12577 – [Update Request] Update curl package to fix CVE-2014-0015: re-use of wrong HTTP NTLM connection

Bug 12577 - [Update Request] Update curl package to fix CVE-2014-0015: re-use of wrong HTTP NTLM connection

Summary: [Update Request] Update curl package to fix CVE-2014-0015: re-use of wrong HT...

Status:	RESOLVED DUPLICATE of bug 12476

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://curl.haxx.se/docs/adv_20140129...
Whiteboard:	MGA3TOO
Keywords:

Depends on:
Blocks:

Reported:	2014-02-04 18:34 CET by Funda Wang
Modified:	2014-02-04 19:42 CET (History)
CC List:	1 user (show)

See Also:
Source RPM:	curl-7.34.0-1.1.mga4, curl-7.28.1-6.3.mga3
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Funda Wang 2014-02-04 18:34:51 CET

libcurl can in some circumstances re-use the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS request(CVE-2014-0015). The package was updated and rebuilt to have this vulnerability fixed by merging upstream patch.


Reproducible: 

Steps to Reproduce:

Funda Wang 2014-02-04 18:35:28 CET

Hardware: i586 => All
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-02-04 19:42:31 CET

Thanks Funda.  Please check Bugzilla first :o)

*** This bug has been marked as a duplicate of bug 12476 ***

Status: NEW => RESOLVED
CC: (none) => luigiwalser
Resolution: (none) => DUPLICATE

Note You need to log in before you can comment on or make changes to this bug.