[slackware-security] curl (SSA:2013-038-01)
New curl packages are available for Slackware 14.0, and -current to
fix a security issue.
Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/curl-7.29.0-i486-1_slack14.0.txz: Upgraded.
When negotiating SASL DIGEST-MD5 authentication, the function
Curl_sasl_create_digest_md5_message() uses the data provided from the
server without doing the proper length checks and that data is then
appended to a local fixed-size buffer on the stack. This vulnerability
can be exploited by someone who is in control of a server that a libcurl
based program is accessing with POP3, SMTP or IMAP. For applications
that accept user provided URLs, it is also thinkable that a malicious
user would feed an application with a URL to a server hosting code
targeting this flaw.
Affected versions: curl 7.26.0 to and including 7.28.1
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0249
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/curl-7.29.0-i48
6-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/curl-7.29.0-x
86_64-1_slack14.0.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/curl-7.29.0-i486-
1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/curl-7.29.0-x
86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
f235fe8f505ce0f3436fdea3625c3bdf curl-7.29.0-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f7359f77338c2475e654ff2c0204210e curl-7.29.0-x86_64-1_slack14.0.txz
Slackware -current package:
eff523206400dde2b50bd4b20fbf0e64 n/curl-7.29.0-i486-1.txz
Slackware x86_64 -current package:
8dccef537d72d7297e4907db7cd160ef n/curl-7.29.0-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg curl-7.29.0-i486-1_slack14.0.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
Spotlight
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Is Microsoft is reading your Skype communications?
Posted on 15 May 2013. | The question of whether Skype allows U.S. intelligence and law enforcement agencies to access the communications exchanged by its users has still not been adequately answered by Microsoft.
Internet Explorer best at blocking malware
Posted on 14 May 2013. | While Chrome’s malware download protection improved significantly, Internet Explorer 10 continues to outperform the other browsers with a block rate of 99.96%.
Researcher refuses to help Saudi telco to spy on people
Posted on 14 May 2013. | You would think that a Saudi Arabian telecom firm interested in monitoring its users' mobile communications would not be asking a well-known pro-privacy researcher for help, but you would be wrong.
Malicious browser extensions are hijacking Facebook accounts
Posted on 13 May 2013. | Facebook users - especially those in Brazil - are being targeted with malicious browser extensions trying to hijack Facebook profiles, warns Microsoft.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
