Your message dated Sun, 13 Apr 2014 16:47:05 +0000
with message-id <e1wznyf-0003xb...@franck.debian.org>
and subject line Bug#742728: fixed in curl 7.26.0-1+wheezy9
has caused the Debian Bug report #742728,
regarding curl: CVE-2014-0138 CVE-2014-0139
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
742728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742728
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: curl
Version: 7.21.0-1
Severity: grave
Tags: security upstream fixed-upstream

Hi Alessandro,

For having this referenced also in the Debian BTS, the following
vulnerabilities were published for curl.

CVE-2014-0138[0]:
libcurl wrong re-use of connections

CVE-2014-0139[1]:
libcurl IP address wildcard certificate validation

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2014-0138
[1] http://security-tracker.debian.org/tracker/CVE-2014-0139

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.26.0-1+wheezy9

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <gh...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 09 Apr 2014 19:03:55 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev
 libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.26.0-1+wheezy9
Distribution: wheezy-security
Urgency: high
Maintainer: Alessandro Ghedini <gh...@debian.org>
Changed-By: Alessandro Ghedini <gh...@debian.org>
Description:
 curl - command line tool for transferring data with URL syntax
 libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 742728
Changes:
 curl (7.26.0-1+wheezy9) wheezy-security; urgency=high
 .
   * Fix multiple security issues (Closes: #742728):
     - Fix connection re-use when using different log-in credentials
       as per CVE-2014-0138
       http://curl.haxx.se/docs/adv_20140326A.html
     - Reject IP address wildcard matches as per CVE-2014-0139
       http://curl.haxx.se/docs/adv_20140326B.html
   * Set urgency=high accordingly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---