Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201701-47 ] cURL: Multiple vulnerabilities
Date: Thu, 19 Jan 2017 19:28:31
Message-Id: 250ed97b-651c-3836-78d5-8dc25c201940@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201701-47
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: cURL: Multiple vulnerabilities
Date: January 19, 2017
Bugs: #536014, #573102, #583394, #590482, #592974, #593716,
      #597760, #603370, #603574
ID: 201701-47

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in cURL, the worst of which
could allow remote attackers to execute arbitrary code.

Background
==========

cURL is a tool and libcurl is a library for transferring data with URL
syntax.

Affected packages
=================

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
 1  net-misc/curl           < 7.52.1                    >= 7.52.1

Description
===========

Multiple vulnerabilities have been discovered in cURL. Please review
the CVE identifiers and bug reports referenced for details.

Impact
======

Remote attackers could conduct a Man-in-the-Middle attack to obtain
sensitive information, cause a Denial of Service condition, or execute
arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cURL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.52.1"
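
The following POSIX shell check is an added example and is not part of
this advisory or of the cURL project. It turns the "Vulnerable" column
of the table above (net-misc/curl < 7.52.1) into a scriptable test that
can be run across hosts before and after the upgrade. It parses the
first line of `curl --version` (the real banner format, e.g.
"curl 7.52.0 (x86_64-pc-linux-gnu) libcurl/7.52.0 ...") and, as an
assumption, a portage package atom of the form "net-misc/curl-7.52.0-r1".
Gentoo revision suffixes ("-r1") and portage suffixes ("_rc1") are
dropped before comparing, because the advisory's boundary carries none.

```shell
#!/bin/sh
# Added example, not part of GLSA 201701-47 or of cURL: decide whether a
# curl version string falls inside the advisory's vulnerable range
# ("< 7.52.1"). Assumes numeric major.minor.patch versions, optionally
# followed by a Gentoo revision ("-r1") or portage suffix ("_rc1").

FIXED_VERSION="7.52.1"   # "Unaffected" boundary from the advisory's table

# version_lt A B: exit 0 if A < B by numeric major.minor.patch comparison.
# Revision/suffix parts after "-" or "_" are ignored; a missing component
# counts as 0 (so "7.52" compares equal to "7.52.0").
version_lt() {
    a=${1%%[-_]*}
    b=${2%%[-_]*}
    i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s' "$a" | cut -d. -f"$i")
        cb=$(printf '%s' "$b" | cut -d. -f"$i")
        ca=${ca:-0}
        cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then
            return 0
        fi
        if [ "$ca" -gt "$cb" ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 1   # all three components equal: not strictly less
}

# curl_affected VERSION: exit 0 if VERSION is inside the vulnerable range.
curl_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# version_from_banner LINE: extract "7.52.0" from the first line printed
# by `curl --version`, e.g. "curl 7.52.0 (x86_64-pc-linux-gnu) libcurl/...".
version_from_banner() {
    rest=${1#"curl "}
    printf '%s\n' "${rest%% *}"
}

# version_from_atom ATOM: extract "7.52.0-r1" from a portage atom such as
# "net-misc/curl-7.52.0-r1" (assumed format of an installed-package atom).
version_from_atom() {
    printf '%s\n' "${1##*/curl-}"
}

# check_installed_curl: inspect the curl binary on this host and report.
# Exit status: 0 not affected, 1 affected, 2 curl not installed.
check_installed_curl() {
    if ! command -v curl >/dev/null 2>&1; then
        echo "curl: not installed"
        return 2
    fi
    v=$(curl --version | head -n 1)
    v=$(version_from_banner "$v")
    if curl_affected "$v"; then
        echo "curl $v: AFFECTED by GLSA 201701-47 (needs >= $FIXED_VERSION)"
        return 1
    fi
    echo "curl $v: not affected"
    return 0
}

# Demo on constructed banners (no network or portage access needed).
for sample in "curl 7.51.0 (x86_64-pc-linux-gnu) libcurl/7.51.0 OpenSSL/1.0.2j" \
              "curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2j"; do
    v=$(version_from_banner "$sample")
    if curl_affected "$v"; then
        echo "$v -> affected"
    else
        echo "$v -> fixed"
    fi
done
```

Run `check_installed_curl` on a host to test the real binary; the exit
status (0 clean, 1 affected, 2 missing) is meant for use from a fleet
inventory or configuration-management job. Note that this checks only
the curl front end; a libcurl linked into another program is covered by
the same package upgrade but is not visible through `curl --version`.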

References
==========

[ 1 ] CVE-2014-8150
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8150
[ 2 ] CVE-2014-8151
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8151
[ 3 ] CVE-2016-0755
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0755
[ 4 ] CVE-2016-3739
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3739
[ 5 ] CVE-2016-5419
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5419
[ 6 ] CVE-2016-5420
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5420
[ 7 ] CVE-2016-5421
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5421
[ 8 ] CVE-2016-7141
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7141
[ 9 ] CVE-2016-7167
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7167
[ 10 ] CVE-2016-8615
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8615
[ 11 ] CVE-2016-8616
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8616
[ 12 ] CVE-2016-8617
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8617
[ 13 ] CVE-2016-8618
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8618
[ 14 ] CVE-2016-8619
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8619
[ 15 ] CVE-2016-8620
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8620
[ 16 ] CVE-2016-8621
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8621
[ 17 ] CVE-2016-8622
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8622
[ 18 ] CVE-2016-8623
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8623
[ 19 ] CVE-2016-8624
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8624
[ 20 ] CVE-2016-8625
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8625
[ 21 ] CVE-2016-9586
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9586
[ 22 ] CVE-2016-9594
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9594

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201701-47

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
