[security-announce] Security Update: curl: Upgrade 7.47.1 -> 7.53.1

Sona Sarmadi sona.sarmadi at enea.com
Mon Apr 24 11:05:52 CEST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (cURL)
Architecture: ALL
CVE Name: See below
====================================================================

The cURL package shipped in Enea Linux 6.0 has been upgraded from 7.47.1
to 7.53.1 to address the vulnerabilities listed below.

Security vulnerabilities fixed between 7.47.1 and 7.53.1:
=========================================================
CVE-2017-7468: TLS session resumption client cert bypass (this flaw is
a regression of CVE-2016-5419, reported on August 3rd 2016: the same
bug, but affecting a different version range. Note that upstream curl
shipped the fixes for CVE-2017-7468 and CVE-2017-7407 in 7.54.0, which
was released after 7.53.1, so a plain version bump to 7.53.1 does not
cover them; they have to be present as backported patches in the Enea
patch referenced below, so check that commit for them before treating
this list as closed.)
CVE-2017-7407: --write-out out of buffer read
CVE-2017-2629: SSL_VERIFYSTATUS ignored
CVE-2016-9594: uninitialized random
CVE-2016-9586: printf floating point buffer overflow
CVE-2016-9952: Win CE schannel cert wildcard matches too much
CVE-2016-9953: Win CE schannel cert name out of buffer read
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
CVE-2016-7167: curl escape and unescape integer overflows
CVE-2016-7141: Incorrect reuse of client certificates
CVE-2016-5419: TLS session resumption client cert bypass
CVE-2016-5420: Re-using connections with wrong client cert
CVE-2016-5421: use of connection struct after free
CVE-2016-4802: Windows DLL hijacking
CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL

References:
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/changes.html


Reference to Enea Linux patch
=============================
https://git.enea.com/cgit/linux/poky.git/patch/?id=3fc5d271f554e07c88b1195812e48a0d86291395

How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to
get the new security patches:

$ cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned the needed repositories, do so as described
below (security patches are fetched implicitly when cloning the repos).

To download the source for Enea Linux 6.0 standard with the repo tool,
follow the steps below:
1. Make sure that the repo tool is installed. If not, install it as
follows:

$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo

The instructions assume that ~/bin exists and is included in the PATH
variable.

2. Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init -u git://git.enea.com/linux/el_manifests-standard.git -b krogoth -m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPPC: qemuppc/default.xml
QEMUX86: qemux86/default.xml
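
Once the synced tree has been built and deployed, the check a practitioner
wants is that the target really runs the fixed version. The following POSIX
shell snippet is an added example, not part of the Enea advisory or of the
curl project: it parses the first line of `curl --version` output and
compares the version field by field against 7.53.1, the version this
advisory upgrades to. The sample banners are constructed, not captured
from a real target.

```shell
#!/bin/sh
# Added example (not from the Enea advisory): decide whether a curl binary
# is at or above the version this advisory upgrades to.  Versions must be
# compared numerically per field; a plain string compare would rank
# "7.9.1" above "7.53.1".

FIXED_VERSION="7.53.1"

# ver_ge A B -> exit 0 if dotted version A >= B, 1 otherwise.
# Uses globals a, b, fa, fb (POSIX sh has no local variables).
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        # drop the consumed field; an exhausted string becomes empty
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # a missing trailing field counts as 0 (7.53 == 7.53.0 < 7.53.1)
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# curl_version_from_banner BANNER -> prints the version number taken from
# the first line of `curl --version` output ("curl 7.47.1 (x86_64-...) ...");
# prints nothing if the first line is not a curl banner.
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# curl_is_fixed BANNER -> prints "fixed", "vulnerable" or "unknown"
curl_is_fixed() {
    v=$(curl_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif ver_ge "$v" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Constructed sample banners in the shape `curl --version` prints; they
# were not captured from a real Enea Linux target.
OLD_BANNER='curl 7.47.1 (x86_64-poky-linux) libcurl/7.47.1 OpenSSL/1.0.2h zlib/1.2.8
Protocols: file ftp ftps http https
Features: IPv6 Largefile NTLM SSL libz UnixSockets'
NEW_BANNER='curl 7.53.1 (x86_64-poky-linux) libcurl/7.53.1 OpenSSL/1.0.2h zlib/1.2.8'

# On a live target run:  curl_is_fixed "$(curl --version)"
```

Run `curl_is_fixed "$(curl --version)"` on the target to check the live
binary. As with any version-based check, a "fixed" result only shows that
the package was rebuilt at the expected version; it says nothing about
whether any particular CVE patch was applied on top of that version.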

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For general security information refer to the Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed in Enea Linux releases see the CVE list:
http://www.enea.com/products/security/security-updates

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJY/b/wAAoJEAilI68fskZdjPgIALMzIS9sU/GU9n4+ZRDZ56m5
OUoxZKnv1zbCIA7vMXtFUiJOhcXOzdE2S3kkXOhsmRI+BNNICQlDrV165v9cOqg4
xrEUheQ2ylNq7adwcObMDM1zsHSSr6Afjh0yvmoPmhrqPS4a1ZvjSdwOdI2Ejuar
X6snUS1rEB4KewwOY8wbDXCUjF2T0SyEVBO0dPAHB61Mhv6+iy8bx6UkloO4+lx7
RIiHARyQaxjNJF3P5nMWarDDVU/RnazNtLjrnQIuRDbfnmMXmugtg462/za1O9lp
rIxJp86WTwGVEHve6n23aZXvxdr81a4e1NZ4BkPTFxLL/BeZ6qLekNks1eGOl6s=
=JJ3l
-----END PGP SIGNATURE-----