
curl-library

Re: is CVE-2014-0139 fixed in libcurl-7.19.7-40.el6_6.4.x86_64

From: Patrick Rael <prael_at_lumeta.com>
Date: Wed, 18 Feb 2015 09:58:38 -0700

On 02/18/2015 09:47 AM, Paul Howarth wrote:
> On 18/02/15 16:07, Patrick Rael wrote:
>> Hi,
>> I need to confirm if the CVE-2014-0139 fix is in libcurl. Normally we do
>> this by checking the rpm changelog for CVEs; it did find CVE-2014-0138,
>> but I can't get confirmation for 0139. I see lots of comments about fixes
>> that were checked into github and showing actual lines added, but nothing
>> in the changelog, so I can't confirm it.
>>
>> # cat /etc/centos-release
>> CentOS release 6.6 (Final)
>>
>> # rpm -qa | grep curl
>> libcurl-7.19.7-40.el6_6.4.x86_64
>> python-pycurl-7.19.0-8.el6.x86_64
>> curl-7.19.7-40.el6_6.4.x86_64
>>
>> # rpm -q libcurl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
>> - fix connection re-use when using different log-in credentials
>> (CVE-2014-0138)
>>
>> # rpm -q curl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
>> - fix connection re-use when using different log-in credentials
>> (CVE-2014-0138)
>>
>>
>> Note: CentOS rpm versions don't match the Red Hat rpm versions; that's
>> why we use the changelog to check for the fix.
>
> This is news to me. In what way are they different?

For almost all CVEs of various rpms that we see, there are fixed rpms for
Red Hat, and the fix usually goes like this: update to this rpm
name-ver-rel-arch or this version. But in CentOS we can't find that
ver-rel; we find what appears to be an older ver-rel, and when we check
its changelog, there we find the fixed CVEs.

From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0139 we see this:
...
Versions 7.1 to and including 7.35.0 are affected. The flaw is fixed in
version 7.36.0
...

As I look at libcurl-7.19.7-40.el6_6.4.x86_64, I see that version 7.19.7 is
much less than 7.36.0. Am I reading it right? We have learned to just ignore
the RH "fixed-in-version" and just check the changelog of the latest CentOS
rpm pkg.

Thanks for the quick reply!

>
>> Thanks for any help!
>
> CVE-2014-0139 does not affect EL-6 because it uses the NSS backend:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1079149#c8
>
> Paul.
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

-- 
Patrick Rael
Contractor, Lumeta Corporation
Network Situational Awareness
Phone: 703-298-3276

Received on 2015-02-18
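The two checks this thread turns on, as an added shell example (not code from the thread, the curl project or Red Hat): matching a CVE id in the package changelog instead of trusting the upstream "fixed in" version, and reading the TLS backend off the first line of curl --version so that a CVE which only concerns some backends can be ruled out for a given build. The changelog text and version line are constructed samples in the shape of the outputs quoted above, and the AFFECTED_BACKENDS value is a placeholder; the real list for a CVE has to come from that CVE's advisory, and the thread only establishes that the NSS build is not affected by CVE-2014-0139.

```shell
#!/bin/sh
# Added example; not code from this thread, the curl project or Red Hat.
# Two checks that matter for a distro-built libcurl before the upstream
# "fixed in 7.36.0" line is used: (1) does the package changelog record a
# backported fix for the CVE, and (2) does this build use a TLS backend the
# CVE applies to at all. The inputs below are constructed samples shaped
# like `rpm -q libcurl --changelog` and `curl --version` output.

# changelog_mentions_cve CHANGELOG_TEXT CVE_ID  -> 0 if found, 1 if not.
# -w stops CVE-2014-013 matching CVE-2014-0138; -F treats the id literally;
# -i tolerates a lower-case "cve-".
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qiwF -- "$2"
}

# tls_backend VERSION_FIRST_LINE -> prints the TLS backend named on the first
# line of `curl --version` (the "NSS/3.16.2.3" style token after libcurl/x.y.z)
# and returns 0; prints "unknown" and returns 1 if no known backend is listed.
tls_backend() {
    for tok in $1; do
        name=${tok%%/*}
        case "$name" in
            OpenSSL|LibreSSL|BoringSSL|NSS|GnuTLS|PolarSSL|mbedTLS|wolfSSL|CyaSSL|yassl|axTLS|SecureTransport|schannel|WinSSL)
                printf '%s\n' "$name"
                return 0 ;;
        esac
    done
    printf 'unknown\n'
    return 1
}

# in_list WORD "W1 W2 ..." -> 0 if WORD is one of the space-separated words.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# assess CVE_ID CHANGELOG_TEXT VERSION_FIRST_LINE AFFECTED_BACKENDS
# Prints one verdict (and returns 1 only for "unconfirmed"):
#   fixed-by-backport     the changelog records the CVE fix
#   not-affected-backend  the build's TLS backend is not in AFFECTED_BACKENDS
#   unconfirmed           neither applies (or the backend is unknown); go to
#                         the vendor bug for this CVE, not the upstream version
assess() {
    if changelog_mentions_cve "$2" "$1"; then
        echo fixed-by-backport
        return 0
    fi
    backend=$(tls_backend "$3")
    if [ "$backend" != unknown ] && ! in_list "$backend" "$4"; then
        echo not-affected-backend
        return 0
    fi
    echo unconfirmed
    return 1
}

# Constructed samples shaped like the thread's EL6 package: the changelog
# names CVE-2014-0138 only, and the build is an NSS one.
SAMPLE_CHANGELOG='* Mon Jan 19 2015 Example Packager <packager@example.invalid> - 7.19.7-40.4
- fix connection re-use when using different log-in credentials
  (CVE-2014-0138)'
SAMPLE_VERSION='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2'

# Placeholder: the list of backends a CVE applies to must come from that CVE's
# advisory. The thread only establishes that the NSS build is not affected by
# CVE-2014-0139, so NSS is deliberately absent here.
AFFECTED_BACKENDS='OpenSSL'

# Stand-alone demo. On a real RPM system, feed in the live outputs instead:
#   assess CVE-2014-0139 "$(rpm -q libcurl --changelog)" \
#          "$(curl --version | head -n 1)" "$AFFECTED_BACKENDS"
for cve in CVE-2014-0138 CVE-2014-0139; do
    printf '%s: %s\n' "$cve" \
        "$(assess "$cve" "$SAMPLE_CHANGELOG" "$SAMPLE_VERSION" "$AFFECTED_BACKENDS")"
done
```

The verdict to watch for is "unconfirmed": an installed version older than the upstream fix, no changelog entry, and a backend the advisory names means the upstream version range settles nothing either way, and the vendor bug for that CVE is the place to look.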