The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[USN-484-1] curl vulnerability


<< Previous INDEX Search src / Print Next >>
Date: Tue, 17 Jul 2007 10:34:39 -0700
From: Kees Cook <kees@ubuntu.com.>
To: [email protected]
Subject: [USN-484-1] curl vulnerability
Message-ID: <20070717173439.GR11087@outflux.net.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="zn4k3Q+N5puqXur4"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.281 $
X-HELO: gorgon.outflux.net
X-Scanned-By: MIMEDefang 2.57 on 10.2.0.1
X-Virus-Scanned: antivirus-gw at tyumen.ru


--zn4k3Q+N5puqXur4
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=20
Ubuntu Security Notice USN-484-1              July 17, 2007
curl vulnerability
CVE-2007-3564
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libcurl3-gnutls                          7.15.1-1ubuntu2.1

Ubuntu 6.10:
  libcurl3-gnutls                          7.15.4-1ubuntu2.2

Ubuntu 7.04:
  libcurl3-gnutls                          7.15.5-1ubuntu2.1

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

It was discovered that the GnuTLS certificate verification methods
implemented in Curl did not check for expiration and activation dates.
When performing validations, tools using libcurl3-gnutls would
incorrectly allow connections to sites using expired certificates.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.1-1ubuntu2=
=2E1.diff.gz
      Size/MD5:   183225 3495d3c1b7b0f9812ff978832c31d8f9
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.1-1ubuntu2=
=2E1.dsc
      Size/MD5:      938 53a58f1db4d0112f1260c78d275c0aab
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.1.orig.tar=
=2Egz
      Size/MD5:  1769992 63be206109486d4653c73823aa2b34fa

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.15.1-=
1ubuntu2.1_all.deb
      Size/MD5:    30978 acb278121d48167cb0f3e9db406008b5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.1-1ubuntu2=
=2E1_amd64.deb
      Size/MD5:   169270 8fd332bf91134007ceaf24da11708ccf
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.1-=
1ubuntu2.1_amd64.deb
      Size/MD5:   540160 5673d9d6fcf82116353c6852a8416f90
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.1-1ubuntu2.1_amd64.deb
      Size/MD5:   716182 ec0bda4317f51ad725862516675eed6e
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E1-1ubuntu2.1_amd64.deb
      Size/MD5:   167432 5876792ccc569ddcbc436113dd611beb
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.1-1ubuntu2.1_amd64.deb
      Size/MD5:   723088 21274f88ab48e9821fc33985abbb07f7
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.1-1ubu=
ntu2.1_amd64.deb
      Size/MD5:   172480 e43c732e1e6d540f7b43218c5b86e9c9

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.1-1ubuntu2=
=2E1_i386.deb
      Size/MD5:   168134 69ac42a25f62527aa840944cc901bc10
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.1-=
1ubuntu2.1_i386.deb
      Size/MD5:   506336 76d27984aaa318f56d9067a0d19fa5c1
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.1-1ubuntu2.1_i386.deb
      Size/MD5:   699734 5e49df506a1adcff171f01fb8d434c9f
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E1-1ubuntu2.1_i386.deb
      Size/MD5:   160052 3b0c0cb10c664372254f40549a166d02
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.1-1ubuntu2.1_i386.deb
      Size/MD5:   704014 8fcd4f08a3e43688955a83bafc3ff3f7
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.1-1ubu=
ntu2.1_i386.deb
      Size/MD5:   164924 616bf253b7a11307a2286011a506ce35

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.1-1ubuntu2=
=2E1_powerpc.deb
      Size/MD5:   171800 67ec27bc7cbed2aa5008f6a352911d3c
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.1-=
1ubuntu2.1_powerpc.deb
      Size/MD5:   541294 23e8698d68d7f6552b4e14be50621a06
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.1-1ubuntu2.1_powerpc.deb
      Size/MD5:   722380 e3e939692fc21f1c84b7d8bb47cbfefd
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E1-1ubuntu2.1_powerpc.deb
      Size/MD5:   169640 b9e35693d65476da2c171c38a1705781
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.1-1ubuntu2.1_powerpc.deb
      Size/MD5:   728238 ccba1d1a54f1e655b404c3ab554d355f
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.1-1ubu=
ntu2.1_powerpc.deb
      Size/MD5:   174284 30c380963c37ccff4635b46e431f0c40

