Your message dated Sun, 13 Apr 2014 17:02:29 +0000 with message-id <e1wznnz-0005zo...@franck.debian.org> and subject line Bug#742728: fixed in curl 7.21.0-2.1+squeeze8 has caused the Debian Bug report #742728, regarding curl: CVE-2014-0138 CVE-2014-0139 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 742728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742728 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: curl Version: 7.21.0-1 Severity: grave Tags: security upstream fixed-upstream Hi Alessandro, For having this referenced also in the Debian BTS, the following vulnerabilities were published for curl. CVE-2014-0138[0]: libcurl wrong re-use of connections CVE-2014-0139[1]: libcurl IP address wildcard certificate validation If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] http://security-tracker.debian.org/tracker/CVE-2014-0138 [1] http://security-tracker.debian.org/tracker/CVE-2014-0139 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: curl Source-Version: 7.21.0-2.1+squeeze8 We believe that the bug you reported is fixed in the latest version of curl, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 742...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Alessandro Ghedini <gh...@debian.org> (supplier of updated curl package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Wed, 09 Apr 2014 19:47:38 +0200 Source: curl Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg Architecture: source amd64 Version: 7.21.0-2.1+squeeze8 Distribution: squeeze-security Urgency: medium Maintainer: Ramakrishnan Muthukrishnan <rkrish...@debian.org> Changed-By: Alessandro Ghedini <gh...@debian.org> Description: curl - Get a file from an HTTP, HTTPS or FTP server libcurl3 - Multi-protocol file transfer library (OpenSSL) libcurl3-dbg - libcurl compiled with debug symbols libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS) libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS) libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL) Closes: 742728 Changes: curl (7.21.0-2.1+squeeze8) squeeze-security; urgency=medium . * Fix multiple security issues (Closes: #742728): - Fix connection re-use when using different log-in credentials as per CVE-2014-0138 http://curl.haxx.se/docs/adv_20140326A.html - Reject IP address wildcard matches as per CVE-2014-0139 http://curl.haxx.se/docs/adv_20140326B.html * Set urgency=high accordingly Checksums-Sha1: 50bc91eb47330235b2a5bfddf8e554a1d7c3579f 2151 curl_7.21.0-2.1+squeeze8.dsc ec43964ff203a7ef144903d30112934e359793d9 102771 curl_7.21.0-2.1+squeeze8.debian.tar.gz f7c5c6fa4d2c3a33f207b6bdd901eec72c0c4796 229044 curl_7.21.0-2.1+squeeze8_amd64.deb 7f72bfaadfd8dda3dc5f497769ad1796b531c9a2 284748 libcurl3_7.21.0-2.1+squeeze8_amd64.deb e2489a9a6fd805ee680aac18a6380086be121791 265604 libcurl3-gnutls_7.21.0-2.1+squeeze8_amd64.deb 