Your message dated Sun, 30 Mar 2014 15:19:26 +0000
with message-id <e1wuhwa-0000qt...@franck.debian.org>
and subject line Bug#742728: fixed in curl 7.36.0-1
has caused the Debian Bug report #742728,
regarding curl: CVE-2014-0138 CVE-2014-0139
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
742728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742728
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: curl
Version: 7.21.0-1
Severity: grave
Tags: security upstream fixed-upstream

Hi Alessandro,

For having this referenced also in the Debian BTS, the following
vulnerabilities were published for curl.

CVE-2014-0138[0]:
libcurl wrong re-use of connections

CVE-2014-0139[1]:
libcurl IP address wildcard certificate validation

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2014-0138
[1] http://security-tracker.debian.org/tracker/CVE-2014-0139

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.36.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <gh...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 30 Mar 2014 15:36:35 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source amd64 all
Version: 7.36.0-1
Distribution: unstable
Urgency: high
Maintainer: Alessandro Ghedini <gh...@debian.org>
Changed-By: Alessandro Ghedini <gh...@debian.org>
Description: 
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 742728
Changes: 
 curl (7.36.0-1) unstable; urgency=high
 .
   * New upstream release (Closes: #742728)
     - Fix connection re-use when using different log-in credentials
       as per CVE-2014-0138
       http://curl.haxx.se/docs/adv_20140326A.html
     - Reject IP address wildcard matches as per CVE-2014-0139
       http://curl.haxx.se/docs/adv_20140326B.html
     - Set urgency=high accordingly
   * Add 08_fix-imap-tests.patch to fix tests broken by the fix for CVE-2014-0138

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
