lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <m1ElnLI-000ohNC@finlandia.Infodrom.North.DE> Date: Mon Dec 12 13:07:20 2005 From: joey at infodrom.org (Martin Schulze) Subject: [SECURITY] [DSA 919-1] New curl packages fix potential security problem -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 919-1 security@...ian.org http://www.debian.org/security/ Martin Schulze December 12th, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : curl Vulnerability : buffer overflow Problem type : local (remote) Debian-specific: no CVE ID : CVE-2005-4077 CVE-2005-3185 BugTraq ID : 15756 15102 15647 Debian Bug : 342339 342696 Several problems were discovered in libcurl, a multi-protocol file transfer library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2005-3185 A vulnerability has been discovered a buffer overflow in libcurl that could allow the execution of arbitrary code. CVE-2005-4077 Stefan Esser discovered several off-by-one errors that allows local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs. For the old stable distribution (woody) these problems have been fixed in version 7.9.5-1woody1. For the stable distribution (sarge) these problems have been fixed in version 7.13.2-2sarge4. This update also includes a bugfix against data corruption. For the unstable distribution (sid) these problems have been fixed in version 7.15.1-1. We recommend that you upgrade your libcurl packages. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1.dsc Size/MD5 checksum: 603 c7980d3b9589f2ef20390a70e0b4de74 http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1.diff.gz Size/MD5 checksum: 16631 e35ec4ff7161fa158c04c8cbf716d159 http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5.orig.tar.gz Size/MD5 checksum: 682397 a4df6bb5aa8962c204e73c8f98077928 Alpha architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_alpha.deb Size/MD5 checksum: 118498 584184fdc57b0b302b1c16b293222492 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_alpha.deb Size/MD5 checksum: 195922 6a58bcdea99e866fdfbad573b3d6ef8d http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_alpha.deb Size/MD5 checksum: 116574 799b6ccd5c223cd8580c8e4fc610fef8 ARM architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_arm.deb Size/MD5 checksum: 114452 028489639e478d66a6223c7a2175cac9 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_arm.deb Size/MD5 checksum: 172978 ad531498826aaa48ec0e2eb5c2df7207 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_arm.deb Size/MD5 checksum: 101852 c7df9a970ef2f5a1ac11f6aae2c539be Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_i386.deb Size/MD5 checksum: 112954 55c016b60375a465dd139b25a9860e3b http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_i386.deb Size/MD5 checksum: 163696 c88d95d412ef529c8eebc9d21a5d6006 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_i386.deb Size/MD5 checksum: 100482 ca2e1ea6b2508888814e75101a9936bf Intel IA-64 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_ia64.deb Size/MD5 checksum: 122062 7476d36d7530caab9aa08c8c24bc7b17 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_ia64.deb Size/MD5 checksum: 210310 5ef9167039cdf11ba26f5380265e9f0e http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_ia64.deb Size/MD5 checksum: 139432 6c924348404f96a9d534485d231da013 HP Precision architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_hppa.deb Size/MD5 checksum: 116424 a94545e972184368284431251dc81bc0 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_hppa.deb Size/MD5 checksum: 186366 a9ef087b21652930a452f9aa61e17040 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_hppa.deb Size/MD5 checksum: 112976 9f67b8e55d8578f97913aef8135251cc Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_m68k.deb Size/MD5 checksum: 112776 246260a28117b2c1fc01d9754e4dc4fe http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_m68k.deb Size/MD5 checksum: 159130 3e9ce9d21bbdce3688ddbaf4f260ac2f http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_m68k.deb Size/MD5 checksum: 97160 01ce2ddf9d7a91373bc02086a0718225 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_mips.deb Size/MD5 checksum: 115468 6e64a1534418bb425a1ad1dc2be0e1f9 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_mips.deb Size/MD5 checksum: 183938 5978db39fe8acd2a4042c6f184129211 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_mips.deb Size/MD5 checksum: 105234 2e48fba8ba1392918aa0c0ad95b0d237 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_mipsel.deb Size/MD5 checksum: 115494 0c3bdfc2517c81dda03e999505711af5 http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_mipsel.deb Size/MD5 checksum: 183856 aef61efcb299d750e575eb1e8cc0a500 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_mipsel.deb