curl-library

Re: is CVE-2014-0139 fixed in libcurl-7.19.7-40.el6_6.4.x86_64

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 18 Feb 2015 18:24:08 +0100

On Wednesday 18 February 2015 09:58:38 Patrick Rael wrote:
> For almost all CVEs of various rpms that we see there are fixed rpms for
> redhat,
> the fix usually goes like this: update to this rpm name-ver-rel-arch or
> this version.
> But we find that in CentOS we can't find that ver-rel, but we find what
> appears to be
> an older ver-rel, and we check the changelog and there we find the fixed
> CVEs.
>
> From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0139 we see this:
> ...
> Versions 7.1 to and including 7.35.0 are affected. The flaw is fixed in
> version 7.36.0
> ...
>
> As I look at libcurl-7.19.7-40.el6_6.4.x86_64 , I see 7.19.7 version is
> much less than 7.36.0.
> Am I reading it right? We have learned to just ignore the RH
> "fixed-in-version" and just
> check the changelog of the latest CentOS rpm pkg.

You are mixing upstream versioning with RHEL/CentOS versioning. It is true
that it was fixed in upstream version 7.36.0. However, you cannot expect us
to rebase curl in Enterprise Linux because of a relatively isolated security
fix. We usually just cherry-pick the fixes from upstream and apply them on
the enterprise version of curl.

As Paul already pointed out, you need to look at the statement in Bugzilla
(instead of the "Fixed In Version" field) to check whether the vulnerability
is fixed in a particular version of RHEL.

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-02-18
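The distinction Kamil draws above, between the upstream version string and the distribution's backported fix, is easy to get wrong in an automated scanner. The following script is an added example, not code from the thread or from the curl project: it contrasts a naive upstream-version comparison with a check of the package changelog, which is where a cherry-picked fix is recorded. The changelog text is a constructed sample in the format `rpm -q --changelog` prints; only the CVE id and the 7.19.7 / 7.36.0 version numbers come from the thread. It assumes GNU `sort -V` for version ordering.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide whether a CVE is
# addressed in a distribution package by reading the package changelog, where
# a backported fix is recorded, instead of comparing the upstream version,
# which stays behind on RHEL/CentOS after a cherry-pick.

# Constructed sample in the shape of `rpm -q --changelog libcurl` output.
# The entry wording and maintainer are made up for this example; on a real
# system replace it with:  rpm -q --changelog libcurl
SAMPLE_CHANGELOG='* Mon Feb 16 2015 Example Maintainer <maintainer@example.com> - 7.19.7-40.4
- backport upstream fix for CVE-2014-0139

* Thu Sep 11 2014 Example Maintainer <maintainer@example.com> - 7.19.7-40
- rebuild for el6_6'

# Naive approach: compare the package upstream version with the "fixed in"
# version from the upstream advisory. Prints "vulnerable" when the installed
# version sorts before the fixed one. Against a backported fix this is a
# false positive, which is exactly the confusion in the thread.
# usage: naive_version_check INSTALLED_VERSION FIXED_IN_VERSION
naive_version_check() {
    installed=$1 fixed=$2
    # sort -V (GNU coreutils) orders version strings numerically per field;
    # if the installed version is the lower of the two and they differ, it
    # predates the upstream fix.
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    if [ "$installed" = "$fixed" ] || [ "$lowest" != "$installed" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Changelog approach: the CVE id appears in the entry that carried the fix.
# usage: changelog_check CVE_ID CHANGELOG_TEXT
changelog_check() {
    cve=$1 changelog=$2
    # -F: fixed-string match; -w: whole word, so CVE-2014-0139 does not
    # match CVE-2014-01390; -q: only the exit status is used.
    if printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# The case from the thread: libcurl 7.19.7 on el6 versus upstream 7.36.0.
echo "version comparison:  $(naive_version_check 7.19.7 7.36.0)"
echo "changelog lookup:    $(changelog_check CVE-2014-0139 "$SAMPLE_CHANGELOG")"
```

The two lines printed at the end disagree on purpose: the version comparison reports the package as vulnerable while the changelog shows the fix was backported. The changelog check is also only as good as the maintainer's habit of naming CVE ids in entries, so the Bugzilla statement Kamil points to remains the authoritative source.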