
Debian Bug report logs - #836918
curl: CVE-2016-7141: Incorrect reuse of client certificates (nss backend)


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 7 Sep 2016 08:36:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions curl/7.38.0-4, curl/7.50.1-1

Fixed in version curl/7.51.0-1
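A practical check on the "Found in" and "Fixed in" lines above, added here as an example and not part of the bug log, of dpkg or of curl: a reimplementation of dpkg's version ordering (Debian Policy 5.6.12, the verrevcmp() algorithm) that decides whether an installed package version sorts before 7.51.0-1. The package names queried at the bottom (libcurl3-nss is the NSS flavour named in the title) and the use of dpkg-query are assumptions about the host; the comparison itself is pure Python and runs offline.

```python
"""Decide whether an installed Debian curl version predates the fix for
CVE-2016-7141 using dpkg's version-ordering rules.

Added example, not Debian's or dpkg's own code: _verrevcmp() mirrors
dpkg's verrevcmp() and should agree with `dpkg --compare-versions`.
"""
import string
import subprocess

FOUND_IN = ("7.38.0-4", "7.50.1-1")   # versions the bug log marks as affected
FIXED_IN = "7.51.0-1"                  # first Debian (unstable) version with the fix


def _order(c):
    """Sort weight of one non-digit character: '~' sorts before everything,
    even the end of the string; letters sort before non-letters."""
    if c == "" or c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream-version or revision string pair: <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compare character by character with _order()
        while (i < len(a) and a[i] not in string.digits) or \
              (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros; a longer run wins, otherwise the
        # first differing digit decides
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in string.digits and b[j] in string.digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """Return (epoch, upstream, debian_revision) for '[epoch:]upstream[-rev]'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:                      # no hyphen: native package, no revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1 like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_vulnerable(installed, fixed=FIXED_IN):
    """True when the installed version sorts strictly before the fixed one."""
    return compare_versions(installed, fixed) < 0


def installed_version(package):
    """Ask dpkg for the installed version; None if dpkg or the package is absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "--showformat=${Version}", package],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() or None


if __name__ == "__main__":
    for pkg in ("libcurl3-nss", "curl"):   # assumed package names on the host
        v = installed_version(pkg)
        print(pkg, v, "vulnerable" if v and is_vulnerable(v) else "fixed or not installed")
```

The "~" rule matters for backports (7.51.0-1~bpo8+1 sorts before 7.51.0-1) and the "+" rule for stable security uploads (7.51.0-1+deb9u1 sorts after it). The fixed version recorded here is the unstable one; a stable release that receives the fix through a security update carries a different version string, so compare only against the fixed version published for the suite actually installed.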

Done: Alessandro Ghedini <ghedo@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#836918; Package src:curl. (Wed, 07 Sep 2016 08:36:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Wed, 07 Sep 2016 08:36:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2016-7141: Incorrect reuse of client certificates (nss backend)
Date: Wed, 07 Sep 2016 10:32:38 +0200
Source: curl
Version: 7.50.1-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for curl.

CVE-2016-7141[0]:
Incorrect reuse of client certificates

A patch is attached to [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7141
[1] http://seclists.org/oss-sec/2016/q3/413

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions curl/7.38.0-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Sep 2016 08:51:03 GMT)


Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Thu, 03 Nov 2016 23:39:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 03 Nov 2016 23:39:06 GMT)


Message #12 received at 836918-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 836918-close@bugs.debian.org
Subject: Bug#836918: fixed in curl 7.51.0-1
Date: Thu, 03 Nov 2016 23:35:27 +0000
Source: curl
Source-Version: 7.51.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 836918@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 03 Nov 2016 22:46:14 +0000
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source amd64 all
Version: 7.51.0-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 836918 837945
Changes:
 curl (7.51.0-1) unstable; urgency=medium
 .
   * New upstream release
     - Fix cookie injection for other servers as per CVE-2016-8615
       https://curl.haxx.se/docs/adv_20161102A.html
     - Fix case insensitive password comparison as per CVE-2016-8616
       https://curl.haxx.se/docs/adv_20161102B.html
     - Fix OOB write via unchecked multiplication as per CVE-2016-8617
       https://curl.haxx.se/docs/adv_20161102C.html
     - Fix double-free in curl_maprintf as per CVE-2016-8618
       https://curl.haxx.se/docs/adv_20161102D.html
     - Fix double-free in krb5 code as per CVE-2016-8619
       https://curl.haxx.se/docs/adv_20161102E.html
     - Fix glob parser write/read out of bounds as per CVE-2016-8620
       https://curl.haxx.se/docs/adv_20161102F.html
     - Fix curl_getdate read out of bounds as per CVE-2016-8621
       https://curl.haxx.se/docs/adv_20161102G.html
     - Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622
       https://curl.haxx.se/docs/adv_20161102H.html
     - Fix use-after-free via shared cookies as per CVE-2016-8623
       https://curl.haxx.se/docs/adv_20161102I.html
     - Fix invalid URL parsing with '#' as per CVE-2016-8624
       https://curl.haxx.se/docs/adv_20161102J.html
     - Fix IDNA 2003 makes curl use wrong host
       https://curl.haxx.se/docs/adv_20161102K.html
     - Fix escape and unescape integer overflows as
       per CVE-2016-7167 (Closes: #837945)
       https://curl.haxx.se/docs/adv_20160914.html
     - Fix incorrect reuse of client certificates (NSS backend)
       as per CVE-2016-7141 (Closes: #836918)
       https://curl.haxx.se/docs/adv_20160907.html
   * Drop 02_art_http_scripting.patch (file not shipped anymore)
   * Refresh patches
   * Temporarily disable IDN support
   * Don't install pdf and html docs (they are not shipped in the tarball anymore)
   * Install markdown docs
Checksums-Sha1:
 073daee259c41e6779839d1f6ef59807f4540944 2681 curl_7.51.0-1.dsc
 d967f37db1a2b49eb3ccc682b97c46e948dfd19a 3441753 curl_7.51.0.orig.tar.gz
 aad50a0bc1c6416f3b5f59293cc2038018d7661c 27016 curl_7.51.0-1.debian.tar.xz
 5fa3785860333c85f401f6602a421793aa8e3247 128066 curl-dbgsym_7.51.0-1_amd64.deb
 6266886e82636ac31c27459ea2c8de298ca372da 222254 curl_7.51.0-1_amd64.deb
 5dacefa80356a7bc61d07024c42e8549a218680a 3951626 libcurl3-dbg_7.51.0-1_amd64.deb
 030a45249592cbf7e41b171e8fe811f8a006ca6d 283742 libcurl3-gnutls_7.51.0-1_amd64.deb
 1f344ffb5c2a859667b788baf77e6eed0036f472 290302 libcurl3-nss_7.51.0-1_amd64.deb
 78dd81f304a5fb3c66953663a3f9d8883867f63c 286282 libcurl3_7.51.0-1_amd64.deb
 b05f4e833f37c3117698ad1f92fd43a8de8f3e3a 800326 libcurl4-doc_7.51.0-1_all.deb
 ac2db320f2b8cc4fb2400d4490421aff1542a18d 365940 libcurl4-gnutls-dev_7.51.0-1_amd64.deb
 0fe584375c5401c28317bb6018c6f40d753f77c6 372682 libcurl4-nss-dev_7.51.0-1_amd64.deb
 a961cec9e1c7571b16929de4b706879f66e2b6cf 368044 libcurl4-openssl-dev_7.51.0-1_amd64.deb
Checksums-Sha256:
 e139d0221798b98174533e4219c7841bd1880a85ce776fb44d9d67d3e9c77808 2681 curl_7.51.0-1.dsc
 65b5216a6fbfa72f547eb7706ca5902d7400db9868269017a8888aa91d87977c 3441753 curl_7.51.0.orig.tar.gz
 be7ec42a13fc8167a5dd8bd092324594f05632b8eb7faef94128281310cc7e6f 27016 curl_7.51.0-1.debian.tar.xz
 ea81de52f7fe5e5cc1100c820f7435dc34de58f141b76a0fcc2885f614126c1e 128066 curl-dbgsym_7.51.0-1_amd64.deb
 25a2fcd051b93fb8ee9fe9f42d09a680b00adc8a359b7fc497f8009d7892efcc 222254 curl_7.51.0-1_amd64.deb
 f9d38671382aa489469242f292eaa9ac55ef81579cffbb13ef09080a988678e1 3951626 libcurl3-dbg_7.51.0-1_amd64.deb
 301e72f6cd523c16bca160223c4af90ee588cabf8d926ee38843043bf48d3b7d 283742 libcurl3-gnutls_7.51.0-1_amd64.deb
 7483d0f3b362212fa7749f36179136645eb85d53d096a23645a706697d758080 290302 libcurl3-nss_7.51.0-1_amd64.deb
 670c638fe8ceaa4893b9f8fa053f49dd691c0f18f96c8e292fd0b875dba78d19 286282 libcurl3_7.51.0-1_amd64.deb
 9a0660465e7d50dee3a3800bfd5d8549dd6ef43f113bb6e4fb029e47243c1f29 800326 libcurl4-doc_7.51.0-1_all.deb
 14c0b036dc5103ba6870c91fdd317b2680a2ad78bcf1b6a1a8212f19c52bcd66 365940 libcurl4-gnutls-dev_7.51.0-1_amd64.deb
 490e87f3858aaa1ab160b9f2972847bca5b5a2887b26c7e2316dd1e8bea1ad97 372682 libcurl4-nss-dev_7.51.0-1_amd64.deb
 79c090d949e2d6b4ac00687473cd5ce02749d52966d53b9ea242a461f24df211 368044 libcurl4-openssl-dev_7.51.0-1_amd64.deb
Files:
 b9bd94cabdd990e60a053f2822e7a8fa 2681 web optional curl_7.51.0-1.dsc
 490e19a8ccd1f4a244b50338a0eb9456 3441753 web optional curl_7.51.0.orig.tar.gz
 4352cee9e0db41aeb02a79634fb048c1 27016 web optional curl_7.51.0-1.debian.tar.xz
 f0cae778ba0ae8bd4b15f38b3887a59e 128066 debug extra curl-dbgsym_7.51.0-1_amd64.deb
 28e74d63ef76e1e0dae52cd05d956a7c 222254 web optional curl_7.51.0-1_amd64.deb
 036d8435a92c52eadb01dcc534eb80c1 3951626 debug extra libcurl3-dbg_7.51.0-1_amd64.deb
 620d73cee382579be2667d4a177bd378 283742 libs optional libcurl3-gnutls_7.51.0-1_amd64.deb
 bf289966f653f96a5f8c006116794110 290302 libs optional libcurl3-nss_7.51.0-1_amd64.deb
 10c542998dfc3535a724d5e8e4de96f5 286282 libs optional libcurl3_7.51.0-1_amd64.deb
 1b6e474c092791a9a127cdc6e895272a 800326 doc optional libcurl4-doc_7.51.0-1_all.deb
 9b61cbbee97c4e98bd6f76c1aa7a9692 365940 libdevel optional libcurl4-gnutls-dev_7.51.0-1_amd64.deb
 51541c66442289f1f28e9ffc7de05510 372682 libdevel optional libcurl4-nss-dev_7.51.0-1_amd64.deb
 b9654f2ab0b87238849482d7fb8f4683 368044 libdevel optional libcurl4-openssl-dev_7.51.0-1_amd64.deb


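The .changes body in the close message above is the artifact a downstream consumer checks before trusting the rebuilt packages: its Checksums-Sha256 stanza lists every file of the upload, and its Changes stanza names the CVEs the upload claims to fix. The following is an added example, not Debian's or curl's own tooling: a small parser for that field layout plus a constant-time digest check. The sample text is constructed from the Version, Closes and Changes fields shown above; the checksum line is filled in at runtime for a temporary file, since the real archive hashes belong to files this example does not download.

```python
"""Parse a Debian .changes body and verify files against its Checksums-Sha256
stanza.  Added example, not Debian or curl project code.  SAMPLE_CHANGES is a
constructed excerpt of the curl 7.51.0-1 upload shown in the bug log; its
checksum line is generated for a temporary file by demo()."""
import hashlib
import hmac
import os
import re
import tempfile

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample; {checksums} is replaced by one " <sha256> <size> <name>" line.
SAMPLE_CHANGES = """\
Format: 1.8
Source: curl
Version: 7.51.0-1
Distribution: unstable
Closes: 836918 837945
Changes:
 curl (7.51.0-1) unstable; urgency=medium
 .
   * New upstream release
     - Fix escape and unescape integer overflows as
       per CVE-2016-7167 (Closes: #837945)
     - Fix incorrect reuse of client certificates (NSS backend)
       as per CVE-2016-7141 (Closes: #836918)
Checksums-Sha256:
{checksums}
"""


def parse_changes(text):
    """Return {field: value}.  Continuation lines (leading space) are joined
    with newlines, leading space stripped, so multi-line stanzas stay intact."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("-----") or not line.strip():
            continue                            # PGP armour lines and separators
        if line[0] in " \t" and key is not None:
            fields[key] += "\n" + line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields


def parse_checksums(fields, stanza="Checksums-Sha256"):
    """Return {filename: (hex digest, size)} from one Checksums-* stanza."""
    out = {}
    for line in fields.get(stanza, "").splitlines():
        parts = line.split()
        if len(parts) == 3:
            digest, size, name = parts
            out[name] = (digest.lower(), int(size))
    return out


def cves_fixed(fields):
    """CVE identifiers named in the Changes: entry, deduplicated and sorted."""
    return sorted(set(CVE_RE.findall(fields.get("Changes", ""))))


def bugs_closed(fields):
    return [int(n) for n in fields.get("Closes", "").split()]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, entries):
    """True only if the basename is listed and both size and digest match."""
    name = os.path.basename(path)
    if name not in entries:
        return False
    digest, size = entries[name]
    if os.path.getsize(path) != size:
        return False
    return hmac.compare_digest(sha256_of(path), digest)


def demo():
    """Write a constructed file, list its real digest in the stanza, then verify
    the intact file and a same-size tampered copy.  Returns (intact, tampered)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "curl_7.51.0-1_amd64.deb")   # constructed, not a real .deb
        with open(good, "wb") as f:
            f.write(b"constructed package payload\n")
        line = " %s %d %s" % (sha256_of(good), os.path.getsize(good), os.path.basename(good))
        entries = parse_checksums(parse_changes(SAMPLE_CHANGES.format(checksums=line)))
        intact = verify_file(good, entries)
        with open(good, "r+b") as f:            # flip one byte, keep the size
            f.seek(0)
            f.write(b"X")
        tampered = verify_file(good, entries)
        return intact, tampered
```

The digests are only as trustworthy as the signature over the .changes file they came from (the upload above was clearsigned with SHA512); verify that signature against the uploader's key in the Debian keyring first, then run the checks here. The size comparison is cheap and catches truncated downloads before any hashing is done.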



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 08:11:41 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:55:13 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Mar 2017 07:25:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:29:37 2019; Machine Name: buxtehude