3b45b78e781a933ac08b89b70906ab0316fbde61 1100028 libcurl4-openssl-dev_7.21.0-2.1+squeeze8_amd64.deb de31c59a6773bd447b646cfc96f58f089a223b73 1076146 libcurl4-gnutls-dev_7.21.0-2.1+squeeze8_amd64.deb cb0a78c21cce9568257d088dc232fc1176955f2e 106632 libcurl3-dbg_7.21.0-2.1+squeeze8_amd64.deb Checksums-Sha256: 77e07245528ae15a97d124d82da14f20ce7c95df89430c0b1d3069132033dee5 2151 curl_7.21.0-2.1+squeeze8.dsc 85470c161b31e2b5c516bbb243f9d3d1b4d83228d4be2cabce22310a63946980 102771 curl_7.21.0-2.1+squeeze8.debian.tar.gz 6ded9a857b6e33c61b80416b48b5b7cd38591cde43e617b8b4aecd6f260a869e 229044 curl_7.21.0-2.1+squeeze8_amd64.deb d680a70ed55147397ad2126fcd6cdc2769d902771bf91937c6db8415f1c7052f 284748 libcurl3_7.21.0-2.1+squeeze8_amd64.deb a08ff8ce95ba6eab73ee80701e27be91ac5d818eeb8ba887ae671c46eed68936 265604 libcurl3-gnutls_7.21.0-2.1+squeeze8_amd64.deb f9bc5386461ea7da2558bd6f562ad76385c58c43b8507bcd364bb1a14af33c4d 1100028 libcurl4-openssl-dev_7.21.0-2.1+squeeze8_amd64.deb c0cbecd1556383ee1887c4e1461fdd16cadb00b0359a1692053febee64ceea43 1076146 libcurl4-gnutls-dev_7.21.0-2.1+squeeze8_amd64.deb 047bf02f48563d71ee56a8faaf97975fd24fa4c1c259781eea4513516fda4b29 106632 libcurl3-dbg_7.21.0-2.1+squeeze8_amd64.deb Files: 6d113573d45741d6f69cfab6f2388094 2151 web optional curl_7.21.0-2.1+squeeze8.dsc bd41969a372ba02c4d2c9a392d08320a 102771 web optional curl_7.21.0-2.1+squeeze8.debian.tar.gz 3b5a3dc9e36e351151a5488c4aa85aad 229044 web optional curl_7.21.0-2.1+squeeze8_amd64.deb 2aec9d8be465ec9810351e6d4ed181ef 284748 libs optional libcurl3_7.21.0-2.1+squeeze8_amd64.deb bb758639cf48ab179fa6dc0727203168 265604 libs optional libcurl3-gnutls_7.21.0-2.1+squeeze8_amd64.deb 52ae75b00eba599cebf740315ded286e 1100028 libdevel optional libcurl4-openssl-dev_7.21.0-2.1+squeeze8_amd64.deb d0ae33531f5e544ebe9d293681207ae5 1076146 libdevel optional libcurl4-gnutls-dev_7.21.0-2.1+squeeze8_amd64.deb 590a7973511a17a95fca8eca59393536 106632 debug extra libcurl3-dbg_7.21.0-2.1+squeeze8_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJTRZZ+AAoJEK+lG9bN5XPLwCAP/RmISKZOtwXIIhZqvi+bThgZ Jm2REeW8mFk48rC1g6VN1TxfOUFMt1MfJioq7cjEom7CnEj1MTKb+6ap6dB+sKeE b9EXNpmKmJosxpnsZczirldoOXjE4iQ9WfuaWOh9cxMa/O3JCTUnP7yCic3k/sxj LVVzw3LovzafXK2BfwbDe0U0Yr7Pfw4PzN4jrSNCstBUcQIuW3g6YcQj6O8tbwsw NIGtDa1EyA96VJJG6NxcPfnhwEoziP0+OTVAzVSRAerVihoz2F77i27JblSKeSKt zI2lxU9n0LtgUIQmGDVyVO2a5nRQaPFl1y52JXRykZZovioEBSdbgmegst9PPSAV s1iMGwfcEgtL+A+7hE9iH6YOPnTWTecmFwnBHtIyKgfrE09hCh0zdj2prnh1heHs NfNu82VmCspQwG1xGXluLzDiPe4DBV3Sx0CsO/BLhBs1nutxGZj8eaGHqKod5fMV i+yK0mo7eMPg2Lawxm1JhX5xRvB5gYLm+7tpuBIDQoksqfg0UUFgk7gDbFXvikmB Cz59v7y5dbQ3NvDbYZ5B/drHz2VygOHETdR7FtvDHGwgHqePTffgqsBdqG2MlMXi FYN1vJG44zvbOx8rJd/GaZoJYDjWVZYbSfXi7WKDsIzUvGLl4ZCmtBrAgAuyXshP ZeqHutuEBCLBnj2yKu88 =XC1s -----END PGP SIGNATURE-----
--- End Message ---