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.1-1ubuntu2=
=2E1_sparc.deb
      Size/MD5:   168952 11e523b5ea0a6a8ed122022938f2d1e3
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.1-=
1ubuntu2.1_sparc.deb
      Size/MD5:   509942 656036d90a8029426d9dd5fa80f517c6
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.1-1ubuntu2.1_sparc.deb
      Size/MD5:   709192 de1d0d8efeccde3a6b52bf2bd3e514cf
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E1-1ubuntu2.1_sparc.deb
      Size/MD5:   162602 5e14a206a09a7ddc3595289c1a35c1b8
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.1-1ubuntu2.1_sparc.deb
      Size/MD5:   713824 ceeb282e90f8c6b80d89bc3e9327c783
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.1-1ubu=
ntu2.1_sparc.deb
      Size/MD5:   166782 da0a4c662e98a1f6259da2938b9f8eef

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.4-1ubuntu2=
=2E2.diff.gz
      Size/MD5:    19451 625518d2bbd325db46f7ad4b8debb602
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.4-1ubuntu2=
=2E2.dsc
      Size/MD5:      942 cb3054669cfaa0c51fd757c7a44a3fc7
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.4.orig.tar=
=2Egz
      Size/MD5:  1870439 345f407f85bcb36075bc298afe1de953

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.15.4-=
1ubuntu2.2_all.deb
      Size/MD5:    21136 2b95b5bbaa86a48b91c8d87a705524f2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.4-1ubuntu2=
=2E2_amd64.deb
      Size/MD5:   162426 11806b9335aafa82394377a74f3d65ea
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.4-=
1ubuntu2.2_amd64.deb
      Size/MD5:   823074 c11ddf6ce511e4809288377ca4aa86a7
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.4-1ubuntu2.2_amd64.deb
      Size/MD5:   754916 04724c0ed915bcbde748bfacf10a67f8
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E4-1ubuntu2.2_amd64.deb
      Size/MD5:   163132 3785598197c9679a1d91fe8837a060d3
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.4-1ubuntu2.2_amd64.deb
      Size/MD5:   762206 966aa201d7b17f6a87203f653eb4129d
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.4-1ubu=
ntu2.2_amd64.deb
      Size/MD5:   168776 4a6f82f361c1d22dce1f0f9b0de40470

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.4-1ubuntu2=
=2E2_i386.deb
      Size/MD5:   162164 c07e1caeed913625260853ffdfbb8292
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.4-=
1ubuntu2.2_i386.deb
      Size/MD5:   793760 45fafcd13f0811bd18d60ab88d36cd84
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.4-1ubuntu2.2_i386.deb
      Size/MD5:   740392 0586b53f280bd090412b2eedd2d05c93
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E4-1ubuntu2.2_i386.deb
      Size/MD5:   160358 7cf3f3ec250428f231e4f7e51bb995b2
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.4-1ubuntu2.2_i386.deb
      Size/MD5:   746886 2660f92e5102ba65063641684c4f9974
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.4-1ubu=
ntu2.2_i386.deb
      Size/MD5:   165236 ff76d9c64e8dd24a459b36db41676d45

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.4-1ubuntu2=
=2E2_powerpc.deb
      Size/MD5:   165102 57061fd7b192ceea122997ee2bf27213
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.4-=
1ubuntu2.2_powerpc.deb
      Size/MD5:   834210 efd1b06827be6eab2561865a3408ff0c
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.4-1ubuntu2.2_powerpc.deb
      Size/MD5:   762694 d352501e7b5c265e0ce6c85c2719f1a5
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E4-1ubuntu2.2_powerpc.deb
      Size/MD5:   167004 c7cd2b73b3f64c882a0715de14ed2450
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.4-1ubuntu2.2_powerpc.deb
      Size/MD5:   768164 093a76af0add856e798c6daa08264bbe
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.4-1ubu=
ntu2.2_powerpc.deb
      Size/MD5:   171810 7776d430c0a5dbedd07e9a1ce551600f

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.4-1ubuntu2=
=2E2_sparc.deb
      Size/MD5:   162060 918b2cadf93b5db7325316ccd335e937
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.4-=
1ubuntu2.2_sparc.deb
      Size/MD5:   782900 bf43ee4867468402d58554cfc2dce35f
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.4-1ubuntu2.2_sparc.deb
      Size/MD5:   746044 c9e6206f8bd3856c27a43953f98ae08b
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E4-1ubuntu2.2_sparc.deb
      Size/MD5:   158508 d0bda91940feb11e3d5193b3ab5c11ee
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.4-1ubuntu2.2_sparc.deb
      Size/MD5:   752404 723a03cc344739a4a76ac93aa54c7413
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.4-1ubu=
ntu2.2_sparc.deb
      Size/MD5:   163744 f3bb65fc94b8421eae7c0980f76b7cec

