copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2007.0538 -- [UNIX/Linux][Debian] -- New curl and libcurl packages fix certificate handling

Date: 19 July 2007

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2007.0538 -- [UNIX/Linux][Debian]
          New curl and libcurl packages fix certificate handling
                               19 July 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              curl 7.16.3 and prior
                      libcurl 7.16.3 and prior
Publisher:            Debian
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-3564

Original Bulletin:    http://www.debian.org/security/2007/dsa-1333

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running libcurl or curl check for an updated version of the software
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1333                    security@debian.org
http://www.debian.org/security/                               Steve Kemp
July 18th, 2007
- - ------------------------------------------------------------------------

Package        : libcurl3-gnutls
Vulnerability  : input validation
Problem type   : local and remote
Debian-specific: no
CVE Id(s)      : CVE-2007-3564

It has been discovered that the GnuTLS certificate verification methods
implemented in libcurl-gnutls, a solid, usable, and portable multi-protocol
file transfer library, did not check for expired or invalid dates.

For the stable distribution (etch), this problem has been fixed in
version 7.15.5-1etch1.

We recommend that you upgrade your libcurl3-gnutls package.


Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - --------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1.dsc
    Size/MD5 checksum:      948 1eacdb0c127ad12b860033f743563df8
  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5.orig.tar.gz
    Size/MD5 checksum:  1897973 61997c0d852d38c3a85b445f4fc02892
  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1.diff.gz
    Size/MD5 checksum:    19029 cbd30d40f3026e020182e665a7f5d5be

Architecture independent packages:

  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.15.5-1etch1_all.deb
    Size/MD5 checksum:    22198 b6b9a429b9ae513c5e0c8472c6509907

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_alpha.deb
    Size/MD5 checksum:   811542 dbc6cd819cff1b717c46e11caa1dd331
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_alpha.deb
    Size/MD5 checksum:   815608 03e1eb1961a7e58e82e4ac2380aa8c8a
  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_alpha.deb
    Size/MD5 checksum:   181660 30c703c8b17a42b63d2fbe575bafe562
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_alpha.deb
    Size/MD5 checksum:   823850 23eb2600b1da596a04bfd5043effc13d
  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_alpha.deb
    Size/MD5 checksum:   166814 7a9f90444bd58d38c9452a44ff71ea98
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_alpha.deb
    Size/MD5 checksum:   175316 0167fc5805b8f8c363165dff64dafe98

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_amd64.deb
    Size/MD5 checksum:   772978 675235b32ac91f3b91f86ee28e70d1e2
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_amd64.deb
    Size/MD5 checksum:   824246 a0547976a45ee4d4be2c43b179459404
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_amd64.deb
    Size/MD5 checksum:   767648 4852d415582c564eb50cb9f8cbc677f7
  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_amd64.deb
    Size/MD5 checksum:   170008 ff8b0b14022f291265324243579abf2d
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_amd64.deb
    Size/MD5 checksum:   164638 ae44174a768af4786637cb6292800b21
  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_amd64.deb
    Size/MD5 checksum:   163440 c7410d7b8efc16abf1e138c1bb7a5712

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_arm.deb
    Size/MD5 checksum:   162094 001980ca743312ca37513877ad7d19f6
  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_arm.deb
    Size/MD5 checksum:   164634 436490a717543532135cfaafb4fb4a99
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_arm.deb
    Size/MD5 checksum:   757356 3a74f9c27504a758b95dfb6ba5fb96a3
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_arm.deb
    Size/MD5 checksum:   782328 40e1890d559f3efb927af1d0bc0c8c6e
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_arm.deb
    Size/MD5 checksum:   750218 82456f7c8a985993fd50eb482f715a70
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_arm.deb
    Size/MD5 checksum:   159216 183adf1413dc30aab0e80c96e8b07d69

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_hppa.deb
    Size/MD5 checksum:   164460 cb4b604568f5f67d219f42423a3871e5
  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_hppa.deb
    Size/MD5 checksum:   183728 04b0a53a277f70ca365662ea80956012
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_hppa.deb
    Size/MD5 checksum:   177964 4e5610dee599cff8118ee190db9a632d
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_hppa.deb
    Size/MD5 checksum:   792842 1bdbcbc1a90f533c7a4937c61eb07097
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_hppa.deb
    Size/MD5 checksum:   811428 5028f1eb54b2eae003f97f38b06ee31e
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_hppa.deb
    Size/MD5 checksum:   786392 41a0d16e111efa9b7693b2ff4b49aae2

