[security-announce] curl: Security update

Sona Sarmadi sona.sarmadi at enea.com
Mon May 18 14:19:44 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	Enea Linux Security Advisory

=========================================================
Product/package: curl 7.35.0
Severity: Moderate
CVE Names: CVE-2014-3707
=========================================================
This security update fixes a bug that can lead to libcurl
eventually sending off sensitive data that was not intended
for sending.

The patch and README files are gpg signed by ESRT (Enea Security
Response Team) for verification of origin.
To verify the integrity of patches download the ESRT public Key from:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14

For detailed info refer to https://linux.enea.com/4.0/patches/README.asc

Signed/SHA512 patch/README files
================================
0073-curl-CVE-2014-3707.README.asc
0073-curl-CVE-2014-3707.patch.asc
0073-curl-CVE-2014-3707.patch.sha

Description
===========
The curl_easy_duphandle function in libcurl 7.17.1 through
7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option,
does not properly copy HTTP POST data for an easy handle,
which triggers an out-of-bounds read that allows remote web
servers to read sensitive memory information.
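To find which hosts actually need this update, the following POSIX shell snippet (added here as an illustration, not part of the Enea advisory) turns a libcurl version string into the same XXYYZZ integer layout that libcurl's own LIBCURL_VERSION_NUM uses and checks it against the 7.17.1 through 7.38.0 range given in the description above. The `libcurl/X.Y.Z` token it reads from the first line of `curl --version` and the banner string in the comments are assumptions about the output format, not something the advisory states.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether an installed
# libcurl falls in the range the CVE-2014-3707 description gives.
set -eu

# Encode "X.Y.Z" as X*65536 + Y*256 + Z, the layout libcurl uses for
# LIBCURL_VERSION_NUM, so a plain integer comparison orders versions.
version_num() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" != "$rest" ] || patch=0      # "7.35" carries no patch level
    echo $(( major * 65536 + minor * 256 + patch ))
}

AFFECTED_FIRST=$(version_num 7.17.1)        # first affected release
AFFECTED_LAST=$(version_num 7.38.0)         # last affected release

# Return 0 (true) when the given libcurl version is inside the affected range.
is_affected() {
    num=$(version_num "$1")
    [ "$num" -ge "$AFFECTED_FIRST" ] && [ "$num" -le "$AFFECTED_LAST" ]
}

# Pull the libcurl/X.Y.Z token out of the first line of `curl --version`
# (assumed format, e.g. "curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 ...").
libcurl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p' | head -n1
}

# Check the curl binary on this host; exit status 0 = affected, 1 = not,
# 2 = version could not be determined.
check_installed_curl() {
    banner=$(curl --version 2>/dev/null | head -n1)
    v=$(libcurl_version_from_banner "$banner")
    [ -n "$v" ] || return 2
    if is_affected "$v"; then
        echo "libcurl $v is in the CVE-2014-3707 range (7.17.1 - 7.38.0): apply the patch"
        return 0
    fi
    echo "libcurl $v is outside the affected range"
    return 1
}

# Only probe the host when run with --check, so the helpers above can be
# sourced and exercised without a curl binary present.
if [ "${1:-}" = "--check" ]; then
    check_installed_curl
fi
```

Run it as `sh check-curl.sh --check` on each host; the exit status makes it easy to drive from a fleet inventory job.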

References:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

 - Fetch and apply the new patch
wget https://linux.enea.com/4.0/patches/0073-curl-CVE-2014-3707.patch.asc
patch -p1 < ./0073-curl-CVE-2014-3707.patch.asc
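The two steps the advisory asks for before applying the patch, checking the ESRT signature and the SHA-512 digest, are put together in the following script. It is an added example, not Enea's own tooling: the key ID comes from the pgp.mit.edu lookup URL above, and the script assumes that the .sha file lists a sha512sum-style digest of the .patch.asc file, that gpg, sha512sum, wget and patch are installed, and that it is run from the Enea-Linux-4.0/poky/ directory after the earlier patches have been applied.

```shell
#!/bin/sh
# Added example (not Enea's own script): fetch the signed patch and its
# digest, verify both, and only then apply the patch to the poky tree.
# Assumption: the .sha file holds a sha512sum-style digest of the .patch.asc.
set -eu

BASE_URL="https://linux.enea.com/4.0/patches"
PATCH="0073-curl-CVE-2014-3707.patch.asc"
SHAFILE="0073-curl-CVE-2014-3707.patch.sha"
ESRT_KEYID="773EF6EF68716A14"      # from the pgp.mit.edu lookup in the advisory

# Compare a file's SHA-512 digest with the first 128-hex-digit token found
# in the .sha file. Returns 0 on match, 1 on mismatch, 2 if no digest is found.
verify_sha512() {
    file="$1"; shafile="$2"
    expected=$(sed -n 's/.*\([0-9a-fA-F]\{128\}\).*/\1/p' "$shafile" | head -n1)
    [ -n "$expected" ] || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Fetch, verify signature and digest, dry-run, then apply.
fetch_verify_apply() {
    wget -q "$BASE_URL/$PATCH" "$BASE_URL/$SHAFILE"
    # Import the ESRT key; compare its fingerprint against a copy obtained
    # out of band before trusting it.
    gpg --keyserver hkps://pgp.mit.edu --recv-keys "$ESRT_KEYID"
    gpg --verify "$PATCH"                  # signature on the clearsigned patch
    verify_sha512 "$PATCH" "$SHAFILE"      # digest published in the .sha file
    patch -p1 --dry-run < "./$PATCH"       # refuse to touch the tree on a bad hunk
    patch -p1 < "./$PATCH"
}

# Run the full procedure only when asked, so verify_sha512 can be sourced
# and exercised without network access.
if [ "${1:-}" = "--apply" ]; then
    fetch_verify_apply
fi
```

Because `set -e` is in force, a failed signature check, a digest mismatch or a rejected hunk stops the script before `patch` modifies anything, which is the behaviour you want on a build host.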

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
