SUSE-SU-2013:1736-1: moderate: Security update for curl
sle-security-updates at lists.suse.com
Wed Nov 20 07:04:13 MST 2013
SUSE Security Update: Security update for curl
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:1736-1
Rating: moderate
References: #765342 #769247 #814655 #824517
Cross-References: CVE-2013-1944 CVE-2013-2174
Affected Products:
SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________
An update that solves two vulnerabilities and has two fixes
is now available. It includes one version update.
Description:
This is an LTSS roll-up update for the download library
curl, fixing security issues and bugs.
* A heap-based buffer overflow in the curl_easy_unescape function in
lib/escape.c in cURL and libcurl allowed remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via a crafted string ending in a "%" (percent) character.
(CVE-2013-2174)
* The tailMatch function in cookie.c in cURL and libcurl did not
properly match the path domain when sending cookies, which allowed
remote attackers to steal cookies via a matching suffix in the domain
of a URL. (CVE-2013-1944)
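The two checks below are an added example written for this page; they are not curl's code and do not reproduce its internals. They show the defensive behaviour the two advisories call for: a percent-decoder that treats an incomplete escape (including a trailing "%") as literal text instead of reading past the end of its input, and a cookie domain match that only accepts a suffix on a label boundary, so a cookie scoped to "example.com" is not sent to "notexample.com". The function names safe_unescape and cookie_domain_matches are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not curl's code. Returns the value of one hex digit, or -1. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode in[0..inlen) into a newly allocated NUL-terminated buffer.
 * A "%" is only consumed as an escape when two hex digits actually follow
 * it inside the input; a bare or truncated "%" is copied through literally,
 * so the loop never reads beyond inlen (the failure mode behind
 * CVE-2013-2174). Output is at most inlen + 1 bytes. Returns NULL on
 * allocation failure. Caller frees the result. */
char *safe_unescape(const char *in, size_t inlen)
{
    char *out = malloc(inlen + 1);
    size_t i = 0, o = 0;
    if (!out) return NULL;
    while (i < inlen) {
        if (in[i] == '%' && i + 2 < inlen) {          /* both digits are in bounds */
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out[o++] = (char)(hi * 16 + lo);
                i += 3;
                continue;
            }
        }
        out[o++] = in[i++];                            /* literal byte, incl. bare "%" */
    }
    out[o] = '\0';
    return out;
}

/* Cookie domain tail match on a label boundary. Both arguments are assumed
 * to be lowercase and without a leading dot. Returns 1 when the cookie may
 * be sent to host, 0 otherwise. A plain suffix compare would also accept
 * "notexample.com" for a cookie domain of "example.com" (CVE-2013-1944). */
int cookie_domain_matches(const char *host, const char *cookie_domain)
{
    size_t hl = strlen(host), dl = strlen(cookie_domain);
    if (dl == 0 || hl < dl) return 0;
    if (strcmp(host + hl - dl, cookie_domain) != 0) return 0; /* suffix must match */
    if (hl == dl) return 1;                                     /* exact host match */
    return host[hl - dl - 1] == '.';                            /* suffix must begin a label */
}

int main(void)
{
    /* Constructed sample inputs for a stand-alone run. */
    const char *samples[] = { "abc%", "a%41", "%4", "%zz" };
    for (size_t k = 0; k < 4; k++) {
        char *d = safe_unescape(samples[k], strlen(samples[k]));
        printf("unescape(\"%s\") -> \"%s\"\n", samples[k], d ? d : "(alloc failed)");
        free(d);
    }
    printf("www.example.com vs example.com: %d\n", cookie_domain_matches("www.example.com", "example.com"));
    printf("notexample.com  vs example.com: %d\n", cookie_domain_matches("notexample.com", "example.com"));
    return 0;
}
```

The decoder takes an explicit length rather than relying on a terminating NUL, so the bounds check is the same whether the input is a C string or a raw buffer; the cookie check needs only the one extra character test before the matched suffix to reject look-alike domains.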
Additionally, the following bug was fixed:
* If a proxy offers NTLM and Negotiate authentication
and libcurl is set to not use the Negotiate scheme, then the
request never returns when the proxy answers with HTTP 407.
(bnc#769247, bnc#765342)
Security Issues:
* CVE-2013-2174
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174>
* CVE-2013-1944
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:
zypper in -t patch slessp1-curl-8453
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-curl-8453
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 7.19.7]:
curl-7.19.7-1.20.27.9
libcurl4-7.19.7-1.20.27.9
- SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (x86_64) [New Version: 7.19.7]:
libcurl4-32bit-7.19.7-1.20.27.9
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 7.19.7]:
curl-7.19.7-1.20.27.9
libcurl4-7.19.7-1.20.27.9
- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 7.19.7]:
libcurl4-32bit-7.19.7-1.20.27.9
References:
http://support.novell.com/security/cve/CVE-2013-1944.html
http://support.novell.com/security/cve/CVE-2013-2174.html
https://bugzilla.novell.com/765342
https://bugzilla.novell.com/769247
https://bugzilla.novell.com/814655
https://bugzilla.novell.com/824517
http://download.novell.com/patch/finder/?keywords=b9c5f7f6584661b3c628c7965dcd5b65