#1234 closed defect (fixed)
Security flaws in cURL 7.13.0 (7.13.1 released)
Reported by: | Owned by: | Randy McMurchy | |
---|---|---|---|
Priority: | highest | Milestone: | |
Component: | BOOK | Version: | SVN |
Severity: | critical | Keywords: | |
Cc: |
Description
There are two security leaks in the current version of cURL.
http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities&flashstatus=false
http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities
iDefense only verified version 7.12.1, but the cURL news page doesn't state explicitly that 7.13.0 is clean. http://curl.haxx.se/news.html
Unfortunately there seems to be only one official patch for the first issue (NTLM authentication). http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.36&r2=1.37 The date of revision 1.36 confirms the suspicion that even the current version is affected.
The second issue (kerberos authentication) seems to be still unpatched. At least there is a suggestion on the website from iDefense (see the links above).
Change History (7)
by , 20 years ago
Attachment: | curl-7.13.0.ntlm_security_fix.patch added |
---|
comment:1 by , 20 years ago
Milestone: | future → 6.0 |
---|---|
op_sys: | All → Linux |
Severity: | normal → critical |
The maintainer has mentioned that a new release containing fixes for both bugs will be available in a few days.
comment:2 by , 20 years ago
Summary: | Security flaws in cURL 7.13.0 → Security flaws in cURL 7.13.0 (7.13.1 released) |
---|
Version 7.13.1 has been released with fixes for both the krb4 and NTLM issues.
comment:3 by , 20 years ago
Owner: | changed from | to
---|
comment:4 by , 20 years ago
Status: | new → assigned |
---|
comment:5 by , 20 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Updated BLFS to cURL-7.13.1
NTLM security fix