[security-announce] curl: Security update

Sona Sarmadi sona.sarmadi at enea.com
Fri May 8 11:09:32 CEST 2015



Enea Linux Security Advisory

=========================================================
Product/package: curl 7.35.0
Severity: Moderate
CVE Names: CVE-2014-3620
=========================================================
This security update fixes a libcurl cookie leak for TLDs.

The patch and README files are gpg signed by ESRT (Enea Security
Response Team) for verification of origin.
To verify the integrity of patches, download the ESRT public key from:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14

For detailed info refer to https://linux.enea.com/4.0/patches/README.asc

Signed/SHA512 patch/README files
================================
0071-curl-Security-Advisory-curl-CVE-2014-3620.README.asc
0071-curl-Security-Advisory-curl-CVE-2014-3620.patch.asc
0071-curl-Security-Advisory-curl-CVE-2014-3620.patch.sha

Description
===========
libcurl wrongly allows cookies to be set for Top Level Domains
(TLDs), thus making them apply more broadly than cookies are
allowed to. This can allow arbitrary sites to set cookies that
would then get sent to a different and unrelated site or domain.
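The domain check that closes this gap, written here as an added illustration rather than as the code of curl's own fix (that lives in the signed patch listed above): a cookie's Domain attribute is rejected when it names a bare TLD, and otherwise must be the originating host or a dot-delimited suffix of it. The host/domain pairs in main() are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings (host names
   are case-insensitive). */
static int eq_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Decide whether a cookie carrying Domain=<domain> may be stored by a
   client that received it from <host>.  Returns 1 to accept, 0 to reject.
   Assumption: host is a DNS name, not an IP literal (IP hosts require an
   exact match and are not handled here). */
int cookie_domain_acceptable(const char *host, const char *domain)
{
    size_t hl, dl;
    const char *dot;

    if (domain[0] == '.')        /* leading dot is legacy syntax, ignore it */
        domain++;
    if (domain[0] == '\0')
        return 0;

    /* No embedded dot ("com", "org") means a bare TLD: storing it would make
       the cookie go to every host under that TLD, which is exactly the case
       the advisory describes.  A trailing dot ("com.") is rejected too. */
    dot = strchr(domain, '.');
    if (dot == NULL || dot[1] == '\0')
        return 0;

    /* Domain must be the host itself or a dot-delimited suffix of it, so a
       cookie set by one site is never sent to an unrelated one. */
    hl = strlen(host);
    dl = strlen(domain);
    if (dl > hl || !eq_ci(host + (hl - dl), domain))
        return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

int main(void)
{
    /* Constructed samples: (host the cookie came from, Domain attribute) */
    printf("evil.com / .com                  -> %d\n", cookie_domain_acceptable("evil.com", ".com"));
    printf("www.example.com / example.com    -> %d\n", cookie_domain_acceptable("www.example.com", "example.com"));
    printf("notexample.com / example.com     -> %d\n", cookie_domain_acceptable("notexample.com", "example.com"));
    return 0;
}
```

A single-dot heuristic still accepts registry suffixes such as co.uk; a Public Suffix List lookup is the complete check.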

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620
http://curl.haxx.se/docs/http-cookies.html

How to apply the patches
=======================
- - - - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches>

- - - - Fetch and apply the new patch
wget https://linux.enea.com/4.0/patches/0071-curl-Security-Advisory-curl-CVE-2014-3620.patch.asc
patch -p1 < ./0071-curl-Security-Advisory-curl-CVE-2014-3620.patch.asc

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
