[Fwd: [Bug 1234] New: Security flaws in cURL 7.13.0]

Dan Osterrath Dan.Osterrath at gmx.de
Wed Feb 23 23:51:32 PST 2005


JFYI.

PS: What a nice bug id. Any awards for me? ;-)

-------- Original Message --------
Subject: [Bug 1234] New: Security flaws in cURL 7.13.0
Date: Thu, 24 Feb 2005 00:23:16 -0700 (MST)
From: blfs-bugs at linuxfromscratch.org
Reply-To: BLFS Book Maintenance List <blfs-book at linuxfromscratch.org>
To: blfs-book at linuxfromscratch.org



http://blfs-bugs.linuxfromscratch.org/show_bug.cgi?id=1234

           Summary: Security flaws in cURL 7.13.0
           Product: Beyond LinuxFromScratch
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: BOOK
        AssignedTo: blfs-book at linuxfromscratch.org
        ReportedBy: Dan.Osterrath at gmx.de
         QAContact: blfs-book at linuxfromscratch.org


There are two security leaks in the current version of cURL.
http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities&flashstatus=false
http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities

iDefense only verified version 7.12.1, but the cURL news page doesn't state
explicitly that 7.13.0 is clean.
http://curl.haxx.se/news.html

Unfortunately there seems to be only one official patch for the first issue
(NTLM authentication).
http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.36&r2=1.37
The date of revision 1.36 confirms the suspicion that even the current version
is affected.

The second issue (Kerberos authentication) seems to be still unpatched. At least
there is a suggestion on the website from iDefense (see the links above).







