On 18/02/15 16:07, Patrick Rael wrote:
Hi, I need to confirm if the CVE-2014-0139 fix is in libcurl. Normally we do this by checking the rpm changelog for CVEs; it did find CVE-2014-0138, but I can't get confirmation for 0139. I see lots of comments about fixes that were checked into github and showing actual lines added, but nothing in the changelog, so I can't confirm it.

# cat /etc/centos-release
CentOS release 6.6 (Final)
# rpm -qa | grep curl
libcurl-7.19.7-40.el6_6.4.x86_64
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-40.el6_6.4.x86_64
# rpm -q libcurl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
- fix connection re-use when using different log-in credentials (CVE-2014-0138)
# rpm -q curl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
- fix connection re-use when using different log-in credentials (CVE-2014-0138)

Note: CentOS rpm versions don't match the redhat rpm versions; that's why we use the changelog to check for the fix.
This is news to me. In what way are they different?
Thanks for any help!
CVE-2014-0139 does not affect EL-6 because it uses the NSS backend: https://bugzilla.redhat.com/show_bug.cgi?id=1079149#c8

Paul.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
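An added example, not code from the thread or from the curl project, that scripts the two checks the exchange above turns on: grepping an RPM changelog for CVE ids (what the poster did by hand), and reading the TLS backend out of the first line of `curl --version`, because a CVE that only applies to a different backend will never show up in the changelog even though the package is not affected. The changelog text and the version banner below are constructed samples chosen to match the 7.19.7 / NSS build quoted in the thread (only the CVE-2014-0138 changelog line is taken from the thread; the NSS version number is made up); on a real host feed it `rpm -q libcurl --changelog` and `curl --version` as shown in the comment at the bottom.

```shell
#!/bin/sh
# Added example: check an RPM changelog for CVE ids and identify the TLS
# backend, so "not in the changelog" can be separated from "does not apply".

# Constructed sample of `rpm -q libcurl --changelog` output. Not the real
# changelog; only the CVE-2014-0138 line is quoted from the mailing-list post.
SAMPLE_CHANGELOG='* example entry 7.19.7-40.el6_6.4
- fix connection re-use when using different log-in credentials (CVE-2014-0138)
- other changes without a CVE id
'

# Constructed sample first line of `curl --version` on such a host. The field
# layout is the real one; the NSS version number here is made up.
SAMPLE_VERSION='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16 zlib/1.2.3 libidn/1.18 libssh2/1.4.2'

# Print every CVE id mentioned in changelog text read on stdin, one per line,
# deduplicated (GNU grep -o, present on any rpm-based host).
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the changelog text on stdin mentions CVE id $1, 1 otherwise.
# The trailing (non-digit|end) keeps CVE-2014-013 from matching CVE-2014-0138.
changelog_has_cve() {
    grep -qE -- "$1([^0-9]|\$)"
}

# Print the TLS backend name (NSS, OpenSSL, GnuTLS, ...) from a `curl --version`
# first line: the token after "libcurl/x.y.z" is the backend as NAME/version.
tls_backend() {
    printf '%s\n' "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i ~ /^libcurl\//) { print $(i + 1); exit } }' \
        | cut -d/ -f1
}

# check_cves CHANGELOG_TEXT BACKEND CVE...: one verdict line per CVE id.
# Returns 0 when every id was found in the changelog, 1 otherwise.
check_cves() {
    changelog=$1; backend=$2; shift 2
    rc=0
    for cve in "$@"; do
        if printf '%s' "$changelog" | changelog_has_cve "$cve"; then
            echo "$cve: fixed (in changelog)"
        else
            echo "$cve: NOT in changelog - check whether it applies to the $backend backend"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed samples. On a real EL-6 host run instead:
#   check_cves "$(rpm -q libcurl --changelog)" \
#       "$(tls_backend "$(curl --version | head -n 1)")" CVE-2014-0138 CVE-2014-0139
check_cves "$SAMPLE_CHANGELOG" "$(tls_backend "$SAMPLE_VERSION")" CVE-2014-0138 CVE-2014-0139 || true
```

The second verdict line is deliberately not a verdict: an id absent from the changelog means only that the package maintainer did not ship a change under that id, and the next step is the distribution's bug tracker (here the Red Hat bugzilla comment Paul linked), not an assumption that the build is vulnerable.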