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_i386.deb
    Size/MD5 checksum:   759318 e028af09b03561cf80fba28e667619cc
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_i386.deb
    Size/MD5 checksum:   797370 61890674b4ca3d63025aec44330d018a
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_i386.deb
    Size/MD5 checksum:   163196 c4826f28c035963ba7c78bbf02e598fc
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_i386.deb
    Size/MD5 checksum:   765284 dbb49ba6646ccf3b0545246d221727f6
  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_i386.deb
    Size/MD5 checksum:   162952 13ee79189c41390d6123d9f2eceb43d6
  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_i386.deb
    Size/MD5 checksum:   168268 abfd5346cf785ff3c3575e0ff5f45fd3

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_ia64.deb
    Size/MD5 checksum:   217322 60b9e2ed439e2d25efd0a938fed85631
  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_ia64.deb
    Size/MD5 checksum:   174406 3b2820551a8f73b6d0d2fd618611aa8d
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_ia64.deb
    Size/MD5 checksum:   847688 3067d35de833b8fc16bcbac066105fab
  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_ia64.deb
    Size/MD5 checksum:   225286 33446e0073372cbf66d2478d931b4c20
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_ia64.deb
    Size/MD5 checksum:   811428 29c7c73f506b810299b99ec4aa546d23
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_ia64.deb
    Size/MD5 checksum:   837622 0539dc6328d28d866c60aabcc9a54c77

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_mipsel.deb
    Size/MD5 checksum:   809808 74fb469f9dede8bc34e48a4a539e4358
  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_mipsel.deb
    Size/MD5 checksum:   163986 df1acd593c0eeed9a18c3ed8a8a0549e
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_mipsel.deb
    Size/MD5 checksum:   791042 3608d4164968ecf0eb5761ccfa981efb
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_mipsel.deb
    Size/MD5 checksum:   783344 5f6956f17a95ffa849c83847ca68125a
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_mipsel.deb
    Size/MD5 checksum:   165370 2ff41d7e7856497bb33aaf1c42d0cc20
  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_mipsel.deb
    Size/MD5 checksum:   170278 8d0e09a0bdaf30cd225e59d381c6966a

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_powerpc.deb
    Size/MD5 checksum:   165070 a2a95f8b931dd24659e6c17ae6de57e0
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_powerpc.deb
    Size/MD5 checksum:   840286 670575e9107d1665d0123d5b034b09c3
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_powerpc.deb
    Size/MD5 checksum:   780710 f63c169d7ac0a594415ce06fc554d03a
  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_powerpc.deb
    Size/MD5 checksum:   173628 2ef64672347d6ec0f710bfc3c68fb188
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_powerpc.deb
    Size/MD5 checksum:   168912 2b05b6937b6c6bb567e9d77dc1d13ea2
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_powerpc.deb
    Size/MD5 checksum:   773612 4292b8d1c968c17817ccd36149ddbc20

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_s390.deb
    Size/MD5 checksum:   835496 199f0660bb88bf2b5f8572209c4bbcaa
  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_s390.deb
    Size/MD5 checksum:   163122 4c84c66f773accf9da6e6585edcedcc7
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_s390.deb
    Size/MD5 checksum:   773100 10a17910d3a30b7de38a138fd6c3e299
  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_s390.deb
    Size/MD5 checksum:   179504 e83ac479b8e9c5011e28db1f4d58fa14
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_s390.deb
    Size/MD5 checksum:   768068 67cbdd360ed1dbb80824bb6738787c95
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_s390.deb
    Size/MD5 checksum:   172214 c187f5108f5a977f08abf0b4e37471e0

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_sparc.deb
    Size/MD5 checksum:   165032 18e35286ceb1129fbbe7fa1be094c59d
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_sparc.deb
    Size/MD5 checksum:   758474 e5f75c8f4491dd628fa9005e4dfc5cbb
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_sparc.deb
    Size/MD5 checksum:   159890 69c90d7c3aaa79021cfa2ee5ca0c8ca7
  http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_sparc.deb
    Size/MD5 checksum:   162360 de5df99405d29124dcd4b70e3aa60bf7
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_sparc.deb
    Size/MD5 checksum:   765156 963dd337e581b69c4663ade85a44755d
  http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_sparc.deb
    Size/MD5 checksum:   787450 2ed6fb01f7babf43d9bf04aac8ed79d5


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGnnLYwM/Gs81MDZ0RAqEMAJ9SVwtkRq4InvjE1WxoZhNuNuBBMwCfTYFF
UsgKwdu++50iJM4A+60bNxs=
=ncFi
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRp7M6Ch9+71yA2DNAQKhmQP/RvaYVNlO8oEzhFdRqnMCwmVMMVjVrrt3
7F0q0sZ+DDSW1Sid59cq70EZ6QCKfCBwzvutZMOxsvTmoODh2uja5oTFCVvNSRdN
X2wydwBt0JkIBhOBwyIoRkBWtb6ac3HG8clFgVKnWVDKT7Vo9kGGnlQUJD55hwfK
qUoaJ7L8Ds0=
=1SOh
-----END PGP SIGNATURE-----