On 02/18/2015 09:47 AM, Paul Howarth wrote:
> On 18/02/15 16:07, Patrick Rael wrote:
>> Hi,
>> I need to confirm if the CVE-2014-0139 fix is in libcurl. Normally we do this
>> by checking the rpm changelog for CVEs; that did find CVE-2014-0138, but I
>> can't get confirmation for 0139. I see lots of comments about fixes that were
>> checked into GitHub, showing the actual lines added, but nothing in the
>> changelog, so I can't confirm it.
>>
>> # cat /etc/centos-release
>> CentOS release 6.6 (Final)
>> # rpm -qa | grep curl
>> libcurl-7.19.7-40.el6_6.4.x86_64
>> python-pycurl-7.19.0-8.el6.x86_64
>> curl-7.19.7-40.el6_6.4.x86_64
>> # rpm -q libcurl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
>> - fix connection re-use when using different log-in credentials (CVE-2014-0138)
>> # rpm -q curl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
>> - fix connection re-use when using different log-in credentials (CVE-2014-0138)
>>
>> Note: CentOS rpm versions don't match the Red Hat rpm versions; that's why we
>> use the changelog to check for the fix.
>
> This is news to me. In what way are they different?
>
>> Thanks for any help!
>
> CVE-2014-0139 does not affect EL-6 because it uses the NSS backend:
> https://bugzilla.redhat.com/show_bug.cgi?id=1079149#c8

This is good info. I checked ldd of libcurl and see it is linked against
libssl, libcrypto (openssl), and libnss3. I had missed the libnss3 earlier.
Since it links against that, I see we're not vulnerable.

Thanks!

> Paul.
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

--
Patrick Rael
Contractor, Lumeta Corporation
Network Situational Awareness
Phone: 703-298-3276
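The two checks discussed in this thread, grepping the RPM changelog for a CVE id and then confirming which TLS backend the libcurl build uses before concluding that a backend-specific CVE is "missing", combined into one script. This is an added example, not code from the curl project or from either poster. The changelog text and the `curl -V` version line below are constructed samples standing in for `rpm -q libcurl --changelog` and `curl -V | head -n 1` on a real host, and the affected-backend list passed to `cve_status` is an illustrative argument, not the list from any curl advisory.

```shell
#!/bin/sh
# Added example for this thread (not code from the curl project or the posters).
# Two checks for a distro-patched libcurl: does the RPM changelog name the CVE,
# and which TLS backend was libcurl built against? A backend-specific CVE can be
# absent from the changelog simply because that build is not affected.
#
# Sample inputs are CONSTRUCTED for this example. On a real host use the output
# of `rpm -q libcurl --changelog` and `curl -V | head -n 1` instead.

SAMPLE_CHANGELOG='* Mon Jan 05 2015 Packager <packager@example.com> - 7.19.7-40.4
- fix connection re-use when using different log-in credentials (CVE-2014-0138)
- fix an unrelated issue (CVE-2013-2174)
* Mon Jan 06 2014 Packager <packager@example.com> - 7.19.7-37
- initial build'

SAMPLE_CURL_V='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2'

# changelog_has_cve CHANGELOG CVE-ID
# Status 0 if the CVE id appears as a whole token ("CVE-2014-0138" must not
# match "CVE-2014-01389"); prints the matching changelog lines.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -E "(^|[^0-9])$2([^0-9]|\$)"
}

# tls_backend CURL_V_FIRST_LINE
# Prints the TLS backend name from the curl version line, where each linked
# feature library appears as NAME/VERSION; empty if none is recognised.
tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' \
      | grep -E '^(OpenSSL|LibreSSL|BoringSSL|NSS|GnuTLS|PolarSSL|mbedTLS|CyaSSL|wolfSSL|axTLS|SecureTransport|WinSSL|Schannel|qsossl|gskit)/' \
      | head -n 1 | cut -d/ -f1
}

# cve_status CHANGELOG CURL_V_FIRST_LINE CVE-ID "BACKEND1 BACKEND2 ..."
# Prints one of:
#   fixed         - the changelog names the CVE
#   not-affected  - no changelog entry, but the build's backend is not in the
#                   affected list (the CVE-2014-0139 on NSS case in the thread)
#   unconfirmed   - no changelog entry and the backend is affected or unknown;
#                   this needs a human to check the vendor bug, not a grep
cve_status() {
    if changelog_has_cve "$1" "$3" >/dev/null; then
        echo fixed
        return 0
    fi
    backend=$(tls_backend "$2")
    if [ -z "$backend" ]; then
        echo unconfirmed
        return 1
    fi
    for b in $4; do
        if [ "$b" = "$backend" ]; then
            echo unconfirmed
            return 1
        fi
    done
    echo not-affected
    return 0
}

# Illustrative affected-backend list for the demo only; take the real list
# from the curl advisory for the CVE you are checking.
AFFECTED='OpenSSL'
for cve in CVE-2014-0138 CVE-2014-0139; do
    printf '%s: %s (backend: %s)\n' "$cve" \
        "$(cve_status "$SAMPLE_CHANGELOG" "$SAMPLE_CURL_V" "$cve" "$AFFECTED")" \
        "$(tls_backend "$SAMPLE_CURL_V")"
done
```

On the sample input the loop reports CVE-2014-0138 as fixed and CVE-2014-0139 as not-affected, with NSS as the backend. Reading the backend from `curl -V` is less ambiguous than reading it from `ldd`, which in the thread lists both libssl and libnss3 against the same libcurl; the version line names the backend libcurl was actually built to use. Note that an empty or unrecognised backend deliberately yields "unconfirmed" rather than "not-affected", so a parsing gap cannot turn into a false all-clear.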