
Security: Two issues in curl
Name: Two issues in curl
ID: openSUSE-SU-2018:1624-1
Distribution: SUSE
Platforms: openSUSE Leap 15.0
Date: Sat, 9 June 2018, 21:10
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000300
Applications: curl

Original message

   openSUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1624-1
Rating: moderate
References: #1092094 #1092098
Cross-References: CVE-2018-1000300 CVE-2018-1000301
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for curl to version 7.60.0 fixes the following issues:

These security issues were fixed:

- CVE-2018-1000300: Prevent heap-based buffer overflow when closing down
an FTP connection with very long server command replies (bsc#1092094).
- CVE-2018-1000301: Prevent buffer over-read that could have caused reading
data beyond the end of a heap based buffer used to store downloaded RTSP
content (bsc#1092098).

These non-security issues were fixed:

- Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
- Add --haproxy-protocol for the command line tool
- Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses
- FTP: fix typo in recursive callback detection for seeking
- test1208: marked flaky
- HTTP: make header-less responses still count correct body size
- user-agent.d: mention --proxy-header as well
- http2: fixes typo
- cleanup: misc typos in strings and comments
- rate-limit: use three second window to better handle high speeds
- examples/hiperfifo.c: improved
- pause: when changing pause state, update socket state
- curl_version_info.3: fix ssl_version description
- add_handle/easy_perform: clear errorbuffer on start if set
- cmake: add support for brotli
- parsedate: support UT timezone
- vauth/ntlm.h: fix the #ifdef header guard
- lib/curl_path.h: added #ifdef header guard
- vauth/cleartext: fix integer overflow check
- CURLINFO_COOKIELIST.3: made the example not leak memory
- cookie.d: mention that "-" as filename means stdin
- CURLINFO_SSL_VERIFYRESULT.3: fixed the example
- http2: read pending frames (including GOAWAY) in connection-check
- timeval: remove compilation warning by casting
- cmake: avoid warn-as-error during config checks
- travis-ci: enable -Werror for CMake builds
- openldap: fix for NULL return from ldap_get_attribute_ber()
- threaded resolver: track resolver time and set suitable timeout values
- cmake: Add advapi32 as explicit link library for win32
- docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
- test1148: set a fixed locale for the test
- cookies: when reading from a file, only remove_expired once
- cookie: store cookies per top-level-domain-specific hash table
- openssl: RESTORED verify locations when verifypeer==0
- file: restore old behavior for file:////foo/bar URLs
- FTP: allow PASV on IPv6 connections when a proxy is being used
- build-openssl.bat: allow custom paths for VS and perl
- winbuild: make the clean target work without build-type
- build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
- curl: retry on FTP 4xx, ignore other protocols
- configure: detect (and use) sa_family_t
- examples/sftpuploadresume: Fix Windows large file seek
- build: cleanup to fix clang warnings/errors
- winbuild: updated the documentation
- lib: silence null-dereference warnings
- travis: bump to clang 6 and gcc 7
- travis: build libpsl and make builds use it
- proxy: show getenv proxy use in verbose output
- duphandle: make sure CURLOPT_RESOLVE is duplicated
- all: Refactor malloc+memset to use calloc
- checksrc: Fix typo
- system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
- vauth: Fix typo
- ssh: show libSSH2 error code when closing fails
- test1148: tolerate progress updates better
- urldata: make service names unconditional
- configure: keep LD_LIBRARY_PATH changes local
- ntlm_sspi: fix authentication using Credential Manager
- schannel: add client certificate authentication
- winbuild: Support custom devel paths for each dependency
- schannel: add support for CURLOPT_CAINFO
- http2: handle on_begin_headers() called more than once
- openssl: support OpenSSL 1.1.1 verbose-mode trace messages
- openssl: fix subjectAltName check on non-ASCII platforms
- http2: avoid strstr() on data not zero terminated
- http2: clear the "drain counter" when a stream is closed
- http2: handle GOAWAY properly
- tool_help: clarify --max-time unit of time is seconds
- curl.1: clarify that options and URLs can be mixed
- http2: convert an assert to run-time check
- curl_global_sslset: always provide available backends
- ftplistparser: keep state between invokes
- Curl_memchr: zero length input can't match
- examples/sftpuploadresume: typecast fseek argument to long
- examples/http2-upload: expand buffer to avoid silly warning
- ctype: restore character classification for non-ASCII platforms
- mime: avoid NULL pointer dereference risk
- cookies: ensure that we have cookies before writing jar
- os400.c: fix checksrc warnings
- configure: provide --with-wolfssl as an alias for --with-cyassl
- cyassl: adapt to libraries without TLS 1.0 support built-in
- http2: get rid of another strstr
- checksrc: force indentation of lines after an else
- cookies: remove unused macro
- CURLINFO_PROTOCOL.3: mention the existing defined names
- tests: provide 'manual' as a feature to optionally require
- travis: enable libssh2 on both macos and Linux
- CURLOPT_URL.3: added ENCODING section
- wolfssl: Fix non-blocking connect
- vtls: don't define MD5_DIGEST_LENGTH for wolfssl
- docs: remove extraneous commas in man pages
- URL: fix ASCII dependency in strcpy_url and strlen_url
- ssh-libssh.c: fix left shift compiler warning
- configure: only check for CA bundle for file-using SSL backends
- travis: add an mbedtls build
- http: don't set the "rewind" flag when not uploading anything
- configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
- transfer: don't unset writesockfd on setup of multiplexed conns
- vtls: use unified "supports" bitfield member in backends
- URLs: fix one more http url
- travis: add a build using WolfSSL
- openssl: change FILE ops to BIO ops
- travis: add build using NSS
- smb: reject negative file sizes
- cookies: accept parameter names as cookie name
- http2: getsock fix for uploads
- all over: fixed format specifiers
- http2: use the correct function pointer typedef


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-589=1



Package List:

- openSUSE Leap 15.0 (i586 x86_64):

curl-7.60.0-lp150.2.3.1
curl-debuginfo-7.60.0-lp150.2.3.1
curl-debugsource-7.60.0-lp150.2.3.1
curl-mini-7.60.0-lp150.2.3.1
curl-mini-debuginfo-7.60.0-lp150.2.3.1
curl-mini-debugsource-7.60.0-lp150.2.3.1
libcurl-devel-7.60.0-lp150.2.3.1
libcurl-mini-devel-7.60.0-lp150.2.3.1
libcurl4-7.60.0-lp150.2.3.1
libcurl4-debuginfo-7.60.0-lp150.2.3.1
libcurl4-mini-7.60.0-lp150.2.3.1
libcurl4-mini-debuginfo-7.60.0-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libcurl-devel-32bit-7.60.0-lp150.2.3.1
libcurl4-32bit-7.60.0-lp150.2.3.1
libcurl4-32bit-debuginfo-7.60.0-lp150.2.3.1


References:

https://www.suse.com/security/cve/CVE-2018-1000300.html
https://www.suse.com/security/cve/CVE-2018-1000301.html
https://bugzilla.suse.com/1092094
https://bugzilla.suse.com/1092098
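
To confirm that the update took effect, the installed packages can be compared against the fixed version-release from the package list above. The following is an added example, not part of the original advisory; the function names and the sample inventory are constructed for illustration, and `sort -V` is assumed to be an adequate stand-in for RPM's own version comparison for these strings.

```shell
#!/bin/sh
# Fixed version-release, taken from the advisory's package list.
FIXED="7.60.0-lp150.2.3.1"

# Non-debug packages named in the advisory.
ADVISORY_PKGS="curl curl-mini libcurl-devel libcurl-mini-devel libcurl4 \
libcurl4-mini libcurl-devel-32bit libcurl4-32bit"

# ver_lt A B: succeed if A sorts strictly before B under GNU sort -V.
# Assumption: this ordering approximates RPM's comparison for these strings.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# find_unpatched: read "name version-release" lines on stdin and print the
# advisory packages that are still older than FIXED.
find_unpatched() {
    while read -r name vr; do
        for p in $ADVISORY_PKGS; do
            if [ "$name" = "$p" ] && ver_lt "$vr" "$FIXED"; then
                echo "$name $vr"
            fi
        done
    done
}

# Constructed sample inventory (not real system output): two packages
# older than the fix, one at the fix, one newer, one unrelated.
sample_inventory() {
    cat <<'EOF'
curl 7.59.0-lp150.1.2
libcurl4 7.60.0-lp150.2.3.1
libcurl4-32bit 7.59.0-lp150.1.2
wget 1.19.5-lp150.1.1
libcurl-devel 7.60.0-lp150.2.6.1
EOF
}

# On a real system, feed the RPM database instead of the sample:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | find_unpatched
sample_inventory | find_unpatched
```

Any line printed names a package that still needs "zypper patch"; empty output means every listed package is at or above the fixed build.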
