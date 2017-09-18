




- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Gentoo Linux Security Advisory GLSA 201709-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

https://security.gentoo.org/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Severity: Normal

Title: cURL: Multiple vulnerabilities

Date: September 17, 2017

Bugs: #615870, #615994, #626776

ID: 201709-14



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Synopsis

========



Multiple vulnerabilities have been found in cURL, the worst of which

may allow attackers to bypass intended restrictions.



Background

==========



cURL is a tool and libcurl is a library for transferring data with URL

syntax.



Affected packages

=================



    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/curl                < 7.55.1                  >= 7.55.1



Description

===========



Multiple vulnerabilities have been discovered in cURL. Please review

the CVE identifiers referenced below for details.



Impact

======



Remote attackers could cause a Denial of Service condition, obtain

sensitive information, or bypass intended restrictions for TLS

sessions.



Workaround

==========



There is no known workaround at this time.



Resolution

==========



All cURL users should upgrade to the latest version:



# emerge --sync

# emerge --ask --oneshot --verbose ">=net-misc/curl-7.55.1"
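
To confirm whether a host still needs the upgrade, the following added example (not part of the Gentoo advisory) compares the versions reported by `curl --version` against the fixed version 7.55.1 from the table above. It assumes the usual first-line layout of that output; the function names and the sample line are constructed for illustration.

```shell
#!/bin/sh
# First fixed version, from the advisory's "Affected packages" table.
FIXED_VERSION="7.55.1"

# Constructed sample of the first line of `curl --version` on an unpatched host.
SAMPLE_OLD='curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2k zlib/1.2.11'

# Print the tool version and the linked libcurl version, one per line.
# The two can differ when the binary and the shared library are updated separately.
parse_versions() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "curl" {
        print $2
        for (i = 3; i <= NF; i++)
            if ($i ~ /^libcurl\//) { sub(/^libcurl\//, "", $i); print $i }
    }'
}

# Succeed (exit 0) when dotted version $1 is strictly lower than $2.
# Components are compared numerically, so 7.9.8 sorts below 7.55.1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify `curl --version` text as vulnerable, unaffected or unknown.
glsa_status() {
    versions=$(parse_versions "$1")
    [ -n "$versions" ] || { echo unknown; return 0; }
    for v in $versions; do
        if version_lt "$v" "$FIXED_VERSION"; then echo vulnerable; return 0; fi
    done
    echo unaffected
}

# Check this host; prints "unknown" if curl is not installed.
glsa_status "$(curl --version 2>/dev/null)"
```

A result of "vulnerable" for either the tool or libcurl means the upgrade above is still required; statically linked copies of libcurl in other software are not covered by this check.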



References

==========



[ 1 ] CVE-2017-1000099

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000099

[ 2 ] CVE-2017-1000100

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000100

[ 3 ] CVE-2017-1000101

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000101

[ 4 ] CVE-2017-7407

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7407

[ 5 ] CVE-2017-7468

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7468



Availability

============



This GLSA and any updates to it are available for viewing at

the Gentoo Security Website:



https://security.gentoo.org/glsa/201709-14



Concerns?

=========



Security is a primary focus of Gentoo Linux and ensuring the

confidentiality and security of our users' machines is of utmost

importance to us. Any security concerns should be addressed to

security@gentoo.org or alternatively, you may file a bug at

https://bugs.gentoo.org.



License

=======



Copyright 2017 Gentoo Foundation, Inc; referenced text

belongs to its owner(s).



The contents of this document are licensed under the

Creative Commons - Attribution / Share Alike license.



http://creativecommons.org/licenses/by-sa/2.5


