Your message dated Thu, 06 Nov 2014 21:20:49 +0000
with message-id <[email protected]>
and subject line Bug#763372: fixed in curl 7.38.0-3
has caused the Debian Bug report #763372,
regarding cURL binary hardening
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
763372: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: curl
Version: 7.26.0-1
Owner: [email protected]
We currently use curl in a security sensitive context and therefore
I'm looking to harden it as much as possible against remote
exploitation. I was wondering if you can further harden the binary by
enabling full RELRO support and PIE as well.
NB. I used the checksec script to see the package's hardening options.
Thanks.
--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.38.0-3
We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated curl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 06 Nov 2014 11:40:24 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source amd64 all
Version: 7.38.0-3
Distribution: unstable
Urgency: high
Maintainer: Alessandro Ghedini <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description:
curl - command line tool for transferring data with URL syntax
libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
libcurl4-doc - documentation for libcurl
libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 763372
Changes:
curl (7.38.0-3) unstable; urgency=high
.
* Enable all hardening options (Closes: #763372)
* Fix duphandle read out of bounds as per CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
* Set urgency=high accordingly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
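
A check for the two properties requested in the report (PIE and full RELRO), as an added example that is not part of the original messages or of the checksec script. It classifies `readelf -W -h -l -d` output; the function name `hardening_status` and both sample outputs are constructed for illustration, and because a `DYN` type also describes shared libraries, the PIE result is meaningful for executables only.

```shell
#!/bin/sh
# Added example: classify PIE and RELRO from readelf output read on stdin.
# Real use: readelf -W -h -l -d "$(command -v curl)" | hardening_status
hardening_status() {
    awk '
        $1 == "Type:"                   { type = $2 }  # ELF header: EXEC or DYN
        $1 == "GNU_RELRO"               { relro = 1 }  # PT_GNU_RELRO segment present
        $2 == "(BIND_NOW)"              { now = 1 }    # DT_BIND_NOW entry
        $2 == "(FLAGS)"   && /BIND_NOW/ { now = 1 }    # DF_BIND_NOW flag
        $2 == "(FLAGS_1)" && / NOW/     { now = 1 }    # DF_1_NOW flag
        END {
            pie = (type == "DYN") ? "yes" : "no"
            # Full RELRO needs the RELRO segment and immediate binding, so
            # the GOT can be made read-only before main() runs.
            if (!relro)   r = "none"
            else if (now) r = "full"
            else          r = "partial"
            printf "pie=%s relro=%s\n", pie, r
        }'
}

# Constructed sample: fixed-address executable with lazy binding.
sample_partial() {
    cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_RELRO      0x001e10 0x0000000000601e10 0x0000000000601e10 0x0001f0 0x0001f0 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
EOF
}

# Constructed sample: position-independent executable linked with -z now.
sample_hardened() {
    cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x002d48 0x0000000000202d48 0x0000000000202d48 0x0002b8 0x0002b8 R   0x1
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
EOF
}

sample_partial  | hardening_status
sample_hardened | hardening_status
```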