CVE-2011-2192: libcurl inappropriate GSSAPI delegation

Related Vulnerabilities: CVE-2011-2192

Debian Bug report logs - #631615


Package: curl; Maintainer for curl is Alessandro Ghedini <ghedo@debian.org>; Source for curl is src:curl.

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Sat, 25 Jun 2011 12:27:02 UTC

Severity: serious

Tags: security

Found in version curl/7.21.6-1

Fixed in versions curl/7.21.6-2, curl/7.21.0-2

Done: Ramakrishnan Muthukrishnan <rkrishnan@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#631615; Package curl. (Sat, 25 Jun 2011 12:27:05 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Sat, 25 Jun 2011 12:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-2192: libcurl inappropriate GSSAPI delegation
Date: Sat, 25 Jun 2011 14:25:27 +0200
Package: curl
Version: 7.21.6-1
Severity: serious
Tags: security

Please see http://curl.haxx.se/docs/adv_20110623.html

Cheers,
Giuseppe.



Reply sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
You have taken responsibility. (Sat, 25 Jun 2011 19:36:03 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Sat, 25 Jun 2011 19:36:03 GMT)


Message #10 received at 631615-close@bugs.debian.org:

From: Ramakrishnan Muthukrishnan <rkrishnan@debian.org>
To: 631615-close@bugs.debian.org
Subject: Bug#631615: fixed in curl 7.21.6-2
Date: Sat, 25 Jun 2011 19:32:20 +0000
Source: curl
Source-Version: 7.21.6-2

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.21.6-2.debian.tar.gz
  to main/c/curl/curl_7.21.6-2.debian.tar.gz
curl_7.21.6-2.dsc
  to main/c/curl/curl_7.21.6-2.dsc
curl_7.21.6-2_amd64.deb
  to main/c/curl/curl_7.21.6-2_amd64.deb
libcurl3-dbg_7.21.6-2_amd64.deb
  to main/c/curl/libcurl3-dbg_7.21.6-2_amd64.deb
libcurl3-gnutls_7.21.6-2_amd64.deb
  to main/c/curl/libcurl3-gnutls_7.21.6-2_amd64.deb
libcurl3-nss_7.21.6-2_amd64.deb
  to main/c/curl/libcurl3-nss_7.21.6-2_amd64.deb
libcurl3_7.21.6-2_amd64.deb
  to main/c/curl/libcurl3_7.21.6-2_amd64.deb
libcurl4-gnutls-dev_7.21.6-2_amd64.deb
  to main/c/curl/libcurl4-gnutls-dev_7.21.6-2_amd64.deb
libcurl4-nss-dev_7.21.6-2_amd64.deb
  to main/c/curl/libcurl4-nss-dev_7.21.6-2_amd64.deb
libcurl4-openssl-dev_7.21.6-2_amd64.deb
  to main/c/curl/libcurl4-openssl-dev_7.21.6-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631615@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ramakrishnan Muthukrishnan <rkrishnan@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 25 Jun 2011 23:37:04 +0530
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.21.6-2
Distribution: unstable
Urgency: high
Maintainer: Ramakrishnan Muthukrishnan <rkrishnan@debian.org>
Changed-By: Ramakrishnan Muthukrishnan <rkrishnan@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl3-nss - Multi-protocol file transfer library (NSS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-nss-dev - Development files and documentation for libcurl (NSS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 631615
Changes: 
 curl (7.21.6-2) unstable; urgency=high
 .
   * Fix for the inappropriate GSSAPI delegation vulnerability (CVE-2011-2192).
     (closes: #631615)



Reply sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
You have taken responsibility. (Sat, 02 Jul 2011 13:57:15 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Sat, 02 Jul 2011 13:57:15 GMT)


Message #15 received at 631615-close@bugs.debian.org:

From: Ramakrishnan Muthukrishnan <rkrishnan@debian.org>
To: 631615-close@bugs.debian.org
Subject: Bug#631615: fixed in curl 7.21.0-2
Date: Sat, 02 Jul 2011 13:53:15 +0000
Source: curl
Source-Version: 7.21.0-2

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.21.0-2.debian.tar.gz
  to main/c/curl/curl_7.21.0-2.debian.tar.gz
curl_7.21.0-2.dsc
  to main/c/curl/curl_7.21.0-2.dsc
curl_7.21.0-2_amd64.deb
  to main/c/curl/curl_7.21.0-2_amd64.deb
libcurl3-dbg_7.21.0-2_amd64.deb
  to main/c/curl/libcurl3-dbg_7.21.0-2_amd64.deb
libcurl3-gnutls_7.21.0-2_amd64.deb
  to main/c/curl/libcurl3-gnutls_7.21.0-2_amd64.deb
libcurl3_7.21.0-2_amd64.deb
  to main/c/curl/libcurl3_7.21.0-2_amd64.deb
libcurl4-gnutls-dev_7.21.0-2_amd64.deb
  to main/c/curl/libcurl4-gnutls-dev_7.21.0-2_amd64.deb
libcurl4-openssl-dev_7.21.0-2_amd64.deb
  to main/c/curl/libcurl4-openssl-dev_7.21.0-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631615@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ramakrishnan Muthukrishnan <rkrishnan@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 26 Jun 2011 20:53:39 +0530
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.21.0-2
Distribution: stable-security
Urgency: high
Maintainer: Ramakrishnan Muthukrishnan <rkrishnan@debian.org>
Changed-By: Ramakrishnan Muthukrishnan <rkrishnan@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 631615
Changes: 
 curl (7.21.0-2) stable-security; urgency=high
 .
   * debian/patches/curl-gssapi-delegation: Fix for GSSAPI delegation
     vulnerability as detailed in CVE-2011-2192. More information and
     the patch at <http://curl.haxx.se/docs/adv_20110623.html>.
     (closes: #631615)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jul 2011 07:32:56 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:31:31 2019; Machine Name: buxtehude
