[USN-484-1] curl vulnerability
Date: Tue, 17 Jul 2007 10:34:39 -0700
From: Kees Cook <kees@ubuntu.com>
===========================================================
Ubuntu Security Notice USN-484-1 July 17, 2007
curl vulnerability
CVE-2007-3564
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libcurl3-gnutls 7.15.1-1ubuntu2.1
Ubuntu 6.10:
libcurl3-gnutls 7.15.4-1ubuntu2.2
Ubuntu 7.04:
libcurl3-gnutls 7.15.5-1ubuntu2.1
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
It was discovered that the GnuTLS certificate verification methods
implemented in Curl did not check for expiration and activation dates.
When performing validations, tools using libcurl3-gnutls would
incorrectly allow connections to sites using expired certificates.
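
The missing check described above, shown as an added example that is not curl's code or the actual patch: a verifier that ignores certificate dates beside one that enforces the activation/expiration window. The struct, enum and function names are hypothetical; with GnuTLS the two dates would be read with gnutls_x509_crt_get_activation_time() and gnutls_x509_crt_get_expiration_time().

```c
#include <stdio.h>
#include <time.h>

/* Constructed stand-in for what a TLS client learns about the peer
 * certificate. The GnuTLS getters named in the lead-in return
 * (time_t)-1 when a date cannot be read. */
struct peer_cert {
    int chain_trusted;   /* 1 if the signature chain verified */
    time_t not_before;   /* activation date */
    time_t not_after;    /* expiration date */
};

enum verdict { CERT_OK, CERT_UNTRUSTED, CERT_NO_DATES,
               CERT_NOT_YET_VALID, CERT_EXPIRED };

/* Flawed behaviour the advisory describes: dates are never consulted,
 * so an expired certificate with a trusted chain is accepted. */
enum verdict verify_without_dates(const struct peer_cert *c)
{
    return c->chain_trusted ? CERT_OK : CERT_UNTRUSTED;
}

/* Hardened form: fail closed on unreadable dates, then enforce the
 * validity window against the current time. */
enum verdict verify_with_dates(const struct peer_cert *c, time_t now)
{
    if (!c->chain_trusted)
        return CERT_UNTRUSTED;
    if (c->not_before == (time_t)-1 || c->not_after == (time_t)-1)
        return CERT_NO_DATES;
    if (now < c->not_before)
        return CERT_NOT_YET_VALID;
    if (now > c->not_after)
        return CERT_EXPIRED;
    return CERT_OK;
}

int main(void)
{
    /* Constructed sample: trusted chain, leaf expired one day before "now". */
    time_t now = 1184693679; /* constructed timestamp */
    struct peer_cert expired = { 1, now - 365 * 86400, now - 86400 };
    printf("without dates: %d, with dates: %d\n",
           verify_without_dates(&expired), verify_with_dates(&expired, now));
    return 0;
}
```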
Updated packages for Ubuntu 6.06 LTS:
Updated packages for Ubuntu 6.10:
Updated packages for Ubuntu 7.04: