[security-announce] curl: Security update

Sona Sarmadi sona.sarmadi at enea.com
Mon May 18 14:22:31 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	Enea Linux Security Advisory

=========================================================
Product/package: curl 7.35.0
Severity: Moderate
CVE Names: CVE-2014-8150
=========================================================
This security update fixes a URL request injection vulnerability.

The patch and README files are gpg signed by ESRT (Enea Security
Response Team) for verification of origin.
To verify the integrity of the patches, download the ESRT public key from:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14

For detailed info refer to https://linux.enea.com/4.0/patches/README.asc

Signed/SHA512 patch/README files
================================
0074-curl-CVE-2014-8150.README.asc
0074-curl-CVE-2014-8150.patch.asc
0074-curl-CVE-2014-8150.patch.sha

Description
===========
CRLF injection vulnerability in libcurl 6.0 through 7.x before
7.40.0, when using an HTTP proxy, allows remote attackers to
inject arbitrary HTTP headers and conduct HTTP response splitting
attacks via CRLF sequences in a URL.
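
The effect described above, and an application-side check for it, as an added example (not libcurl code and not the Enea patch). The function names and the sample URLs are constructed for illustration, and the example assumes the client copies the whole URL into the request line it sends to the proxy.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not taken from the advisory). */
static const char CLEAN_URL[] = "http://example.com/a";
static const char CRLF_URL[]  = "http://example.com/a\r\nX-Injected: 1";

/* Return 1 if the URL carries a raw CR or LF byte, else 0. */
int url_has_crlf(const char *url)
{
    return strpbrk(url, "\r\n") != NULL;
}

/* Count CRLF line terminators in a request buffer. */
static int count_crlf(const char *req)
{
    int n = 0;
    for (const char *p = req; (p = strstr(p, "\r\n")) != NULL; p += 2)
        n++;
    return n;
}

/*
 * Format the request a client sends to an HTTP proxy, where the whole URL
 * is the request target. With check == 0 the URL is copied as-is (the
 * behaviour the advisory describes); with check != 0 a URL containing
 * CR or LF is refused. Returns the number of CRLF-terminated lines the
 * proxy would parse, or -1 if the URL was refused or did not fit.
 */
int proxy_request_lines(const char *url, int check)
{
    char req[512];
    int n;

    if (check && url_has_crlf(url))
        return -1;
    n = snprintf(req, sizeof req,
                 "GET %s HTTP/1.1\r\nHost: example.com\r\n\r\n", url);
    if (n < 0 || (size_t)n >= sizeof req)
        return -1;
    return count_crlf(req);
}

int main(void)
{
    printf("clean, unchecked: %d lines\n", proxy_request_lines(CLEAN_URL, 0));
    printf("CRLF,  unchecked: %d lines\n", proxy_request_lines(CRLF_URL, 0));
    printf("CRLF,  checked:   %d\n", proxy_request_lines(CRLF_URL, 1));
    return 0;
}
```

The extra line in the unchecked case is what the proxy parses as a header the application never set; validating URLs from untrusted input this way is a stopgap until the patched curl is deployed.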

References:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

 - Fetch and apply the new patch
wget https://linux.enea.com/4.0/patches/0074-curl-CVE-2014-8150.patch.asc
patch -p1 < ./0074-curl-CVE-2014-8150.patch.asc

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----