SUSE-SU-2013:1736-1: moderate: Security update for curl

sle-security-updates at lists.suse.com
Wed Nov 20 07:04:13 MST 2013


   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1736-1
Rating:             moderate
References:         #765342 #769247 #814655 #824517 
Cross-References:   CVE-2013-1944 CVE-2013-2174
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes
   is now available. It includes one version update.

Description:


   This is an LTSS roll-up update for the download library
   curl, fixing security issues and bugs.

   * A heap-based buffer overflow in the curl_easy_unescape function in
   lib/escape.c in cURL and libcurl allowed remote attackers to cause a
   denial of service (application crash) or possibly execute arbitrary
   code via a crafted string ending in a "%" (percent) character.
   (CVE-2013-2174)

   * The tailMatch function in cookie.c in cURL and libcurl did not
   properly match the path domain when sending cookies, which allowed
   remote attackers to steal cookies via a matching suffix in the domain
   of a URL. (CVE-2013-1944)
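   Both issues above come down to a missing boundary check. The following
   is an added example in C (my own code, not curl's lib/escape.c or
   cookie.c): a bounds-checked percent-decoder that copies a trailing "%"
   literally instead of reading past the input, and a cookie-domain tail
   match that requires a dot before the suffix so that "notexample.com"
   does not match "example.com". The function names and the 64-byte
   buffer in the test helper are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hex digit to value; callers have already checked isxdigit(). */
static int hexval(unsigned char c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Bounds-checked percent-decoder (added example, not curl's lib/escape.c).
 * "%XX" is decoded only when both hex digits lie inside the `len` bytes given;
 * a trailing "%" (the CVE-2013-2174 input) or a short "%4" is copied literally
 * rather than read past the end. Returns decoded length (no NUL), -1 if full. */
long safe_unescape(const char *in, size_t len, char *out, size_t outcap)
{
    size_t i = 0, o = 0;
    while (i < len) {
        if (o >= outcap) return -1;
        if (in[i] == '%' && i + 2 < len &&
            isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            out[o++] = (char)(hexval((unsigned char)in[i + 1]) * 16 + hexval((unsigned char)in[i + 2]));
            i += 3;
        } else {
            out[o++] = in[i++];
        }
    }
    return (long)o;
}

/* Decodes a C string and reports whether the result equals `want` (for tests). */
int unescape_equals(const char *in, const char *want)
{
    char buf[64];
    long n = safe_unescape(in, strlen(in), buf, sizeof buf);
    return n == (long)strlen(want) && memcmp(buf, want, (size_t)n) == 0;
}

/* Cookie domain check (added example, not curl's cookie.c tailMatch()).
 * "example.com" matches itself and subdomains such as "www.example.com".
 * A bare suffix compare would also match "notexample.com", the CVE-2013-1944
 * pattern; requiring a '.' just before the suffix is the missing boundary.
 * A leading dot on the cookie domain (".example.com") is ignored. */
int cookie_domain_matches(const char *cookie_domain, const char *host)
{
    if (*cookie_domain == '.') cookie_domain++;
    size_t cl = strlen(cookie_domain), hl = strlen(host);
    if (cl == 0 || hl < cl) return 0;
    for (size_t k = 0; k < cl; k++)
        if (tolower((unsigned char)host[hl - cl + k]) != tolower((unsigned char)cookie_domain[k]))
            return 0;
    return hl == cl || host[hl - cl - 1] == '.';
}
```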

   Additionally, the following bug was fixed:

   * If a proxy offers NTLM and Negotiate authentication
   and libcurl is set to not use the Negotiate scheme then the
   request never returns when the proxy answers with HTTP 407.
   (bnc#769247, bnc#765342)

   Security Issues:

   * CVE-2013-2174
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174>
   * CVE-2013-1944
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-curl-8453

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-curl-8453

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 7.19.7]:

      curl-7.19.7-1.20.27.9
      libcurl4-7.19.7-1.20.27.9

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (x86_64) [New Version: 7.19.7]:

      libcurl4-32bit-7.19.7-1.20.27.9

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 7.19.7]:

      curl-7.19.7-1.20.27.9
      libcurl4-7.19.7-1.20.27.9

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 7.19.7]:

      libcurl4-32bit-7.19.7-1.20.27.9


References:

   http://support.novell.com/security/cve/CVE-2013-1944.html
   http://support.novell.com/security/cve/CVE-2013-2174.html
   https://bugzilla.novell.com/765342
   https://bugzilla.novell.com/769247
   https://bugzilla.novell.com/814655
   https://bugzilla.novell.com/824517
   http://download.novell.com/patch/finder/?keywords=b9c5f7f6584661b3c628c7965dcd5b65
