curl-library
Re: is CVE-2014-0139 fixed in libcurl-7.19.7-40.el6_6.4.x86_64
Date: Wed, 18 Feb 2015 09:58:38 -0700
On 02/18/2015 09:47 AM, Paul Howarth wrote:
> On 18/02/15 16:07, Patrick Rael wrote:
>> Hi,
>> I need to confirm if the CVE-2014-0139 fix is in libcurl.
>> Normally we do this
>> by checking the rpm changelog for CVEs, it did find CVE-2014-0138, but I
>> can't get
>> confirmation for 0139. I see lots of comments about fixes that were
>> checked into
>> github and showing actual lines added, but nothing in the changelog so I
>> can't confirm it.
>>
>> # cat /etc/centos-release
>> CentOS release 6.6 (Final)
>>
>> # rpm -qa | grep curl
>> libcurl-7.19.7-40.el6_6.4.x86_64
>> python-pycurl-7.19.0-8.el6.x86_64
>> curl-7.19.7-40.el6_6.4.x86_64
>>
>> # rpm -q libcurl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
>> - fix connection re-use when using different log-in credentials
>> (CVE-2014-0138)
>>
>> # rpm -q curl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
>> - fix connection re-use when using different log-in credentials
>> (CVE-2014-0138)
>>
>>
>> Note: CentOS rpm versions don't match the redhat rpm versions, that's
>> why we use
>> the changelog to check for the fix.
>
> This is news to me. In what way are they different?
For almost all CVEs of various rpms that we see there are fixed rpms for
redhat,
the fix usually goes like this: update to this rpm name-ver-rel-arch or
this version.
But we find that in CentOS we can't find that ver-rel, but we find what
appears to be
an older ver-rel, and we check the changelog and there we find the fixed
CVEs.
From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0139 we see this:
...
Versions 7.1 to and including 7.35.0 are affected. The flaw is fixed in
version 7.36.0
...
As I look at libcurl-7.19.7-40.el6_6.4.x86_64 , I see 7.19.7 version is
much less than 7.36.0.
Am I reading it right? We have learned to just ignore the RH
"fixed-in-version" and just
check the changelog of the latest CentOS rpm pkg.
Thanks for the quick reply!
>
>> Thanks for any help!
>
> CVE-2014-0139 does not affect EL-6 because it uses the NSS backend:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1079149#c8
>
> Paul.
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
-- Patrick Rael Contractor, Lumeta Corporation Network Situational Awareness Phone: 703-298-3276
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-02-18