Your message dated Sat, 13 Apr 2013 08:47:43 +0000
with message-id <e1uqw7b-0007ht...@franck.debian.org>
and subject line Bug#705274: fixed in curl 7.29.0-2.1
has caused the Debian Bug report #705274,
regarding curl: CVE-2013-1944: libcurl cookie domain tailmatch
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
705274: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: curl
Severity: grave
Tags: security
Hi,
the following vulnerability was published for curl.
CVE-2013-1944[0]:
libcurl cookie domain tailmatch
For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2013-1944
[1] http://curl.haxx.se/docs/adv_20130412.html
Alessandro Ghedini was already aware of it and prepared debdiffs for
stable and wheezy.
This is more to track the issue as a bug in the BTS.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.29.0-2.1
We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 705...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated curl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 12 Apr 2013 13:55:34 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev
libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.29.0-2.1
Distribution: unstable
Urgency: high
Maintainer: Alessandro Ghedini <gh...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
curl - command line tool for transferring data with URL syntax
libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 704093 705274
Changes:
curl (7.29.0-2.1) unstable; urgency=high
.
* Non-maintainer upload.
.
[ Alessandro Ghedini ]
* Do not compress *.pdf files (Closes: #704093)
.
[ Salvatore Bonaccorso ]
* Add 09_CVE-213-1944.patch.
Fix CVE-2013-1944: fix tailmatching to prevent cross-domain leakage.
Cookies set for 'example.com' could accidentally also be sent by libcurl
to the 'bexample.com' (i.e. with a prefix to the first domain name).
(Closes: #705274)
* Add testcase for CVE-2013-1944.
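The cross-domain leakage described in the changelog entry above, shown as an added C example that is not libcurl's cookie code and not the Debian patch: a suffix-only tailmatch (the defective behaviour, under which "bexample.com" satisfies a cookie scoped to "example.com") beside a label-boundary check of the kind the fix introduces. Function names, the leading-dot stripping and the sample hostnames are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Cookies are often set with a leading dot (".example.com"); drop it so
 * both forms are compared the same way. Constructed helper. */
static const char *strip_leading_dot(const char *s) {
    return (s[0] == '.') ? s + 1 : s;
}

/* Defective variant: only asks "does the host end with the cookie domain?".
 * "bexample.com" ends with "example.com", so the cookie would be sent there. */
bool tailmatch_suffix_only(const char *cookie_domain, const char *hostname) {
    cookie_domain = strip_leading_dot(cookie_domain);
    size_t clen = strlen(cookie_domain), hlen = strlen(hostname);
    if (clen > hlen)
        return false;
    return strncasecmp(cookie_domain, hostname + (hlen - clen), clen) == 0;
}

/* Corrected variant: the cookie domain must be the whole host, or the
 * matched suffix must start right after a '.' (a DNS label boundary). */
bool tailmatch_label_boundary(const char *cookie_domain, const char *hostname) {
    cookie_domain = strip_leading_dot(cookie_domain);
    size_t clen = strlen(cookie_domain), hlen = strlen(hostname);
    if (clen > hlen)
        return false;
    if (strncasecmp(cookie_domain, hostname + (hlen - clen), clen) != 0)
        return false;
    if (clen == hlen)
        return true;                      /* exact match, e.g. example.com */
    return hostname[hlen - clen - 1] == '.'; /* www.example.com, not bexample.com */
}

/* Count, over a list of hosts, how many would receive the cookie under a
 * given matcher. Used to compare the two policies on constructed input. */
size_t count_hosts_matching(bool (*match)(const char *, const char *),
                            const char *cookie_domain,
                            const char **hosts, size_t nhosts) {
    size_t n = 0;
    for (size_t i = 0; i < nhosts; i++)
        if (match(cookie_domain, hosts[i]))
            n++;
    return n;
}

int main(void) {
    /* Constructed sample hosts a cookie scoped to "example.com" might meet. */
    const char *hosts[] = {
        "example.com", "www.example.com", "bexample.com", "notexample.com",
        "example.com.evil.test", "EXAMPLE.COM"
    };
    size_t nhosts = sizeof hosts / sizeof hosts[0];

    printf("%-24s %-12s %-12s\n", "host", "suffix-only", "boundary");
    for (size_t i = 0; i < nhosts; i++)
        printf("%-24s %-12s %-12s\n", hosts[i],
               tailmatch_suffix_only("example.com", hosts[i]) ? "SEND" : "-",
               tailmatch_label_boundary("example.com", hosts[i]) ? "SEND" : "-");
    return 0;
}
```

The only difference between the two matchers is the single character test before the matched suffix; that is the whole of the label-boundary condition, and a regression test for it needs no more than the hostname pairs used here.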
Checksums-Sha1:
b1bfaa541a1b186daf14343d257428f588a21b6d 2517 curl_7.29.0-2.1.dsc
1fbc32fee63d62bd363703305e0ccde10d00b2eb 30867 curl_7.29.0-2.1.debian.tar.gz
94ec41ef3d8c7407eefefa44709cb41b9dae8b5c 282462 curl_7.29.0-2.1_amd64.deb
b4418019002a4c2e2fd578e4e968a9e2b116586e 333984 libcurl3_7.29.0-2.1_amd64.deb
0dae1597b4f10c8d0362d87dc7532528caf51a81 325506 libcurl3-gnutls_7.29.0-2.1_amd64.deb
f3db6731469edf18a1ea6b2abc7155752efccf16 331740 libcurl3-nss_7.29.0-2.1_amd64.deb
d7d339eac4ef23274587109874dcc085cac1f279 1318218 libcurl4-openssl-dev_7.29.0-2.1_amd64.deb
efce9cb44ddca788289833fbe13bc3f680d2584e 1307654 libcurl4-gnutls-dev_7.29.0-2.1_amd64.deb
3bf2a8d84ed5a750dc30ff82eaeb2037d5eca20c 1314316 libcurl4-nss-dev_7.29.0-2.1_amd64.deb
429be12d0e049719b3f5376a288bbda3ecde56d5 3463610 libcurl3-dbg_7.29.0-2.1_amd64.deb
Checksums-Sha256:
865729790b95a077928ea3ab8d713b59112bcb4a79a6bc539e1b01d6b22a6a68 2517 curl_7.29.0-2.1.dsc
2dba5084e6db0479d7d37323765b24a4dcb8b18b36ed1cbaf594e3f0e6a6fd81 30867 curl_7.29.0-2.1.debian.tar.gz
c2b2f8faf5fac4daa298b4e54767e041091e2d1b0983228c6534a42cc9c0302a 282462 curl_7.29.0-2.1_amd64.deb
9e146676be96308f1712c7a87101b18969f676bba981baa146763ae9c32fbf8c 333984 libcurl3_7.29.0-2.1_amd64.deb
17803a04fa2c34efad9308cdc867ad5f1be2ab1f9bcf7d9fc20b2d86f3aeb31a 325506 libcurl3-gnutls_7.29.0-2.1_amd64.deb
31d47a09a1eda3b34b005e62870a1dfa4c92127c44b02a795d00eff18f6cd205 331740 libcurl3-nss_7.29.0-2.1_amd64.deb
4834476ddd0cebc4d8e446d3ea8c9129ed9833570d5a78149c72e48e39b8e81f 1318218 libcurl4-openssl-dev_7.29.0-2.1_amd64.deb
eeeeb552f8ceacafaa35cb96fe3bda279d5f367daa4333dcf3daa9af2e295470 1307654 libcurl4-gnutls-dev_7.29.0-2.1_amd64.deb
b5d43f7c4e5b941c93972409f3190162c78f7701595d55ae021b0c9d6f8512bb 1314316 libcurl4-nss-dev_7.29.0-2.1_amd64.deb
2c621a0e6cd0d56d4424a6ec19d6530ddd124464a1b60c4b078ffadddc5ca44e 3463610 libcurl3-dbg_7.29.0-2.1_amd64.deb
Files:
c6ad3f5578941c7a2f665b73908eb204 2517 web optional curl_7.29.0-2.1.dsc
5f06308c4f7d640f282186c08615fa9e 30867 web optional curl_7.29.0-2.1.debian.tar.gz
67c4ad4d680e628e9ef13f51a1ea50c6 282462 web optional curl_7.29.0-2.1_amd64.deb
92b7a77c2c325c7834f28496d39c0cbf 333984 libs optional libcurl3_7.29.0-2.1_amd64.deb
0285629a654b56e90e1479a2542c64f2 325506 libs optional libcurl3-gnutls_7.29.0-2.1_amd64.deb
2a4ae0f80367dfc88c0fed0bd22b38cf 331740 libs optional libcurl3-nss_7.29.0-2.1_amd64.deb
53d791eea85070465e377328efdb4f1a 1318218 libdevel optional libcurl4-openssl-dev_7.29.0-2.1_amd64.deb
815c25043f20d27b20597cc6b7874b24 1307654 libdevel optional libcurl4-gnutls-dev_7.29.0-2.1_amd64.deb
5743fb230708e234e1c9c939d20c02f2 1314316 libdevel optional libcurl4-nss-dev_7.29.0-2.1_amd64.deb
2cca6d36e4f8d9ecb64cc9149d6c8b04 3463610 debug extra libcurl3-dbg_7.29.0-2.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---