You are here
Home > Preporuke > Sigurnosni propusti programskog paketa curl

Sigurnosni propusti programskog paketa curl

==========================================================================
Ubuntu Security Notice USN-2167-1
April 14, 2014

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 13.10
– Ubuntu 12.10
– Ubuntu 12.04 LTS
– Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
– curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Steve Holme discovered that libcurl incorrectly reused wrong connections
when using protocols other than HTTP and FTP. This could lead to the use of
unintended credentials, possibly exposing sensitive information.
(CVE-2014-0138)

Richard Moore discovered that libcurl incorrectly validated wildcard SSL
certificates that contain literal IP addresses. An attacker could possibly
exploit this to perform a man in the middle attack to view sensitive
information or alter encrypted communications. (CVE-2014-0139)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
libcurl3 7.32.0-1ubuntu1.4
libcurl3-gnutls 7.32.0-1ubuntu1.4
libcurl3-nss 7.32.0-1ubuntu1.4

Ubuntu 12.10:
libcurl3 7.27.0-1ubuntu1.9
libcurl3-gnutls 7.27.0-1ubuntu1.9
libcurl3-nss 7.27.0-1ubuntu1.9

Ubuntu 12.04 LTS:
libcurl3 7.22.0-3ubuntu4.8
libcurl3-gnutls 7.22.0-3ubuntu4.8
libcurl3-nss 7.22.0-3ubuntu4.8

Ubuntu 10.04 LTS:
libcurl3 7.19.7-1ubuntu1.7
libcurl3-gnutls 7.19.7-1ubuntu1.7

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2167-1
CVE-2014-0138, CVE-2014-0139

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.32.0-1ubuntu1.4
https://launchpad.net/ubuntu/+source/curl/7.27.0-1ubuntu1.9
https://launchpad.net/ubuntu/+source/curl/7.22.0-3ubuntu4.8
https://launchpad.net/ubuntu/+source/curl/7.19.7-1ubuntu1.7

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird – http://www.enigmail.net/

iQIbBAEBCgAGBQJTTCkaAAoJEGVp2FWnRL6TNKQP9jd1tgrx8sz+X2Gkwpu5bF5o
hy+XHplUVurnfjN4/gsV/QY+cTfU2gh16njvIzftcsqAkSZCwEb7a4h251UatAuY
82gnBUyrSYYrCxCC4JELwHRK6KidELhvDIKe7qh+ypsX5DODGCjMbbRF0RzRohD7
GJpbLvRpWjOJIKai24xY664i9xcQWaER8iOuBAfQTGpsL0j7Zhcx1etG48XO3GHY
l1RCocqNlx4jeFkuOPdlCaBxzDZwgW1JO21NlmqiuHCzr+A6m7YsuBez8daPpMCr
UwF3aj2ikgbU2twVJ6wkURyaDv7KRydXN8HTTRRdtR/5zbJwJ7GrT8AZO7uBBq6L
1fsK8n4z80U2NqlXtLpAulAHM2w+B9cL4hoYwGQNVOyn8aeS/mvnbNUZq5L6LfnZ
LKBLhdZpuL/xK9Y5Wv+vqgtHkE0J3+OoK+AmVfusGpXS1wm5n1qxCSuR22UIRPS1
a2qVh+z/ZT8lXPU2i2z6lCl/pF8f9KL43WI6gAbhI7u5zJ0efbOUwBkmvuGggjV9
Twm1IJfmrfzj7L6YgONFGLo4YfPKjshtk30XKfJwFaRNpiUKSNgajd8bTShcm1Nv
b8VlHY2YZuFtSb3gmTKqsUYBpsltXznLAhEXbTfuRia/JB1n1WAgESeix4QO7zO6
o1CYDeUrJsydA0I1a2A=
=SUUk
—–END PGP SIGNATURE—–

Top
More in Preporuke
Ranjivost programskog paketa strongswan

Otkrivena je ranjivost u charon pozadinskom procesu za upravljanje IKEv2 u programskom paketu strongswan. Ranjivost se očitovala neispravnim upravljanjem pojedinih...

Close