curl-library

Re: is CVE-2014-0139 fixed in libcurl-7.19.7-40.el6_6.4.x86_64

From: Patrick Rael <prael_at_lumeta.com>
Date: Wed, 18 Feb 2015 10:07:59 -0700

On 02/18/2015 09:47 AM, Paul Howarth wrote:
> On 18/02/15 16:07, Patrick Rael wrote:
>> Hi,
>> I need to confirm if the CVE-2014-0139 fix is in libcurl. Normally we do this
>> by checking the rpm changelog for CVEs; it did find CVE-2014-0138, but I
>> can't get confirmation for 0139. I see lots of comments about fixes that were
>> checked into github and showing actual lines added, but nothing in the
>> changelog, so I can't confirm it.
>>
>> # cat /etc/centos-release
>> CentOS release 6.6 (Final)
>>
>> # rpm -qa | grep curl
>> libcurl-7.19.7-40.el6_6.4.x86_64
>> python-pycurl-7.19.0-8.el6.x86_64
>> curl-7.19.7-40.el6_6.4.x86_64
>>
>> # rpm -q libcurl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
>> - fix connection re-use when using different log-in credentials
>> (CVE-2014-0138)
>>
>> # rpm -q curl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
>> - fix connection re-use when using different log-in credentials
>> (CVE-2014-0138)
>>
>>
>> Note: CentOS rpm versions don't match the redhat rpm versions; that's why we
>> use the changelog to check for the fix.
>
> This is news to me. In what way are they different?
>
>> Thanks for any help!
>
> CVE-2014-0139 does not affect EL-6 because it uses the NSS backend:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1079149#c8

This is good info. I checked ldd of libcurl and see it is linked against
libssl, libcrypto (openssl), and libnss3. I had missed the libnss3 earlier.
Since it links against that, I see we're not vulnerable.

Thanks!

>
> Paul.

-- 
Patrick Rael
Contractor, Lumeta Corporation
Network Situational Awareness
Phone: 703-298-3276
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
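The thread combines two checks a packager or auditor would script rather than eyeball: does the rpm changelog record a given CVE id, and which TLS backend is the installed libcurl actually built against (the basis for the Red Hat bug's conclusion that the NSS build is unaffected). The script below is an added example, not code from the thread or from the curl project. It parses constructed sample output shaped like the `rpm --changelog`, `ldd` and `curl -V` output a host would produce; the version strings, paths and maintainer line are made up. On a real host the three variables would be filled from `rpm -q libcurl --changelog`, `ldd` on the installed `libcurl.so.4`, and `curl -V | head -1`.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a CVE id is recorded in
# an rpm changelog, and which TLS library the installed libcurl is built with.
#
# The three inputs below are CONSTRUCTED samples shaped like real output.
# On a live host replace them with:
#   CHANGELOG=$(rpm -q libcurl --changelog)
#   LDD_OUT=$(ldd /usr/lib64/libcurl.so.4)      # path varies by distro
#   CURL_V=$(curl -V | head -1)

CHANGELOG='* Tue Mar 25 2014 Example Maintainer <maint@example.invalid> - 7.19.7-40
- fix connection re-use when using different log-in credentials (CVE-2014-0138)
- fix re-use of wrong HTTP NTLM connection (CVE-2014-0015)'

LDD_OUT='	linux-vdso.so.1 =>  (0x00007fff3e1ff000)
	libidn.so.11 => /lib64/libidn.so.11 (0x00007f0c0c0b0000)
	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0c0be40000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0c0ba60000)
	libnss3.so => /usr/lib64/libnss3.so (0x00007f0c0b720000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0c0b0f0000)'

CURL_V='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2'

# cve_in_changelog CHANGELOG CVE-ID  -> prints "yes" or "no"
# The id is matched as a whole token, so CVE-2014-0139 is not reported as
# present just because CVE-2014-01390 or CVE-2014-0139x appears.
cve_in_changelog() {
  if printf '%s\n' "$1" | grep -Eq "(^|[^0-9])$2([^0-9]|$)"; then
    echo yes
  else
    echo no
  fi
}

# tls_backend_from_curl CURL_V_FIRST_LINE -> prints the TLS library name
# curl -V names its TLS library (NSS/x.y, OpenSSL/x.y, GnuTLS/x.y, ...) in
# the first line; take the token and strip the version after the slash.
tls_backend_from_curl() {
  printf '%s\n' "$1" | tr ' ' '\n' \
    | grep -E '^(NSS|OpenSSL|GnuTLS|wolfSSL|mbedTLS)' | head -1 | cut -d/ -f1
}

# linked_tls_libs LDD_OUT -> prints one TLS-related shared object per line
# A build can be linked against several crypto libraries at once (the thread
# saw libssl, libcrypto and libnss3 together), so this lists all of them and
# leaves the decision about which one curl actually uses to curl -V.
linked_tls_libs() {
  printf '%s\n' "$1" | awk '$1 ~ /^lib(ssl|crypto|nss3|gnutls)\.so/ { print $1 }'
}

# Stand-alone run over the constructed samples.
for id in CVE-2014-0138 CVE-2014-0139; do
  echo "$id in changelog: $(cve_in_changelog "$CHANGELOG" "$id")"
done
echo "TLS backend reported by curl -V: $(tls_backend_from_curl "$CURL_V")"
echo "TLS-related libraries in ldd output:"
linked_tls_libs "$LDD_OUT"
```

A "no" from the changelog check only means the packager did not cite the id; it does not by itself say the code is unfixed or vulnerable. The backend name from `curl -V` is the value to compare against the advisory, since, as the thread shows, `ldd` alone can list both OpenSSL and NSS libraries for one build.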
Received on 2015-02-18