JFYI.
PS: What a nice bug id. Any awards for me? ;-)
-------- Original Message --------
Subject: [Bug 1234] New: Security flaws in cURL 7.13.0
Date: Thu, 24 Feb 2005 00:23:16 -0700 (MST)
From: [EMAIL PROTECTED]
Reply-To: BLFS Book Maintenance List <[email protected]>
To: [email protected]
http://blfs-bugs.linuxfromscratch.org/show_bug.cgi?id=1234
Summary: Security flaws in cURL 7.13.0
Product: Beyond LinuxFromScratch
Version: SVN
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P1
Component: BOOK
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
QAContact: [email protected]
There are two security leaks in the current version of cURL.
http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities&flashstatus=false
http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities
iDefense only verified version 7.12.1 but the cURL news page doesn't state
explicitly that 7.13.0 is clean.
http://curl.haxx.se/news.html
Unfortunately there seems to be only one official patch for the first issue
(NTLM authentication).
http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.36&r2=1.37
The date of revision 1.36 confirms the suspicion that even the current version
is affected.
The second issue (kerberos authentication) seems to be still unpatched. At least
there is a suggestion on the website from iDefense. (see upper links)
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
You are the QA contact for the bug, or are watching the QA contact.
--
http://linuxfromscratch.org/mailman/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
--
http://linuxfromscratch.org/mailman/listinfo/lfs-security
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page