Message-ID: <20051014133155.GB13924@piware.de>
Date: Fri Oct 14 14:32:12 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-205-1] Curl and wget vulnerabilities
===========================================================
Ubuntu Security Notice USN-205-1           October 14, 2005
curl, wget vulnerabilities
CAN-2005-3185
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libcurl2
libcurl3
wget

The problem can be corrected by upgrading the affected package to the
following versions:

Ubuntu 4.10:
  libcurl2 7.12.0.is.7.11.2-1ubuntu0.2

Ubuntu 5.04:
  libcurl2 1:7.11.2-12ubuntu3.2
  libcurl3 7.12.3-2ubuntu3.2

Ubuntu 5.10:
  libcurl3 7.14.0-2ubuntu1.1
  wget 1.10-2ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes. However, if you have the Apache web server
installed, you need to restart it with

  sudo /etc/init.d/apache2 restart

to make sure that Apache uses the updated Curl library.
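
Added example (not part of the original advisory): one way to confirm that no running process, Apache included, still maps the pre-upgrade Curl library, by looking for unlinked libcurl files in Linux /proc/<pid>/maps. The sample maps excerpt, its paths and the function names are constructed for illustration.

```python
import os

DELETED = " (deleted)"  # suffix the Linux kernel appends to unlinked mapped files

def stale_libs(maps_text, needle="libcurl"):
    """Return paths of mapped files matching `needle` that were unlinked after mapping."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # addr perms offset dev inode [pathname]
        if len(fields) < 6:
            continue                      # anonymous mapping, no backing file
        path = fields[5].strip()
        if path.endswith(DELETED) and needle in os.path.basename(path):
            stale.add(path[: -len(DELETED)])
    return stale

def scan(proc_root="/proc", needle="libcurl"):
    """Map pid -> stale library paths for every process whose maps file is readable."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue                      # not a process directory
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                found = stale_libs(fh.read(), needle)
        except OSError:
            continue                      # process exited or access denied; skip it
        if found:
            hits[int(entry)] = sorted(found)
    return hits

# Constructed maps excerpt: an Apache worker that was started before the upgrade.
SAMPLE_MAPS = """\
08048000-080a1000 r-xp 00000000 08:01 41231 /usr/sbin/apache2
b7c10000-b7c3e000 r-xp 00000000 08:01 52210 /usr/lib/libcurl.so.3.0.0 (deleted)
b7c3e000-b7c40000 rw-p 0002d000 08:01 52210 /usr/lib/libcurl.so.3.0.0 (deleted)
b7d00000-b7e25000 r-xp 00000000 08:01 52001 /lib/tls/i686/cmov/libc-2.3.5.so
bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(stale_libs(SAMPLE_MAPS))
    print(scan())                         # run as root to see every process
```

Any process reported by scan() is still executing the old library code and needs a restart, whether or not it is Apache.
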

Details follow:

A buffer overflow has been found in the NTLM authentication handler of
the Curl library and wget. By tricking a user or automatic system
that uses the Curl library, the curl application, or wget into
visiting a specially-crafted web site, a remote attacker could exploit
this to execute arbitrary code with the privileges of the calling
user.

The Ubuntu 4.10 and 5.04 versions of wget are not affected by this.