[security-announce] curl: Security update

Sona Sarmadi sona.sarmadi at enea.com
Thu May 7 14:30:34 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	Enea Linux Security Advisory

=========================================================
Product/package: curl 7.35.0
Severity: Moderate
CVE Names: CVE-2014-3613
=========================================================

This security update fixes incorrect handling of IP addresses in
cookie domain.

The patch and README files are GPG-signed by ESRT (Enea Security
Response Team) so that their origin can be verified.
To verify the integrity of the patches, download the ESRT public key from:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14

For detailed info refer to https://linux.enea.com/4.0/patches/README.asc

Signed/SHA512 patch/README files
================================
0070-curl-Security-Advisory-curl-CVE-2014-3613.README.asc
0070-curl-Security-Advisory-curl-CVE-2014-3613.patch.asc
0070-curl-Security-Advisory-curl-CVE-2014-3613.patch.sha

Description
===========
By not detecting and rejecting domain names that are partial literal
IP addresses when parsing received HTTP cookies, libcurl can be fooled
both into sending cookies to the wrong sites and into allowing
arbitrary sites to set cookies for others.
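
The following example is added to this advisory to illustrate the rule the
description refers to; it is not code from curl or from Enea. It models a cookie
Domain check in C: `domain_ok_legacy` accepts any Domain attribute that
tail-matches the request host, so a cookie with `Domain=0.0.1` received from
`127.0.0.1` is accepted and would later be sent to every host ending in
`.0.0.1`; `domain_ok_fixed` applies the rule that a host given as a literal IP
address only matches a cookie domain identical to it, while tail matching is
reserved for DNS names. The function names, the IPv6 heuristic, and the sample
cases are assumptions made for the example; the code is a simplified model, not
libcurl's cookie parser.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns true if `s` is a complete dotted-quad IPv4 literal (4 octets, 0-255).
 * "0.0.1" has only three octets and is therefore NOT an IP literal; it is
 * exactly the kind of "partial literal IP address" the advisory warns about
 * when it appears as a cookie Domain attribute. */
static bool is_ipv4_literal(const char *s)
{
    int octets = 0;
    while (*s) {
        int value = 0, digits = 0;
        if (!isdigit((unsigned char)*s))
            return false;
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s++ - '0');
            if (++digits > 3)
                return false;
        }
        if (value > 255)
            return false;
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0')      /* trailing dot: not a literal */
                return false;
        } else if (*s != '\0') {
            return false;        /* any other character */
        }
    }
    return octets == 4;
}

/* Crude IPv6 detection (assumption for this example): hostnames never
 * contain ':', so any ':' means the host is an IPv6 literal. */
static bool is_ip_literal(const char *host)
{
    return is_ipv4_literal(host) || strchr(host, ':') != NULL;
}

/* Classic cookie tail match: `domain` (with or without a leading dot) must
 * equal `host` or be a suffix of it on a label boundary.
 * "example.com" matches "www.example.com"; "ample.com" does not. */
static bool tail_match(const char *domain, const char *host)
{
    if (*domain == '.')
        domain++;
    size_t dl = strlen(domain), hl = strlen(host);
    if (dl == 0 || dl > hl)
        return false;
    if (strcasecmp(host + (hl - dl), domain) != 0)
        return false;
    return dl == hl || host[hl - dl - 1] == '.';
}

/* Legacy behaviour described by the advisory: tail matching is applied to
 * every host, including numeric ones, so "0.0.1" is accepted for 127.0.0.1
 * and the stored cookie is later sent to any host ending in ".0.0.1". */
bool domain_ok_legacy(const char *domain, const char *host)
{
    return tail_match(domain, host);
}

/* Hardened rule: a host that is a literal IP address only accepts (and is
 * only sent) a cookie whose Domain equals that address exactly. */
bool domain_ok_fixed(const char *domain, const char *host)
{
    if (*domain == '.')
        domain++;
    if (is_ip_literal(host))
        return strcasecmp(domain, host) == 0;
    return tail_match(domain, host);
}

int main(void)
{
    /* Constructed sample cases: (Domain attribute, request host). */
    static const char *cases[][2] = {
        { "0.0.1",       "127.0.0.1" },        /* partial literal IP, the bug */
        { "0.0.1",       "10.0.0.1"  },        /* where the leaked cookie would go */
        { "127.0.0.1",   "127.0.0.1" },        /* exact match stays allowed */
        { "example.com", "www.example.com" },  /* normal DNS tail match */
        { "ample.com",   "example.com" },      /* not on a label boundary */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("domain=%-12s host=%-16s legacy=%d fixed=%d\n",
               cases[i][0], cases[i][1],
               domain_ok_legacy(cases[i][0], cases[i][1]),
               domain_ok_fixed(cases[i][0], cases[i][1]));
    return 0;
}
```

Compile with any C99 compiler on a POSIX system; `main` prints the five cases.
The same predicate has to be applied both when a cookie is stored and when one
is selected for sending: the two consequences the advisory names (cookies sent
to the wrong site, and arbitrary sites setting cookies for others) are the two
halves of one missing check.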

References:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613
http://curl.haxx.se/docs/adv_20140910A.html

How to apply the patches
=======================
- - - - - - - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

- - - - - - - Fetch and apply the new patch
wget https://linux.enea.com/4.0/patches/0070-curl-Security-Advisory-curl-CVE-2014-3613.patch.asc
patch -p1 < ./0070-curl-Security-Advisory-curl-CVE-2014-3613.patch.asc

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----