than _eleven_ security advisories and their
associated fixes (unless we get more reported in the time we have left). Each
individual security issue will be documented in detail in their own advisories
as usual and sent out as separate emails and get documented on the curl web
site. Chances are big several of these affect your use of curl.
We have never before handled anywhere close to this many security problems in
a single release. We have notified both Apple and distros_at_openwall so the
major distributions should be aware of what's coming.
Merging eleven previously non-disclosed branches into master just before a
release is not ideal but done so to minimize the security impact on existing
users when the problems get known. My plan is to merge them all into master
and push around 48 hours before release, watch the autobuilds closely, have a
few extra coverity scans done and then fix up what's found before the release.
I will also prepare to do a follow-up patch release within the following week
if we find serious enough problems in the shipped product.
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
Maintainers, please bump to 7.51.0.
(In reply to Hanno Boeck from comment #1)
> Maintainers, please bump to 7.51.0.
Unfortunately it's not an easy bump since curl-7.50.3 depended on libidn and curl-7.51.0 depends on libidn2. I'm getting the latter ready and hopefully we can rapid keyword/stabilize, or else just mask idn for now.
Stable for HPPA PPC64.
Author: Jeroen Roovers <firstname.lastname@example.org>
Date: Thu Nov 3 13:43:04 2016 +0100
net-misc/curl: Stable for HPPA PPC64 (bug #598856).
I referred to the wrong bug, there.
This comment relates to CVE-2016-8625: IDNA 2003 makes curl use wrong host
Using libidn2 is an insufficient fix as there is potential for mismatches between IDNA 2003 and IDNA 2008.
Upstream maintainer advice would suggest use.stable.masking idn for curl at the present time.
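The comment above is about the mismatch behind CVE-2016-8625: the same Unicode hostname can encode to two different ASCII wire forms under IDNA 2003 and IDNA 2008, so a resolver using one standard may contact a different host than the user intended. The following Python example is added here for illustration and is not code from curl, libidn, or this bug report. It uses the standard library only: Python's built-in "idna" codec implements IDNA 2003 (nameprep), while the IDNA 2008-style form is approximated by NFC-normalizing and punycoding each label without the 2003 case-folding and character mappings. That approximation is an assumption of this example (no PVALID/CONTEXT rule checks), sufficient to show the classic German sharp s (U+00DF) divergence.

```python
"""Compare the IDNA 2003 and IDNA 2008 wire forms of a hostname.

Constructed example (not curl or libidn code). The stdlib "idna" codec is
IDNA 2003; the IDNA 2008-style encoder below is an approximation that keeps
characters IDNA 2003 maps away (such as U+00DF) and punycodes non-ASCII
labels directly.
"""
import unicodedata


def idna2003_host(host: str) -> str:
    """IDNA 2003 (nameprep + punycode) as produced by the stdlib codec."""
    return host.encode("idna").decode("ascii")


def idna2008_like_host(host: str) -> str:
    """Approximate IDNA 2008 encoding (assumption: no PVALID/CONTEXT checks).

    NFC-normalize, lowercase ASCII-only labels, and punycode any label that
    still contains non-ASCII characters. Unlike IDNA 2003, U+00DF is kept
    rather than mapped to "ss", which is exactly where the two diverge.
    """
    labels = []
    for label in unicodedata.normalize("NFC", host).split("."):
        if label.isascii():
            labels.append(label.lower())
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def idna_mismatch(host: str):
    """Return (idna2003_form, idna2008_form, differs).

    A True third element means a client built against an IDNA 2003 library
    and one built against an IDNA 2008 library would look up different names.
    """
    form2003 = idna2003_host(host)
    form2008 = idna2008_like_host(host)
    return form2003, form2008, form2003 != form2008


if __name__ == "__main__":
    # Constructed sample hostnames: one diverging case, two agreeing cases.
    for name in ("faß.de", "bücher.de", "example.com"):
        print(name, "->", idna_mismatch(name))
```

For "faß.de" the IDNA 2003 form is "fass.de" while the IDNA 2008 form is "xn--fa-hia.de": two distinct DNS names. That is the kind of split the comment refers to, and why switching curl from libidn to libidn2 alone does not settle which host a given input reaches.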
Date: Fri, 4 Nov 2016 08:27:43 +0100 (CET)
From: Daniel Stenberg <daniel@...x.se>:
I've suggested curl users to simply *disable* IDN completely in their builds
now until we get something better done. To reduce the risk. There's no
schedule or plan yet for when "something better" might be ready. I'll admit my
energy level for this crap is very low.
@teams: alpha arm64 hppa ia64 m68k s390 sh sparc You'll want to keyword and stabilize this package and its dependencies. Sorry, you should probably have been added earlier.
@prefix you may want to restore prefixes too.
Stable on alpha.
Also stable on amd64. Somehow O.o
(In reply to Anthony Basile from comment #6)
> @teams: alpha arm64 hppa ia64 m68k s390 sh sparc You'll want to keyword and
> stabilize this package and its dependencies. Sorry you should probably have
> been added earlier.
Please be advised that bug 603370 re security vuln in lower version than 7.52.0 supersedes this report
(In reply to Kristian Fiskerstrand from comment #9)
> (In reply to Anthony Basile from comment #6)
> > @teams: alpha arm64 hppa ia64 m68k s390 sh sparc You'll want to keyword and
> > stabilize this package and its dependencies. Sorry you should probably have
> > been added earlier.
> Please be advised that bug 603370 re security vuln in lower version than
> 7.52.0 supersedes this report
I am aware, which is why I want the keywords at least in so I can forward migrate them.
Prefix keywords restored, x86-interix dropped.
This issue was resolved and addressed in
GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).