curl: CVE-2013-0249

Related Vulnerabilities: CVE-2013-0249  

Debian Bug report logs - #700002
curl: CVE-2013-0249


Package: curl; Maintainer for curl is Alessandro Ghedini <ghedo@debian.org>; Source for curl is src:curl (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 7 Feb 2013 08:39:02 UTC

Severity: grave

Tags: patch, security

Found in versions curl/7.26.0-1, curl/7.28.0-3, curl/7.28.1-1

Fixed in versions curl/7.29.0-1, curl/7.26.0-1+wheezy1
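The "Found in" and "Fixed in" lines above are the data a defender actually needs from this bug: which Debian curl versions are affected and which carry the fix. The following is an added example, not part of the bug log or of Debian's tooling: a Python check that compares an installed curl package version against those lists using a port of dpkg's version-ordering rules (epoch, upstream, revision; "~" sorting before everything). The rule that a stable backport such as 7.26.0-1+wheezy1 only covers packages built from the same upstream version, while the new upstream release 7.29.0-1 covers everything at or above it, is an assumption about how to read the metadata, not something the bug log states.

```python
"""Check whether an installed Debian curl version is covered by the fix for
Debian bug #700002 / CVE-2013-0249, using the 'Found in' / 'Fixed in'
versions from the bug metadata.  Added example, not part of the bug log."""
import subprocess
import sys
from functools import cmp_to_key

# Versions copied from the bug report header.
FOUND_IN = ["7.26.0-1", "7.28.0-3", "7.28.1-1"]
FIXED_IN = ["7.29.0-1", "7.26.0-1+wheezy1"]


def _order(c):
    """Sort weight of one character in dpkg's version ordering: '~' sorts
    before everything (even the end of the string), letters before other
    non-digits; digits are compared numerically in _verrevcmp()."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate between lexical comparison of
    non-digit runs and numeric comparison of digit runs."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":  # leading zeros do not matter numerically
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():  # a has more digits: numerically larger
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:  # no '-' at all: rpartition put everything in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """dpkg-style comparison of two Debian version strings: -1, 0 or 1."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed):
    """True if `installed` is at or past a fix for this bug.

    Assumed reading of the metadata: a fixed version with the same upstream
    version (the wheezy backport) covers that upstream line; otherwise the
    newest fixed version (the 7.29.0 upstream release) must be reached."""
    ep, up, _ = parse_version(installed)
    for fixed in FIXED_IN:
        fep, fup, _ = parse_version(fixed)
        if (ep, up) == (fep, fup) and compare_versions(installed, fixed) >= 0:
            return True
    newest = max(FIXED_IN, key=cmp_to_key(compare_versions))
    return compare_versions(installed, newest) >= 0


def installed_curl_version():
    """Ask dpkg for the installed curl version; None if unavailable."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "curl"],
                             capture_output=True, text=True, check=True)
        return out.stdout.strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else installed_curl_version()
    if version is None:
        sys.exit("usage: check_700002.py <debian-version> (or run on a Debian host with curl installed)")
    state = "fixed" if is_fixed(version) else "VULNERABLE (CVE-2013-0249)"
    print(f"curl {version}: {state}")
```

Run it with a version string as the argument, or with no argument on a Debian host to query dpkg directly. The three "Found in" versions come out as vulnerable, both "Fixed in" versions as fixed, and 7.28.x packages (which are newer than the wheezy backport but do not contain the fix) are correctly reported as vulnerable because they are compared against 7.29.0-1 rather than against 7.26.0-1+wheezy1.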

Done: Alessandro Ghedini <ghedo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#700002; Package curl. (Thu, 07 Feb 2013 08:39:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Thu, 07 Feb 2013 08:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2013-0249
Date: Thu, 07 Feb 2013 09:33:51 +0100

Package: curl
Severity: grave
Tags: security
Justification: user security hole

http://curl.haxx.se/docs/adv_20130206.html

Remember we're in freeze, so please upload only the minimal security fix.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#700002; Package curl. (Fri, 08 Feb 2013 16:54:07 GMT)


Acknowledgement sent to Alessandro Ghedini <alessandro@ghedini.me>:
Extra info received and forwarded to list. Copy sent to Alessandro Ghedini <ghedo@debian.org>. (Fri, 08 Feb 2013 16:54:08 GMT)


Message #10 received at 700002@bugs.debian.org:

From: Alessandro Ghedini <alessandro@ghedini.me>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 700002@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#700002: curl: CVE-2013-0249
Date: Fri, 8 Feb 2013 17:50:49 +0100

tags 700002 patch
kthxbye

On Thu, Feb 7, 2013 at 9:33 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> Package: curl
> Severity: grave
> Tags: security
> Justification: user security hole
>
> http://curl.haxx.se/docs/adv_20130206.html
>
> Remember we're in freeze, so please upload only the minimal security fix.

The patch is available at http://curl.haxx.se/curl-sasl.patch

I'll be able to prepare the uploads only on Saturday evening/Sunday, so if you
want to do an NMU for wheezy earlier than that please go ahead.



Added tag(s) patch. Request was from Alessandro Ghedini <alessandro@ghedini.me> to control@bugs.debian.org. (Fri, 08 Feb 2013 16:54:09 GMT)


Marked as found in versions curl/7.26.0-1. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Sun, 10 Feb 2013 14:39:09 GMT)


Marked as found in versions curl/7.28.0-3. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Sun, 10 Feb 2013 14:39:10 GMT)


Marked as found in versions curl/7.28.1-1. Request was from Alessandro Ghedini <ghedo@debian.org> to control@bugs.debian.org. (Sun, 10 Feb 2013 14:39:11 GMT)


Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Mon, 11 Feb 2013 14:51:09 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 11 Feb 2013 14:51:09 GMT)


Message #23 received at 700002-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 700002-close@bugs.debian.org
Subject: Bug#700002: fixed in curl 7.29.0-1
Date: Mon, 11 Feb 2013 14:48:19 +0000

Source: curl
Source-Version: 7.29.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 11 Feb 2013 14:48:03 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.29.0-1
Distribution: unstable
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description: 
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 700002
Changes: 
 curl (7.29.0-1) unstable; urgency=high
 .
   * New upstream release
     - Fix buffer overflow when negotiating SASL DIGEST-MD5 authentication
       as per CVE-2013-0249 (Closes: #700002)
       http://curl.haxx.se/docs/adv_20130206.html
     - Set urgency=high accordingly
   * Install all the examples
   * Update 90_gnutls.patch and 99_nss.patch
   * Refresh patches
   * Correctly pass CPPFLAGS to ./configure
   * Upload to unstable
Checksums-Sha1: 
 16f2e1b240b4dc8e1fafed70ebc68d050cf6bc23 2507 curl_7.29.0-1.dsc
 6f5fd02bd9db83d5a1e2f52c8fa3566a60eda4f1 3260535 curl_7.29.0.orig.tar.gz
 af75eb715fb641e338eeaa6464d6b2a8f84c4f43 30838 curl_7.29.0-1.debian.tar.gz
 92b29250e4034a2712bba9fa85a93d9e05823406 281992 curl_7.29.0-1_amd64.deb
 36ee3149ed673560ca6509d66311a5c767426dcc 333804 libcurl3_7.29.0-1_amd64.deb
 976a607ef095052eeac31156dde5eefcefc5f90c 325306 libcurl3-gnutls_7.29.0-1_amd64.deb
 742c7fb492324ef925de11ac991100691b5adab1 331552 libcurl3-nss_7.29.0-1_amd64.deb
 dc0c74dac3cc98bf86902de570b3fa59b6d82964 1358788 libcurl4-openssl-dev_7.29.0-1_amd64.deb
 610f112f02cc0fefbce7299f1d0168a11e271709 1346474 libcurl4-gnutls-dev_7.29.0-1_amd64.deb
 beba1d50c50a63a32595bb5a60167a2fca3cfbf6 1353002 libcurl4-nss-dev_7.29.0-1_amd64.deb
 4932be0cf374ec4d197df6ee04bba99b28aa6784 3465662 libcurl3-dbg_7.29.0-1_amd64.deb
Checksums-Sha256: 
 a7ca42cc2f005c35da90f068f06799a966bc2b5f8a6529bb5aa1ba8f683a09b4 2507 curl_7.29.0-1.dsc
 67dc5b952ac489191b62dbe95b18d336b821649f61404a280186c72e8cd0b9d6 3260535 curl_7.29.0.orig.tar.gz
 2e774616fa0b678bff17100dea3ba5ca6cfd7620be7a37889bcda59b2b0b26b9 30838 curl_7.29.0-1.debian.tar.gz
 30fa98626839e7eb905122ddea68cee60b749770292b69701388c43c86fe2a3f 281992 curl_7.29.0-1_amd64.deb
 f5af515f5a290dd5d6373f029657ddc507f777d381f6bd8fd4def084047a5074 333804 libcurl3_7.29.0-1_amd64.deb
 8ff2bcdeeb4c010af663af61561fbaa87c47282cc8e5180eb20c0d2abe42e187 325306 libcurl3-gnutls_7.29.0-1_amd64.deb
 f674a19656edaedc6da71fad394a75be46ea2d3817b28875a8dd1752aba562e5 331552 libcurl3-nss_7.29.0-1_amd64.deb
 6bafdabfa03c40b30b619d70dfc0a054b51b13922c2fda28d87d9aed5d1c839a 1358788 libcurl4-openssl-dev_7.29.0-1_amd64.deb
 856e20a9800858d14bd512053a289fe6bb7b5b29fa2bf6c4d904c75b4d4bbebd 1346474 libcurl4-gnutls-dev_7.29.0-1_amd64.deb
 fed5dc9a6fccd8610f564abb76f5761479e7549230a2f781fb66d8d4e72f8f44 1353002 libcurl4-nss-dev_7.29.0-1_amd64.deb
 f67c3e443df636f215f9f84ef454e7037917faf2528dcb4a16f9e61c618ffcee 3465662 libcurl3-dbg_7.29.0-1_amd64.deb
Files: 
 765a5d5632fc22eae4ec6389c2d5e79a 2507 web optional curl_7.29.0-1.dsc
 4f57d3b4a3963038bd5e04dbff385390 3260535 web optional curl_7.29.0.orig.tar.gz
 92573ea1fd611afb48f61a34c669028c 30838 web optional curl_7.29.0-1.debian.tar.gz
 2fb712c1e8518e8587154552f458546f 281992 web optional curl_7.29.0-1_amd64.deb
 940c5137ffb5838d33bbe83c3a34f7c9 333804 libs optional libcurl3_7.29.0-1_amd64.deb
 6a02284e483634f7655b8305558939fa 325306 libs optional libcurl3-gnutls_7.29.0-1_amd64.deb
 8fbc7a50b161c0a55e72f5c9c08a27cc 331552 libs optional libcurl3-nss_7.29.0-1_amd64.deb
 3b35db53e0d836235eff48fbb14da252 1358788 libdevel optional libcurl4-openssl-dev_7.29.0-1_amd64.deb
 7f7fcc59ca0e2a4f81372c2225283ca3 1346474 libdevel optional libcurl4-gnutls-dev_7.29.0-1_amd64.deb
 58e631f043a09e8ece878b15cb213060 1353002 libdevel optional libcurl4-nss-dev_7.29.0-1_amd64.deb
 55d7f8cee133aef4f66904f88505d381 3465662 debug extra libcurl3-dbg_7.29.0-1_amd64.deb


Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Tue, 12 Feb 2013 11:36:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 12 Feb 2013 11:36:03 GMT)


Message #28 received at 700002-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 700002-close@bugs.debian.org
Subject: Bug#700002: fixed in curl 7.26.0-1+wheezy1
Date: Tue, 12 Feb 2013 11:32:32 +0000

Source: curl
Source-Version: 7.26.0-1+wheezy1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 10 Feb 2013 19:14:47 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.26.0-1+wheezy1
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description: 
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 700002
Changes: 
 curl (7.26.0-1+wheezy1) testing-proposed-updates; urgency=high
 .
   * Fix buffer overflow when negotiating SMTP DIGEST-MD5 authentication
     as per CVE-2013-0249 (Closes: #700002)
     http://curl.haxx.se/docs/adv_20130206.html
   * Set urgency=high accordingly
Checksums-Sha1: 
 8c87692f8fbbccb9a20329708cd3f3c3a4153e18 2531 curl_7.26.0-1+wheezy1.dsc
 83370e7dad0211d002f6fd64ca640885c52aa178 30433 curl_7.26.0-1+wheezy1.debian.tar.gz
 23eb5b69c620ee2053d901e2d1442b54d98e9137 269708 curl_7.26.0-1+wheezy1_amd64.deb
 949365c8fa3a51e5d4526056e72f57763d7aef68 330666 libcurl3_7.26.0-1+wheezy1_amd64.deb
 a5de06bd7cf1b9d95d2f6b469a60510b3f36fcd8 321504 libcurl3-gnutls_7.26.0-1+wheezy1_amd64.deb
 9c719f1cef1be3c0aa398ff5ae46d1e638bbe2f9 328192 libcurl3-nss_7.26.0-1+wheezy1_amd64.deb
 8d2a20ad3d493b99e0610dac4c8812befc089760 1269944 libcurl4-openssl-dev_7.26.0-1+wheezy1_amd64.deb
 0dc5b3fab0b70e9d26f767b74c6d041d5429de86 1258122 libcurl4-gnutls-dev_7.26.0-1+wheezy1_amd64.deb
 49680dafa4627f2f283c3855a800ff06139bea30 1265036 libcurl4-nss-dev_7.26.0-1+wheezy1_amd64.deb
 83cb9e8247cd4238f6db55fd57c68f5dc71a759c 3296072 libcurl3-dbg_7.26.0-1+wheezy1_amd64.deb
Checksums-Sha256: 
 e5b555d42b490e3110b885a96a7487239949a7aff5099e250cebb8b11ae78ae1 2531 curl_7.26.0-1+wheezy1.dsc
 84d4dceab6eb7f778932f3a02e042ed0d804a6e64b3c8870c3c0201fad1ddc71 30433 curl_7.26.0-1+wheezy1.debian.tar.gz
 590eba24ef04b1ab86c29ffabcb8c93c68e5065988bdcda233ac99d256f48000 269708 curl_7.26.0-1+wheezy1_amd64.deb
 e6f47011aeacac638ffacd1b89a1cf37efb85d8c8ce5cbdacc04477f9555342f 330666 libcurl3_7.26.0-1+wheezy1_amd64.deb
 33580b94713c5a39bb8c580bdec87372f24c68d413135130187627d004a07467 321504 libcurl3-gnutls_7.26.0-1+wheezy1_amd64.deb
 69103e54ae2fd36a7bca525e484bda3f42730c06079daae1ca72436fa2f427ed 328192 libcurl3-nss_7.26.0-1+wheezy1_amd64.deb
 bc6f0cd39e501bb1dbc065db6cdbdf19c8b8e3df8d0951454812aed5e36a31be 1269944 libcurl4-openssl-dev_7.26.0-1+wheezy1_amd64.deb
 47b4f5dd8550c09d73fc34159660150659d51c7d8ccff47ae4dc51c74b2dcd3b 1258122 libcurl4-gnutls-dev_7.26.0-1+wheezy1_amd64.deb
 ba767984ea1df5168c061d9eb24be2b1a35a90c98a1601bdaf2d608d2f997c54 1265036 libcurl4-nss-dev_7.26.0-1+wheezy1_amd64.deb
 832e22ebe2b43faa15c2dfeb6bcdced64dbd8bcd993e51df2da3bc20a75bbf3c 3296072 libcurl3-dbg_7.26.0-1+wheezy1_amd64.deb
Files: 
 d381ceb5d6690dc4f6d46c9556a472da 2531 web optional curl_7.26.0-1+wheezy1.dsc
 4e5309450ca4794257fb20eca0b005c1 30433 web optional curl_7.26.0-1+wheezy1.debian.tar.gz
 36ab25d8e5e74bece2a27c808fcf3d88 269708 web optional curl_7.26.0-1+wheezy1_amd64.deb
 489388763c9e2b1ee096cf50b03202eb 330666 libs optional libcurl3_7.26.0-1+wheezy1_amd64.deb
 6369f68ecfe53ba13ee6c93ecaeffecb 321504 libs optional libcurl3-gnutls_7.26.0-1+wheezy1_amd64.deb
 ba1001b0a87f91d1ad1f0b1a478562b1 328192 libs optional libcurl3-nss_7.26.0-1+wheezy1_amd64.deb
 21019388336fcb0794e864da422e3da2 1269944 libdevel optional libcurl4-openssl-dev_7.26.0-1+wheezy1_amd64.deb
 7b44d7f05447e814c2657740d9382ab1 1258122 libdevel optional libcurl4-gnutls-dev_7.26.0-1+wheezy1_amd64.deb
 53902b9a8bd1e1e81754d6765b24f31a 1265036 libdevel optional libcurl4-nss-dev_7.26.0-1+wheezy1_amd64.deb
 63b28fa1e8cb092a22e66d465aeeac47 3296072 debug extra libcurl3-dbg_7.26.0-1+wheezy1_amd64.deb


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Mar 2013 07:25:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:37:17 2019; Machine Name: buxtehude
