Your message dated Wed, 11 Mar 2009 15:17:04 +0000
with message-id <e1lhqb6-0000ke...@ries.debian.org>
and subject line Bug#518423: fixed in curl 7.18.2-8.1
has caused the Debian Bug report #518423,
regarding [CVE-2009-0037] libcurl Arbitrary File Access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
518423: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518423
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libcurl3
Version: 7.18.2-8
Severity: critical
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

See http://curl.haxx.se/docs/adv_20090303.html. Ubuntu already fixed it,
so there is a patch available.

Regards, Daniel


- -- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (850, 'unstable'), (550, 'stable'), (500, 'oldstable'), (110, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libcurl3 depends on:
ii  ca-certificates       20081127           Common CA certificates
ii  libc6                 2.9-4              GNU C Library: Shared libraries
ii  libidn11              1.12-1             GNU Libidn library, implementation
ii  libkrb53              1.6.dfsg.4~beta1-9 Transitional library package/krb4 
ii  libldap-2.4-2         2.4.15-1           OpenLDAP libraries
ii  libssh2-1             1.0-1              SSH2 client-side library
ii  libssl0.9.8           0.9.8g-15          SSL shared libraries
ii  zlib1g                1:1.2.3.3.dfsg-13  compression library - runtime

libcurl3 recommends no packages.

libcurl3 suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmwZlEACgkQm0bx+wiPa4xz1ACeNEM3PVCMa2UXD5HzJ7kiuYJD
e7QAnR7nBm77AsE7H3La/YXUwe++PMti
=Gv74
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.18.2-8.1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.18.2-8.1.diff.gz
  to pool/main/c/curl/curl_7.18.2-8.1.diff.gz
curl_7.18.2-8.1.dsc
  to pool/main/c/curl/curl_7.18.2-8.1.dsc
curl_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/curl_7.18.2-8.1_amd64.deb
libcurl3-dbg_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl3-dbg_7.18.2-8.1_amd64.deb
libcurl3-gnutls_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls_7.18.2-8.1_amd64.deb
libcurl3_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl3_7.18.2-8.1_amd64.deb
libcurl4-gnutls-dev_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl4-gnutls-dev_7.18.2-8.1_amd64.deb
libcurl4-openssl-dev_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl4-openssl-dev_7.18.2-8.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 11 Mar 2009 15:33:08 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.18.2-8.1
Distribution: unstable
Urgency: high
Maintainer: Domenico Andreoli <ca...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 518423
Changes: 
 curl (7.18.2-8.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Include upstream patch to prevent overwriting and reading arbitrary
     local files or command execution via malicious redirects depending on
     the setup curl is used in.
     NOTE: This update introduces a new option called CURLOPT_REDIR_PROTOCOLS
     which includes the protocols curl will follow on redirects; scp and file
     are not included by default (CVE-2009-0037; Closes: #518423).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm30iAACgkQHYflSXNkfP/CRgCfeExSasg9ZuGGYbEGTzGuL595
6MYAn1IIlBuFYc2cWFnBz0cbqFCmJpbY
=qld8
-----END PGP SIGNATURE-----



--- End Message ---