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.5-1ubuntu2=
=2E1.diff.gz
      Size/MD5:    19959 74448240e99df445a95c3dfc9a5fedfa
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.5-1ubuntu2=
=2E1.dsc
      Size/MD5:     1017 e5ac62cfcd246daa79c8ea31fe1873d0
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.5.orig.tar=
=2Egz
      Size/MD5:  1897973 61997c0d852d38c3a85b445f4fc02892

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.15.5-=
1ubuntu2.1_all.deb
      Size/MD5:    23086 66ff60f3a9606bfcbd9161555ba98ffd

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.5-1ubuntu2=
=2E1_amd64.deb
      Size/MD5:   164778 a60ca725ef39a67311e1cf625182dd70
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.5-=
1ubuntu2.1_amd64.deb
      Size/MD5:   833362 3b2afe676373e1590e739d51e1a2effa
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.5-1ubuntu2.1_amd64.deb
      Size/MD5:   769302 46e4ce27971b0085e4e9b8621ac78325
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E5-1ubuntu2.1_amd64.deb
      Size/MD5:   166572 47c34f6db4f6ac2e279f431dfa43f919
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.5-1ubuntu2.1_amd64.deb
      Size/MD5:   774430 724da4b31b2af0e494587ea67e627c05
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.5-1ubu=
ntu2.1_amd64.deb
      Size/MD5:   171922 3740c0419c27f58699ad0cbf1f62bc9d

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.5-1ubuntu2=
=2E1_i386.deb
      Size/MD5:   163624 9b363c065850cdc5de4c0c2c8d577c8e
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.5-=
1ubuntu2.1_i386.deb
      Size/MD5:   803414 61aebe04fe304b8071dc3e3c6d599f54
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.5-1ubuntu2.1_i386.deb
      Size/MD5:   754982 46d39efe3b3cf381fa9768b206907561
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E5-1ubuntu2.1_i386.deb
      Size/MD5:   163688 9aa531b89e7a91c7dd423f61b6d1e9ea
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.5-1ubuntu2.1_i386.deb
      Size/MD5:   761626 7ca1a3498af64e00a0b14d475c318cf6
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.5-1ubu=
ntu2.1_i386.deb
      Size/MD5:   168614 c8847b248ea0a07c2880a39e8c273b24

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.5-1ubuntu2=
=2E1_powerpc.deb
      Size/MD5:   168188 fba30c479bb726600efbbe247dacdfcc
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.5-=
1ubuntu2.1_powerpc.deb
      Size/MD5:   846224 0e24e1e334bb9a9c2307a5dc06a4ea73
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.5-1ubuntu2.1_powerpc.deb
      Size/MD5:   774878 f608fffc2d89b530081ea487edc4f023
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E5-1ubuntu2.1_powerpc.deb
      Size/MD5:   173086 c88e11092d9204a6a80e23100a9e02d3
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.5-1ubuntu2.1_powerpc.deb
      Size/MD5:   783072 90e2eadef1e4e2073dd5db9b4a1b0bfb
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.5-1ubu=
ntu2.1_powerpc.deb
      Size/MD5:   178630 089d0eda4d96a7049a019e381d098ab3

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.15.5-1ubuntu2=
=2E1_sparc.deb
      Size/MD5:   164324 12f65aeaeb95a0b15e68b2f98694cf94
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.15.5-=
1ubuntu2.1_sparc.deb
      Size/MD5:   795758 a20f9a4bbc35483e8e54f278759f1015
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls-dev_=
7.15.5-1ubuntu2.1_sparc.deb
      Size/MD5:   760786 33ae03fb796e3048bb092b54fbad9814
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.15=
=2E5-1ubuntu2.1_sparc.deb
      Size/MD5:   161990 ca9d9ddf030b10d33cf71bd9bacde2cf
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-openssl-dev=
_7.15.5-1ubuntu2.1_sparc.deb
      Size/MD5:   767010 f20906df0712ffe167ac6dffb14137f5
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.15.5-1ubu=
ntu2.1_sparc.deb
      Size/MD5:   167104 fcef10350591f8799ccc2ff9f77b9035


--zn4k3Q+N5puqXur4
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGnP2vH/9LqRcGPm0RAtvXAJ4jR9mfxfvMQpi0MufJjODyhkveugCdE9d0
XLO0kfIsoZstz+S87tMOFPA=
=Q95m
-----END PGP SIGNATURE-----

--zn4k3Q+N5puqXur4--


<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру