curl-7.19.7-46.AXS4
Errata ID: AXSA:2015-432:02
cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS,
DICT, TELNET and TFTP servers, using any of the supported protocols.
cURL is designed to work without user interaction or any kind of
interactivity. cURL offers many useful capabilities, like proxy support,
user authentication, FTP upload, HTTP post, and file transfer resume.
Security issues fixed with this release:
CVE-2014-3613
CVE-2014-3707
CVE-2014-8150
CVE-2015-3143
CVE-2015-3148
Fixed bugs:
* An out-of-protocol fallback to SSL version 3.0 (SSLv3.0) was available with
libcurl. Attackers could abuse the fallback to force downgrade of the SSL
version. To fix this bug, the fallback has been removed from libcurl.
* A single upload transfer through the FILE protocol opened the destination file
twice. If the inotify kernel subsystem monitored the file, two events were
produced unnecessarily.
* Utilities using libcurl for SCP/SFTP transfers could terminate unexpectedly
when the system was running in FIPS mode.
* Using the "--retry" option with the curl utility could cause curl to terminate
unexpectedly with a segmentation fault. Now, adding "--retry" no longer causes
curl to crash.
* The "curl --trace-time" command did not use the correct local time when
printing timestamps. This update fixes the problem.
* The valgrind utility could report dynamically allocated memory leaks on curl
exit. With this update, the bug has been fixed.
* Previously, libcurl returned an incorrect value of the CURLINFO_HEADER_SIZE
field when a proxy server appended its own headers to the HTTP response. The problem
has been fixed with this update.
Enhancements:
* The "--tlsv1.0", "--tlsv1.1", and "--tlsv1.2" options are available for
specifying the minor version of the TLS protocol to be negotiated by NSS. The
"--tlsv1" option now negotiates the highest version of the TLS protocol
supported by both the client and the server.
* It is now possible to explicitly enable or disable the ECC and the new AES
cipher suites to be used for TLS.
Update packages.
CVE-2014-3613: cURL and libcurl before 7.38.0 do not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
CVE-2014-3707: The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
CVE-2014-8150: CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
CVE-2015-3143: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.
CVE-2015-3148: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
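The cookie-domain issue described above (192.168.0.1 versus 127.168.0.1), as an added example that is not libcurl's code and not part of the original advisory: a simplified, hypothetical matcher that applies suffix matching to every host, beside a stricter one that requires an exact match when the request host is an IP literal. The function names and the cookie Domain value ".168.0.1" are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* True when host parses as an IPv4 or IPv6 address literal. */
static bool is_ip_literal(const char *host)
{
    unsigned char buf[16];             /* large enough for an IPv6 address */
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

/* Case-insensitive suffix match on a label boundary: the cookie domain
 * must equal the host, or follow a '.' inside it. */
static bool suffix_match(const char *domain, const char *host)
{
    size_t dlen, hlen = strlen(host);
    if (*domain == '.') domain++;      /* a leading dot is ignored */
    dlen = strlen(domain);
    if (dlen == 0 || dlen > hlen || strcasecmp(domain, host + hlen - dlen) != 0)
        return false;
    return dlen == hlen || host[hlen - dlen - 1] == '.';
}

/* Weak form: suffix matching for every host, so "168.0.1" is accepted as
 * a parent "domain" of any address that ends in .168.0.1. */
bool match_weak(const char *domain, const char *host)
{
    return suffix_match(domain, host);
}

/* Hardened form: an IP-literal host matches only the identical address;
 * suffix matching is kept for DNS names. */
bool match_strict(const char *domain, const char *host)
{
    if (is_ip_literal(host))
        return strcmp(domain, host) == 0;
    return suffix_match(domain, host);
}

int main(void)
{
    const char *dom = ".168.0.1";      /* constructed cookie Domain value */
    const char *a = "192.168.0.1", *b = "127.168.0.1";
    printf("weak:   %d %d\n", match_weak(dom, a), match_weak(dom, b));
    printf("strict: %d %d\n", match_strict(dom, a), match_strict(dom, b));
    return 0;
}
```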
SRPMS
- curl-7.19.7-46.AXS4.src.rpm
MD5: da2915956f4e9b20fc28d036d1ead9d7
SHA-256: 7eb638c4fede9468034034727098f790ed10d782924e07ea9afaa61c7d6b46cb
Size: 2.06 MB
Asianux Server 4 for x86
- curl-7.19.7-46.AXS4.i686.rpm
MD5: e319d3c9317a4704926634f22d2f87ef
SHA-256: 6f1e3b75f5c5000fcc106bebf7bd4c7f583ad196fb7d2e8874669eeb19b2ef4c
Size: 195.49 kB
- libcurl-7.19.7-46.AXS4.i686.rpm
MD5: 93d51d00bb638d1f7cb13dd1bf8ca29d
SHA-256: 9813c56f03e693e59d3ecedcc59cefe52b012c57a364b81183d154b66bff540d
Size: 174.75 kB
- libcurl-devel-7.19.7-46.AXS4.i686.rpm
MD5: 65d24d4f13f6b311f72da8e1faf4b136
SHA-256: bb252be00e54b7d49d5f2aafb13a976d0ee72090c1f84e5fcc9597732f19c89e
Size: 245.83 kB
Asianux Server 4 for x86_64
- curl-7.19.7-46.AXS4.x86_64.rpm
MD5: f735a51395e7c5b2e5c1ef88fdc680d1
SHA-256: 5d51118bc88e75a6a75570e94b5ff6a3e6b1a9906def5e4efd4f18d8c76a377b
Size: 195.08 kB
- libcurl-7.19.7-46.AXS4.x86_64.rpm
MD5: 38f67ff5aa0bf7c759f8f1e704ca0988
SHA-256: f8d4f74fe81f2a754df2ffc3cfba856ebecc82c2f8bc41bbb7b13c945159edec
Size: 167.52 kB
- libcurl-devel-7.19.7-46.AXS4.x86_64.rpm
MD5: 7c45fc438cfb031a3070c0c81df607be
SHA-256: 3e51a343e41490664ce17e4edbd516a68fe61189cf6572d3a5b8f25bc624b40c
Size: 245.39 kB
- libcurl-7.19.7-46.AXS4.i686.rpm
MD5: 93d51d00bb638d1f7cb13dd1bf8ca29d
SHA-256: 9813c56f03e693e59d3ecedcc59cefe52b012c57a364b81183d154b66bff540d
Size: 174.75 kB
- libcurl-devel-7.19.7-46.AXS4.i686.rpm
MD5: 65d24d4f13f6b311f72da8e1faf4b136
SHA-256: bb252be00e54b7d49d5f2aafb13a976d0ee72090c1f84e5fcc9597732f19c89e
Size: 245.83 kB