*** EMBARGOED CRD 2017-08-09 *** Curl 7.55.0 will be released on August 9th containing fixes for multiple vulnerabilities.
https://curl.haxx.se/docs/adv_20170809A.html
https://curl.haxx.se/docs/adv_20170809B.html
https://curl.haxx.se/docs/adv_20170809C.html
CVE-2017-1000101 curl: URL globbing out of bounds read
CVE-2017-1000100 curl: TFTP sends more than buffer size
CVE-2017-1000099 curl: FILE buffer read out of bounds
It's in the tree. KEYWORDS for stable arches are "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
ia64 stable
amd64 stable
x86 stable
arm stable
alpha stable
I had to stabilize 7.55.1 on ppc because of bug #629562.
stable on ppc64
CC'ing arches again for 7.55.1
amd64/x86 stable
Stable on alpha.
GLSA Vote: Yes
New GLSA Request filed.
All remaining arches (sparc / arm / hppa) are not security supported. Please proceed with stabilization.
Maintainer(s), please drop the vulnerable version(s).
sparc was dropped to exp.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
hppa/sparc stable (thanks to Dakon)
All arches are done here.
(In reply to Anthony Basile from comment #10)
> stable on ppc64

Keywords for net-misc/curl:
          |                                 |   u   |
          | a a         p   a     n r     s |   n   |
          | l m   h i   p   r m m i i s   p | e u s | r
          | p d a p a p c x m i 6 o s 3   a | a s l | e
          | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p
          | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o
----------+---------------------------------+-------+-------
7.53.0    | + + + + + + + + + ~ + o o + + + | 6 o 0 | gentoo
7.53.1    | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o o ~ ~ ~ | 6 #   | gentoo
7.54.0    | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o o ~ ~ ~ | 6 #   | gentoo
7.54.1    | + + + ~ + + + + ~ ~ ~ o o ~ ~ + | 6 #   | gentoo
7.55.0    | + + + ~ + o + + ~ ~ ~ o o ~ ~ ~ | 6 o   | gentoo
[I]7.55.1 | + + + + + + ~ + ~ ~ ~ o o ~ ~ + | 6 o   | gentoo

@Maintainer, could you please confirm that ppc64 is stable? I can't find any commit in the log about that. After that, we need to clean the tree.

Thank you,
Gentoo Security Padawan
ChrisADR
(In reply to Christopher Díaz from comment #20)
> (In reply to Anthony Basile from comment #10)
> > stable on ppc64
>
> @Maintainer, could you please confirm that ppc64 is stable? I can't find any
> commit in the log about that. After that, we need to clean the tree.
>

I marked 7.55.1 stable on ppc64 and removed the vulnerable versions.
(In reply to Anthony Basile from comment #21)
> I marked 7.55.1 stable on ppc64 and removed the vulnerable versions.

Thank you very much, GLSA already requested.

Gentoo Security Padawan
ChrisADR
This issue was resolved and addressed in GLSA 201709-14 at https://security.gentoo.org/glsa/201709-14 by GLSA coordinator Aaron Bauman (b-man).