openSUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:1624-1
Rating:             moderate
References:         #1092094 #1092098 
Cross-References:   CVE-2018-1000300 CVE-2018-1000301
Affected Products:
                    openSUSE Leap 15.0
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for curl to version 7.60.0 fixes the following issues:

   These security issues were fixed:

   - CVE-2018-1000300: Prevent heap-based buffer overflow when closing down
     an FTP connection with very long server command replies (bsc#1092094).
   - CVE-2018-1000301: Prevent buffer over-read that could have caused reading
     data beyond the end of a heap based buffer used to store downloaded RTSP
     content (bsc#1092098).

   These non-security issues were fixed:

   - Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
   - Add --haproxy-protocol for the command line tool
   - Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses
   - FTP: fix typo in recursive callback detection for seeking
   - test1208: marked flaky
   - HTTP: make header-less responses still count correct body size
   - user-agent.d:: mention --proxy-header as well
   - http2: fixes typo
   - cleanup: misc typos in strings and comments
   - rate-limit: use three second window to better handle high speeds
   - examples/hiperfifo.c: improved
   - pause: when changing pause state, update socket state
   - curl_version_info.3: fix ssl_version description
   - add_handle/easy_perform: clear errorbuffer on start if set
   - cmake: add support for brotli
   - parsedate: support UT timezone
   - vauth/ntlm.h: fix the #ifdef header guard
   - lib/curl_path.h: added #ifdef header guard
   - vauth/cleartext: fix integer overflow check
   - CURLINFO_COOKIELIST.3: made the example not leak memory
   - cookie.d: mention that "-" as filename means stdin
   - CURLINFO_SSL_VERIFYRESULT.3: fixed the example
   - http2: read pending frames (including GOAWAY) in connection-check
   - timeval: remove compilation warning by casting
   - cmake: avoid warn-as-error during config checks
   - travis-ci: enable -Werror for CMake builds
   - openldap: fix for NULL return from ldap_get_attribute_ber()
   - threaded resolver: track resolver time and set suitable timeout values
   - cmake: Add advapi32 as explicit link library for win32
   - docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
   - test1148: set a fixed locale for the test
   - cookies: when reading from a file, only remove_expired once
   - cookie: store cookies per top-level-domain-specific hash table
   - openssl: RESTORED verify locations when verifypeer==0
   - file: restore old behavior for file:////foo/bar URLs
   - FTP: allow PASV on IPv6 connections when a proxy is being used
   - build-openssl.bat: allow custom paths for VS and perl
   - winbuild: make the clean target work without build-type
   - build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
   - curl: retry on FTP 4xx, ignore other protocols
   - configure: detect (and use) sa_family_t
   - examples/sftpuploadresume: Fix Windows large file seek
   - build: cleanup to fix clang warnings/errors
   - winbuild: updated the documentation
   - lib: silence null-dereference warnings
   - travis: bump to clang 6 and gcc 7
   - travis: build libpsl and make builds use it
   - proxy: show getenv proxy use in verbose output
   - duphandle: make sure CURLOPT_RESOLVE is duplicated
   - all: Refactor malloc+memset to use calloc
   - checksrc: Fix typo
   - system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
   - vauth: Fix typo
   - ssh: show libSSH2 error code when closing fails
   - test1148: tolerate progress updates better
   - urldata: make service names unconditional
   - configure: keep LD_LIBRARY_PATH changes local
   - ntlm_sspi: fix authentication using Credential Manager
   - schannel: add client certificate authentication
   - winbuild: Support custom devel paths for each dependency
   - schannel: add support for CURLOPT_CAINFO
   - http2: handle on_begin_headers() called more than once
   - openssl: support OpenSSL 1.1.1 verbose-mode trace messages
   - openssl: fix subjectAltName check on non-ASCII platforms
   - http2: avoid strstr() on data not zero terminated
   - http2: clear the "drain counter" when a stream is closed
   - http2: handle GOAWAY properly
   - tool_help: clarify --max-time unit of time is seconds
   - curl.1: clarify that options and URLs can be mixed
   - http2: convert an assert to run-time check
   - curl_global_sslset: always provide available backends
   - ftplistparser: keep state between invokes
   - Curl_memchr: zero length input can't match
   - examples/sftpuploadresume: typecast fseek argument to long
   - examples/http2-upload: expand buffer to avoid silly warning
   - ctype: restore character classification for non-ASCII platforms
   - mime: avoid NULL pointer dereference risk
   - cookies: ensure that we have cookies before writing jar
   - os400.c: fix checksrc warnings
   - configure: provide --with-wolfssl as an alias for --with-cyassl
   - cyassl: adapt to libraries without TLS 1.0 support built-in
   - http2: get rid of another strstr
   - checksrc: force indentation of lines after an else
   - cookies: remove unused macro
   - CURLINFO_PROTOCOL.3: mention the existing defined names
   - tests: provide 'manual' as a feature to optionally require
   - travis: enable libssh2 on both macos and Linux
   - CURLOPT_URL.3: added ENCODING section
   - wolfssl: Fix non-blocking connect
   - vtls: don't define MD5_DIGEST_LENGTH for wolfssl
   - docs: remove extraneous commas in man pages
   - URL: fix ASCII dependency in strcpy_url and strlen_url
   - ssh-libssh.c: fix left shift compiler warning
   - configure: only check for CA bundle for file-using SSL backends
   - travis: add an mbedtls build
   - http: don't set the "rewind" flag when not uploading anything
   - configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
   - transfer: don't unset writesockfd on setup of multiplexed conns
   - vtls: use unified "supports" bitfield member in backends
   - URLs: fix one more http url
   - travis: add a build using WolfSSL
   - openssl: change FILE ops to BIO ops
   - travis: add build using NSS
   - smb: reject negative file sizes
   - cookies: accept parameter names as cookie name
   - http2: getsock fix for uploads
   - all over: fixed format specifiers
   - http2: use the correct function pointer typedef


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.0:

      zypper in -t patch openSUSE-2018-589=1
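
   To confirm the patch actually landed, the following added example (not part of the original advisory) checks an RPM inventory against the fixed version-release from this advisory's package list. The function names, the `sort -V` comparison and the sample inventory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an RPM inventory against this advisory's fixed build.
FIXED="7.60.0-lp150.2.3.1"   # version-release from the advisory's Package List
# Runtime packages named in the advisory (debuginfo/devel packages omitted).
PKGS="curl curl-mini libcurl4 libcurl4-mini libcurl4-32bit"

# ver_ge A B: succeed if A >= B. GNU `sort -V` approximates rpm's ordering
# for plain dotted version-release strings like the ones used here.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# audit_curl: read "name version-release" lines on stdin, report every
# advisory package below FIXED, and return 1 if any was found.
audit_curl() {
    vulnerable=0
    while read -r name vr; do
        case " $PKGS " in
            *" $name "*) ;;
            *) continue ;;
        esac
        if ! ver_ge "$vr" "$FIXED"; then
            echo "VULNERABLE $name $vr (fixed in $FIXED)"
            vulnerable=1
        fi
    done
    return "$vulnerable"
}

# Constructed sample inventory (older versions are made up for illustration).
SAMPLE='curl 7.59.0-lp150.1.2
libcurl4 7.60.0-lp150.2.3.1
libcurl4-32bit 7.59.0-lp150.1.2
bash 4.4-lp150.7.8'

# On a real host, feed it:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_curl
printf '%s\n' "$SAMPLE" | audit_curl || echo "openSUSE-2018-589 not fully applied"
```

   A mixed result like the sample's (libcurl4 updated, curl and libcurl4-32bit not) is the case worth catching: applications linked against the 32-bit library stay exposed until every listed package is at the fixed build.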



Package List:

   - openSUSE Leap 15.0 (i586 x86_64):

      curl-7.60.0-lp150.2.3.1
      curl-debuginfo-7.60.0-lp150.2.3.1
      curl-debugsource-7.60.0-lp150.2.3.1
      curl-mini-7.60.0-lp150.2.3.1
      curl-mini-debuginfo-7.60.0-lp150.2.3.1
      curl-mini-debugsource-7.60.0-lp150.2.3.1
      libcurl-devel-7.60.0-lp150.2.3.1
      libcurl-mini-devel-7.60.0-lp150.2.3.1
      libcurl4-7.60.0-lp150.2.3.1
      libcurl4-debuginfo-7.60.0-lp150.2.3.1
      libcurl4-mini-7.60.0-lp150.2.3.1
      libcurl4-mini-debuginfo-7.60.0-lp150.2.3.1

   - openSUSE Leap 15.0 (x86_64):

      libcurl-devel-32bit-7.60.0-lp150.2.3.1
      libcurl4-32bit-7.60.0-lp150.2.3.1
      libcurl4-32bit-debuginfo-7.60.0-lp150.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2018-1000300.html
   https://www.suse.com/security/cve/CVE-2018-1000301.html
   https://bugzilla.suse.com/1092094
   https://bugzilla.suse.com/1092098

-- 

openSUSE: 2018:1624-1: moderate: curl

June 9, 2018