curl-library

Re: is CVE-2014-0139 fixed in libcurl-7.19.7-40.el6_6.4.x86_64

From: Paul Howarth <paul_at_city-fan.org>
Date: Wed, 18 Feb 2015 18:06:01 +0000

On Wed, 18 Feb 2015 10:07:59 -0700
Patrick Rael <prael_at_lumeta.com> wrote:

> On 02/18/2015 09:47 AM, Paul Howarth wrote:
> > On 18/02/15 16:07, Patrick Rael wrote:
> >> Hi,
> >> I need to confirm if the CVE-2014-0139 fix is in libcurl. Normally we do
> >> this by checking the rpm changelog for CVEs; it did find CVE-2014-0138,
> >> but I can't get confirmation for 0139. I see lots of comments about fixes
> >> that were checked into github and showing actual lines added, but nothing
> >> in the changelog, so I can't confirm it.
> >>
> >> # cat /etc/centos-release
> >> CentOS release 6.6 (Final)
> >>
> >> # rpm -qa | grep curl
> >> libcurl-7.19.7-40.el6_6.4.x86_64
> >> python-pycurl-7.19.0-8.el6.x86_64
> >> curl-7.19.7-40.el6_6.4.x86_64
> >>
> >> # rpm -q libcurl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
> >> - fix connection re-use when using different log-in credentials
> >> (CVE-2014-0138)
> >>
> >> # rpm -q curl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
> >> - fix connection re-use when using different log-in credentials
> >> (CVE-2014-0138)
> >>
> >>
> >> Note: CentOS rpm versions don't match the redhat rpm versions, that's
> >> why we use the changelog to check for the fix.
> >
> > This is news to me. In what way are they different?
> >
> >> Thanks for any help!
> >
> > CVE-2014-0139 does not affect EL-6 because it uses the NSS backend:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1079149#c8
>
> This is good info. I checked ldd of libcurl and see it is linked against
> libssl, libcrypto (openssl), and libnss3. I had missed the libnss3 earlier.
> Since it links against that, I see we're not vulnerable.

Well, it's linking against both openssl and NSS. My understanding is
that libcurl's SSL functionality (in RHEL) comes from NSS (hence not
being affected) and that openssl is pulled in for the ssh support (via
libssh2). I might be wrong there though.

Paul.
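An added example, not from this thread or from the curl project, to make Paul's point checkable: ldd shows every library libcurl links, but only `curl -V` names the TLS library the build actually uses (its first line carries a token such as NSS/3.16.2.3 or OpenSSL/1.0.1e). Assumed: a POSIX shell, and a curl binary on PATH for the live check only; the version lines used in the test are constructed to look like EL6 output.

```shell
#!/bin/sh
# Identify libcurl's TLS backend from the first line of `curl -V` rather than
# from ldd. The tokens below are the names libcurl prints for its TLS libraries.

# Print the TLS backend token from a curl version line, or "unknown".
# Always returns 0 so it is safe to call under `set -e`.
curl_tls_backend() {
    set -f                       # no globbing while word-splitting the line
    for tok in $1; do
        case "$tok" in
            OpenSSL/*|LibreSSL/*|BoringSSL*|NSS/*|GnuTLS/*|PolarSSL/*|mbedTLS/*)
                set +f; printf '%s\n' "$tok"; return 0 ;;
            wolfSSL/*|CyaSSL/*|axTLS/*|SecureTransport*|WinSSL*|Schannel*|schannel*)
                set +f; printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    set +f
    printf 'unknown\n'
    return 0
}

# Exit status 0 when the build's TLS work is done by NSS (the case the thread
# settles on for EL6), 1 otherwise.
backend_is_nss() {
    case "$(curl_tls_backend "$1")" in
        NSS/*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Live check on this host: report the backend and remind the reader why a
# libssl/libcrypto entry in ldd output is not the deciding factor.
report_host_backend() {
    command -v curl >/dev/null 2>&1 || { echo "curl not installed"; return 2; }
    first="$(curl -V 2>/dev/null | head -n 1)"
    echo "curl version line: $first"
    echo "TLS backend:       $(curl_tls_backend "$first")"
    echo "note: libcurl may still link libssl/libcrypto for other features"
    echo "      (e.g. via libssh2); ldd alone does not show which library does TLS"
}
```

Run `report_host_backend` on the machine in question; on a build that reports NSS, a CVE that only affects other backends does not apply regardless of what ldd lists.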
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-02-18