Your message dated Sun, 13 Apr 2014 16:47:05 +0000
with message-id <e1wznyf-0003xb...@franck.debian.org>
and subject line Bug#742728: fixed in curl 7.26.0-1+wheezy9
has caused the Debian Bug report #742728,
regarding curl: CVE-2014-0138 CVE-2014-0139
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
742728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742728
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: curl
Version: 7.21.0-1
Severity: grave
Tags: security upstream fixed-upstream

Hi Alessandro,

For having this referenced also in the Debian BTS, the following
vulnerabilities were published for curl.

CVE-2014-0138[0]:
libcurl wrong re-use of connections

CVE-2014-0139[1]:
libcurl IP address wildcard certificate validation

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2014-0138
[1] http://security-tracker.debian.org/tracker/CVE-2014-0139

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.26.0-1+wheezy9

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <gh...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Apr 2014 19:03:55 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.26.0-1+wheezy9
Distribution: wheezy-security
Urgency: high
Maintainer: Alessandro Ghedini <gh...@debian.org>
Changed-By: Alessandro Ghedini <gh...@debian.org>
Description: 
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 742728
Changes: 
 curl (7.26.0-1+wheezy9) wheezy-security; urgency=high
 .
   * Fix multiple security issues (Closes: #742728):
     - Fix connection re-use when using different log-in credentials
       as per CVE-2014-0138
       http://curl.haxx.se/docs/adv_20140326A.html
     - Reject IP address wildcard matches as per CVE-2014-0139
       http://curl.haxx.se/docs/adv_20140326B.html
   * Set urgency=high accordingly

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
