Bug 9713 - curl new security issue CVE-2013-1944
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/547396/
Whiteboard: has_procedure mga2-32-ok mga2-64-ok
Keywords: validated_update
Reported: 2013-04-12 18:00 CEST by David Walser
Modified: 2013-04-18 00:31 CEST (History)
Source RPM: curl-7.28.1-5.mga3.src.rpm
Description David Walser 2013-04-12 18:00:29 CEST
Upstream has issued an advisory today (April 12):
http://curl.haxx.se/docs/adv_20130412.html

The issue is fixed upstream in 7.30.0 and with a patch.

The patch is currently checked into Cauldron and Mageia 2 SVN.

Comment 1 David Walser 2013-04-13 23:22:16 CEST
Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated curl packages fix security vulnerability:

libcurl is vulnerable to a cookie leak vulnerability when doing requests across
domains with matching tails. This vulnerability can be used to hijack sessions
in targeted attacks since registering domains using a known domain's name as
an ending is trivial (CVE-2013-1944).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944
http://curl.haxx.se/docs/adv_20130412.html
========================

Updated packages in core/updates_testing:
========================
curl-7.24.0-1.1.mga2
libcurl4-7.24.0-1.1.mga2
libcurl-devel-7.24.0-1.1.mga2
curl-examples-7.24.0-1.1.mga2

from curl-7.24.0-1.1.mga2.src.rpm
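The class of bug the advisory describes, shown as an added illustration (not curl's own code): a naive suffix ("tail") match of the host against the cookie domain beside a check that requires the match to start at a label boundary. Function names and the sample hostnames are made up for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Weak check (illustrative, not curl's code): true whenever `host` merely ends
 * with `cookie_domain`, so a cookie stored for "example.com" is also matched by
 * "notexample.com". That is the cross-domain leak the advisory describes. */
bool tailmatch_weak(const char *cookie_domain, const char *host)
{
    size_t dlen = strlen(cookie_domain), hlen = strlen(host);
    if (dlen == 0 || dlen > hlen)
        return false;
    return strncasecmp(cookie_domain, host + (hlen - dlen), dlen) == 0;
}

/* Boundary-aware check: the cookie domain must equal the host or be a suffix
 * that starts at a label boundary (preceded by '.'); a leading dot on the
 * stored domain (".example.com") is tolerated. */
bool tailmatch_fixed(const char *cookie_domain, const char *host)
{
    if (*cookie_domain == '.')
        cookie_domain++;
    size_t dlen = strlen(cookie_domain), hlen = strlen(host);
    if (dlen == 0 || dlen > hlen)
        return false;
    if (strncasecmp(cookie_domain, host + (hlen - dlen), dlen) != 0)
        return false;
    return hlen == dlen || host[hlen - dlen - 1] == '.';
}

/* Number of hosts the weak matcher would send the cookie to but the
 * boundary-aware matcher rejects, i.e. the leaks. */
int count_leaks(const char *cookie_domain, const char *const *hosts, size_t n)
{
    int leaks = 0;
    for (size_t i = 0; i < n; i++)
        if (tailmatch_weak(cookie_domain, hosts[i]) &&
            !tailmatch_fixed(cookie_domain, hosts[i]))
            leaks++;
    return leaks;
}

int main(void)
{   /* Constructed sample hostnames for the demonstration. */
    const char *const hosts[] = { "example.com", "www.example.com", "notexample.com", "example.com.test" };
    printf("weak check leaks the example.com cookie to %d of 4 hosts\n", count_leaks("example.com", hosts, 4));
    return 0;
}
```

Even the boundary-aware check does not stop a cookie stored for a public suffix such as "co.uk" from matching every host beneath it; that needs a public suffix list and is a separate concern from this CVE.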
Comment 2 David Walser 2013-04-16 19:51:05 CEST
Ubuntu has issued an advisory for this on April 15:
http://www.ubuntu.com/usn/usn-1801-1/
Comment 3 David Walser 2013-04-16 19:54:52 CEST
Re-diffed patch from Ubuntu added to Mageia 1 SVN.
Comment 4 claire robinson 2013-04-17 21:35:07 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=4307#c11
Comment 5 claire robinson 2013-04-17 21:59:05 CEST
Testing complete mga2 32

Curl also has a comprehensive test suite which runs at build time.
Comment 6 claire robinson 2013-04-17 22:03:53 CEST
Testing complete mga2 64

Validating

SRPM & advisory in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 7 Thomas Backlund 2013-04-18 00:31:00 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0121