Size/MD5 checksum: 105328 830278f24a115bf4dfa2a57517507faa PowerPC architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_powerpc.deb Size/MD5 checksum: 115064 36a580ccb525717018023223252a2dad http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_powerpc.deb Size/MD5 checksum: 181490 7af33b2711cea9edd18a1e0bf76b7908 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_powerpc.deb Size/MD5 checksum: 106400 362227268352e1b6345d665e46cad9f4 IBM S/390 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_s390.deb Size/MD5 checksum: 114380 e67536f6369452d7eb9c68a526b50acc http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_s390.deb Size/MD5 checksum: 167516 6a47b2681d358a72dd2da46cd282cde3 http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_s390.deb Size/MD5 checksum: 104362 f48b9e5257fb2d933676f1bdedf65700 Sun Sparc architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_sparc.deb Size/MD5 checksum: 114212 dcc862dfac0b145a85dd41ee26b8f68a http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_sparc.deb Size/MD5 checksum: 173280 9d4005552173802f517f84c7b7ff6e7c http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_sparc.deb Size/MD5 checksum: 107954 1bcfdf01ff3c281aca72220de9c36285 Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4.dsc Size/MD5 checksum: 810 da7861471f869f9a9ec5134d5fd38d19 http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4.diff.gz Size/MD5 checksum: 171255 d385dd607b786b7f850a9f24babcc65a http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2.orig.tar.gz Size/MD5 checksum: 2201086 b3bd4a303f35f9a2a3ed3671cedf8329 Alpha architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_alpha.deb Size/MD5 checksum: 150884 bd55a60b515ee8c2465fd17f7de29d50 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_alpha.deb Size/MD5 checksum: 251276 2f8cc5197eb54c78b18f25f63207d286 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_alpha.deb Size/MD5 checksum: 1010862 797c1b435ae57f09704840682615fed9 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_alpha.deb Size/MD5 checksum: 1279412 1d9b9bcaeb4f55b4e1029ab24b74cb7f http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_alpha.deb Size/MD5 checksum: 132164 b81c4278c3cbdf9c78266ca451110745 AMD64 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_amd64.deb Size/MD5 checksum: 148002 b56233f49b100362e368b03e66218720 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_amd64.deb Size/MD5 checksum: 239260 d13d8eaecec3d63810e1ed73a6268ee2 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_amd64.deb Size/MD5 checksum: 1004100 712cffdd8bb0678bbd5372f8038bf743 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_amd64.deb Size/MD5 checksum: 1237918 5b7ab2089d6c421223ab1d5bca45ccc8 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_amd64.deb Size/MD5 checksum: 119332 a29338d6eebb002f76b64eb8db25669d ARM architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_arm.deb Size/MD5 checksum: 147036 4d7dd6a1e18101e9f82ca47bd71adee6 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_arm.deb Size/MD5 checksum: 232254 7e7aa0f0d63d809380c5cf16a7bd9998 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_arm.deb Size/MD5 checksum: 1006512 1b6bba8334374b9a0973834db013deec http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_arm.deb Size/MD5 checksum: 1236324 d6e759826948dfc0b85100aa0721acbd http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_arm.deb Size/MD5 checksum: 112850 6a4bb805155911126e0da34c9a69caba Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_i386.deb Size/MD5 checksum: 146622 b5c28b5df70be2f14ccc38ba76445184 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_i386.deb Size/MD5 checksum: 237394 deeefb82e0e50917d334cd58e941c703 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_i386.deb Size/MD5 checksum: 1003560 5a072f044f577601edf276a80eee1a16 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_i386.deb Size/MD5 checksum: 1223642 101c390bd001489d4338f18b64c7564f http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_i386.deb Size/MD5 checksum: 118476 0b34194348da0cf2e73833791321f8be Intel IA-64 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_ia64.deb Size/MD5 checksum: 156700 c40c8b873384b31606d0f86f62f87d62 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_ia64.deb Size/MD5 checksum: 279198 15bb908f6a841d8ffab2051484691d6d http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_ia64.deb Size/MD5 checksum: 1014686 c515f26ae840693a7af303b939e533de http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_ia64.deb Size/MD5 checksum: 1293752 a96384202ca09ebb218eb7ab0872da4d http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_ia64.deb Size/MD5 checksum: 160754 e197fcb10908f1201b12105d6a4fe988 HP Precision architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_hppa.deb Size/MD5 checksum: 150516 e80d05b29994e4a4aa921a060f1aaa4a http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_hppa.deb Size/MD5 checksum: 251178 95c1f4a011dd7509e631326175c6f4ac http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_hppa.deb Size/MD5 checksum: 1002034 069328e53c666557d876adc4c7df762a http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_hppa.deb Size/MD5 checksum: 1253588 66b90d2a50a329df1a6d2deb5db11caf http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_hppa.deb Size/MD5 checksum: 132258 345e3389c3d58356d4324b6cb09b4ce1 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_m68k.deb Size/MD5 checksum: 144622 dcd9d447dc466637937f1390df4efe8c http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_m68k.deb Size/MD5 checksum: 227834 d354dcd599d04d9c592b8fdbbe833775 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_m68k.deb Size/MD5 checksum: 998522 83c7e2d7474f2bc623d3fa19db556c94 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_m68k.deb Size/MD5 checksum: 1211958 a3e925c82c058b01971a781462d56fe9 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_m68k.deb Size/MD5 checksum: 108658 c59d11114a8209e7fec2b5fd608e3864 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_mips.deb Size/MD5 checksum: 149912 722a66107541a6d2ae823f46b1459743 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_mips.deb Size/MD5 checksum: 237422 08c3c48899e33babbc9bc8f3d8b8d97d http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_mips.deb Size/MD5 checksum: 1007542 26b4bee9ab3ece84e1a2ef5bc0cfa815 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_mips.deb Size/MD5 checksum: 1246952 ab4a46b14f124baad25a1c15e5f84f5d http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_mips.deb Size/MD5 checksum: 118446 76a1ed48d045c6eec4ac3a9246adf369 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_mipsel.deb Size/MD5 checksum: 150000 68e58cb1e4a76411d44f0cc28bed3dac http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_mipsel.deb Size/MD5 checksum: 237988 53b75c49f88e29ea3b0615a33d1d179f http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_mipsel.deb Size/MD5 checksum: 1010926 a31f246e13a31e422d6abd4637e7d79f http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_mipsel.deb Size/MD5 checksum: 1247194 ae4a7ceb8e33c0f6d6e0ea017c1fd5a7 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_mipsel.deb Size/MD5 checksum: 118908 499638c1e407f837d438eb3ee25b71c5 PowerPC architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_powerpc.deb Size/MD5 checksum: 150630 9d498e220cf3f1ea0bed9eba37895994 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_powerpc.deb Size/MD5 checksum: 243434 e115acf14a63f9c2a19d42b1963ca7a0 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_powerpc.deb Size/MD5 checksum: 1640952 fa15696dc540f1615672417c997761b3 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_powerpc.deb Size/MD5 checksum: 1245276 db89abb638e975cdbcc0381b4123ea10 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_powerpc.deb Size/MD5 checksum: 124126 78380f53d3d3656f87ea7d407e0ecd37 IBM S/390 architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_s390.deb Size/MD5 checksum: 148600 4660101e4a8bd44eb68ef9ea80d95502 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_s390.deb Size/MD5 checksum: 246602 de14f2625c352dc0f96981759b7ae94d http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_s390.deb Size/MD5 checksum: 1025394 ea2821337cbbefffa7833cc8f2f73aae http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_s390.deb Size/MD5 checksum: 1240726 1942bd69e7d06c8fa4f0aefda94a2b54 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_s390.deb Size/MD5 checksum: 127424 a7412a250bd42c0cfe74d054a76e4352 Sun Sparc architecture: http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_sparc.deb Size/MD5 checksum: 147624 92c2113d31613a17dad62bf4585bb96d http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_sparc.deb Size/MD5 checksum: 236962 defcd15ad18e2110105685aa592c36cb http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_sparc.deb Size/MD5 checksum: 996594 515599851d6c7bc75edd4bd2a85e1b22 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_sparc.deb Size/MD5 checksum: 1232322 4680ad497ca64e90d3a8cfc10f134ca7 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_sparc.deb Size/MD5 checksum: 117968 8b50fcf2af77f3f5b075797c3f5db265 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@...ts.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD4DBQFDnXUzW5ql+IAeqTIRAmxbAJji1JPfzDpUQi+smmNU5/TsirpDAJ40kBPm yi4IyEbiGOj4PQSTFUBrog== =w5uH -----END PGP SIGNATURE-----