<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for curl</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2018:1624-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2018-06-09T07:40:09Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2018-06-09T07:40:09Z</InitialReleaseDate>
    <CurrentReleaseDate>2018-06-09T07:40:09Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for curl</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for curl to version 7.60.0 fixes the following issues:

These security issues were fixed:

- CVE-2018-1000300: Prevent heap-based buffer overflow when closing down an FTP
  connection with very long server command replies (bsc#1092094).
- CVE-2018-1000301: Prevent a buffer over-read that could cause reading data
  beyond the end of a heap-based buffer used to store downloaded RTSP content
  (bsc#1092098).

These non-security issues were fixed:

- Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
- Add --haproxy-protocol for the command line tool
- Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses
- FTP: fix typo in recursive callback detection for seeking
- test1208: marked flaky
- HTTP: make header-less responses still count correct body size
- user-agent.d: mention --proxy-header as well
- http2: fixes typo
- cleanup: misc typos in strings and comments
- rate-limit: use three second window to better handle high speeds
- examples/hiperfifo.c: improved
- pause: when changing pause state, update socket state
- curl_version_info.3: fix ssl_version description
- add_handle/easy_perform: clear errorbuffer on start if set
- cmake: add support for brotli
- parsedate: support UT timezone
- vauth/ntlm.h: fix the #ifdef header guard
- lib/curl_path.h: added #ifdef header guard
- vauth/cleartext: fix integer overflow check
- CURLINFO_COOKIELIST.3: made the example not leak memory
- cookie.d: mention that "-" as filename means stdin
- CURLINFO_SSL_VERIFYRESULT.3: fixed the example
- http2: read pending frames (including GOAWAY) in connection-check
- timeval: remove compilation warning by casting
- cmake: avoid warn-as-error during config checks
- travis-ci: enable -Werror for CMake builds
- openldap: fix for NULL return from ldap_get_attribute_ber()
- threaded resolver: track resolver time and set suitable timeout values
- cmake: Add advapi32 as explicit link library for win32
- docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
- test1148: set a fixed locale for the test
- cookies: when reading from a file, only remove_expired once
- cookie: store cookies per top-level-domain-specific hash table
- openssl: RESTORED verify locations when verifypeer==0
- file: restore old behavior for file:////foo/bar URLs
- FTP: allow PASV on IPv6 connections when a proxy is being used
- build-openssl.bat: allow custom paths for VS and perl
- winbuild: make the clean target work without build-type
- build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
- curl: retry on FTP 4xx, ignore other protocols
- configure: detect (and use) sa_family_t
- examples/sftpuploadresume: Fix Windows large file seek
- build: cleanup to fix clang warnings/errors
- winbuild: updated the documentation
- lib: silence null-dereference warnings
- travis: bump to clang 6 and gcc 7
- travis: build libpsl and make builds use it
- proxy: show getenv proxy use in verbose output
- duphandle: make sure CURLOPT_RESOLVE is duplicated
- all: Refactor malloc+memset to use calloc
- checksrc: Fix typo
- system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
- vauth: Fix typo
- ssh: show libSSH2 error code when closing fails
- test1148: tolerate progress updates better
- urldata: make service names unconditional
- configure: keep LD_LIBRARY_PATH changes local
- ntlm_sspi: fix authentication using Credential Manager
- schannel: add client certificate authentication
- winbuild: Support custom devel paths for each dependency
- schannel: add support for CURLOPT_CAINFO
- http2: handle on_begin_headers() called more than once
- openssl: support OpenSSL 1.1.1 verbose-mode trace messages
- openssl: fix subjectAltName check on non-ASCII platforms
- http2: avoid strstr() on data not zero terminated
- http2: clear the "drain counter" when a stream is closed
- http2: handle GOAWAY properly
- tool_help: clarify --max-time unit of time is seconds
- curl.1: clarify that options and URLs can be mixed
- http2: convert an assert to run-time check
- curl_global_sslset: always provide available backends
- ftplistparser: keep state between invokes
- Curl_memchr: zero length input can't match
- examples/sftpuploadresume: typecast fseek argument to long
- examples/http2-upload: expand buffer to avoid silly warning
- ctype: restore character classification for non-ASCII platforms
- mime: avoid NULL pointer dereference risk
- cookies: ensure that we have cookies before writing jar
- os400.c: fix checksrc warnings
- configure: provide --with-wolfssl as an alias for --with-cyassl
- cyassl: adapt to libraries without TLS 1.0 support built-in
- http2: get rid of another strstr
- checksrc: force indentation of lines after an else
- cookies: remove unused macro
- CURLINFO_PROTOCOL.3: mention the existing defined names
- tests: provide 'manual' as a feature to optionally require
- travis: enable libssh2 on both macos and Linux
- CURLOPT_URL.3: added ENCODING section
- wolfssl: Fix non-blocking connect
- vtls: don't define MD5_DIGEST_LENGTH for wolfssl
- docs: remove extraneous commas in man pages
- URL: fix ASCII dependency in strcpy_url and strlen_url
- ssh-libssh.c: fix left shift compiler warning
- configure: only check for CA bundle for file-using SSL backends
- travis: add an mbedtls build
- http: don't set the "rewind" flag when not uploading anything
- configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
- transfer: don't unset writesockfd on setup of multiplexed conns
- vtls: use unified "supports" bitfield member in backends
- URLs: fix one more http url
- travis: add a build using WolfSSL
- openssl: change FILE ops to BIO ops
- travis: add build using NSS
- smb: reject negative file sizes
- cookies: accept parameter names as cookie name
- http2: getsock fix for uploads
- all over: fixed format specifiers
- http2: use the correct function pointer typedef
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
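    <Note Title="Worked Example" Type="Other" Ordinal="4" xml:lang="en"><![CDATA[
The following Python script is an added example; it is not part of this advisory and not SUSE's tooling. It shows how to consume the data in this document programmatically: it parses each Vulnerability's Status Type="Fixed" ProductIDs, splits them into package name, version and release, and decides whether an installed package (as reported by rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}' libcurl4) is at or above the fixed version-release for every CVE, using RPM's segment-wise version ordering. The embedded CVRF text is a constructed, trimmed copy of this advisory's structure; the function and variable names are the example's own; the comparison assumes equal epochs and omits RPM's tilde and caret rules, which these version strings do not use.

```python
"""Check an installed RPM against the "Fixed" product list of a CVRF advisory.

Added example (not SUSE's tooling). Parses CVRF 1.1 as laid out in
openSUSE-SU-2018:1624-1 and applies RPM's segment-wise version ordering.
Assumptions: ProductIDs are "<product>:<name>-<version>-<release>", epochs
are equal, and RPM's tilde/caret ordering rules are not needed.
"""
import re
import subprocess
import xml.etree.ElementTree as ET

NS = {"vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1"}

# Constructed, trimmed copy of the advisory's structure: two CVEs, two packages.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <CVE>CVE-2018-1000300</CVE>
    <ProductStatuses><Status Type="Fixed">
      <ProductID>openSUSE Leap 15.0:libcurl4-7.60.0-lp150.2.3.1</ProductID>
      <ProductID>openSUSE Leap 15.0:curl-7.60.0-lp150.2.3.1</ProductID>
    </Status></ProductStatuses>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <CVE>CVE-2018-1000301</CVE>
    <ProductStatuses><Status Type="Fixed">
      <ProductID>openSUSE Leap 15.0:libcurl4-7.60.0-lp150.2.3.1</ProductID>
    </Status></ProductStatuses>
  </Vulnerability>
</cvrfdoc>
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """RPM's ordering for a version or release string: -1, 0 or 1.

    Strings split into numeric and alphabetic segments (separators are
    ignored). Numeric segments compare as integers, alphabetic ones
    lexically, a numeric segment beats an alphabetic one, and when one
    side runs out of segments the longer string wins.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            x, y = int(x), int(y)
        elif xn != yn:
            return 1 if xn else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr):
    """'libcurl-devel-32bit-7.60.0-lp150.2.3.1' -> (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def fixed_packages(cvrf_xml):
    """Map CVE -> {package name: (version, release)} from Status Type="Fixed"."""
    root = ET.fromstring(cvrf_xml)
    fixed = {}
    for vuln in root.findall("vuln:Vulnerability", NS):
        cve = vuln.findtext("vuln:CVE", namespaces=NS)
        path = "vuln:ProductStatuses/vuln:Status[@Type='Fixed']/vuln:ProductID"
        packages = {}
        for pid in vuln.findall(path, NS):
            nvr = pid.text.split(":", 1)[-1]  # drop the "openSUSE Leap 15.0:" prefix
            name, version, release = split_nvr(nvr)
            packages[name] = (version, release)
        fixed[cve] = packages
    return fixed


def package_status(cvrf_xml, installed_nvr):
    """Per CVE: True if installed >= fixed, False if older, None if not listed."""
    name, version, release = split_nvr(installed_nvr)
    status = {}
    for cve, packages in fixed_packages(cvrf_xml).items():
        if name not in packages:
            status[cve] = None
            continue
        fixed_version, fixed_release = packages[name]
        cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        status[cve] = cmp >= 0
    return status


def query_installed_nvr(package):
    """Query the local RPM database (assumes rpm is on PATH)."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}", package],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    import sys
    # Read the real advisory from a file if given, else use the constructed sample.
    cvrf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CVRF
    for pkg in ("libcurl4", "libcurl4-32bit", "libcurl4-mini", "curl"):
        try:
            nvr = query_installed_nvr(pkg)
        except (OSError, subprocess.CalledProcessError):
            continue  # package not installed or rpm unavailable
        print(nvr, package_status(cvrf, nvr))
```

Run the check against the library packages (libcurl4 and its 32bit and mini variants) and not only the curl command-line package: the FTP and RTSP code fixed here lives in libcurl, so applications linking it stay exposed until the library package listed under the Fixed status is installed and the affected processes are restarted. A None result means the advisory does not list that package for that CVE, which is a reason to look at the ProductTree, not a pass.
]]></Note>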
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00015.html</URL>
      <Description>E-Mail link for openSUSE-SU-2018:1624-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Leap 15.0">
      <Branch Type="Product Name" Name="openSUSE Leap 15.0">
        <FullProductName ProductID="openSUSE Leap 15.0">openSUSE Leap 15.0</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="curl-7.60.0-lp150.2.3.1">
      <FullProductName ProductID="curl-7.60.0-lp150.2.3.1">curl-7.60.0-lp150.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="curl-mini-7.60.0-lp150.2.3.1">
      <FullProductName ProductID="curl-mini-7.60.0-lp150.2.3.1">curl-mini-7.60.0-lp150.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl-devel-7.60.0-lp150.2.3.1">
      <FullProductName ProductID="libcurl-devel-7.60.0-lp150.2.3.1">libcurl-devel-7.60.0-lp150.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl-devel-32bit-7.60.0-lp150.2.3.1">
      <FullProductName ProductID="libcurl-devel-32bit-7.60.0-lp150.2.3.1">libcurl-devel-32bit-7.60.0-lp150.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl-mini-devel-7.60.0-lp150.2.3.1">
      <FullProductName ProductID="libcurl-mini-devel-7.60.0-lp150.2.3.1">libcurl-mini-devel-7.60.0-lp150.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl4-7.60.0-lp150.2.3.1">
      <FullProductName ProductID="libcurl4-7.60.0-lp150.2.3.1">libcurl4-7.60.0-lp150.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl4-32bit-7.60.0-lp150.2.3.1">
      <FullProductName ProductID="libcurl4-32bit-7.60.0-lp150.2.3.1">libcurl4-32bit-7.60.0-lp150.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl4-mini-7.60.0-lp150.2.3.1">
      <FullProductName ProductID="libcurl4-mini-7.60.0-lp150.2.3.1">libcurl4-mini-7.60.0-lp150.2.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="curl-7.60.0-lp150.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.0">
      <FullProductName ProductID="openSUSE Leap 15.0:curl-7.60.0-lp150.2.3.1">curl-7.60.0-lp150.2.3.1 as a component of openSUSE Leap 15.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="curl-mini-7.60.0-lp150.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.0">
      <FullProductName ProductID="openSUSE Leap 15.0:curl-mini-7.60.0-lp150.2.3.1">curl-mini-7.60.0-lp150.2.3.1 as a component of openSUSE Leap 15.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl-devel-7.60.0-lp150.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.0">
      <FullProductName ProductID="openSUSE Leap 15.0:libcurl-devel-7.60.0-lp150.2.3.1">libcurl-devel-7.60.0-lp150.2.3.1 as a component of openSUSE Leap 15.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl-devel-32bit-7.60.0-lp150.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.0">
      <FullProductName ProductID="openSUSE Leap 15.0:libcurl-devel-32bit-7.60.0-lp150.2.3.1">libcurl-devel-32bit-7.60.0-lp150.2.3.1 as a component of openSUSE Leap 15.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl-mini-devel-7.60.0-lp150.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.0">
      <FullProductName ProductID="openSUSE Leap 15.0:libcurl-mini-devel-7.60.0-lp150.2.3.1">libcurl-mini-devel-7.60.0-lp150.2.3.1 as a component of openSUSE Leap 15.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl4-7.60.0-lp150.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.0">
      <FullProductName ProductID="openSUSE Leap 15.0:libcurl4-7.60.0-lp150.2.3.1">libcurl4-7.60.0-lp150.2.3.1 as a component of openSUSE Leap 15.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl4-32bit-7.60.0-lp150.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.0">
      <FullProductName ProductID="openSUSE Leap 15.0:libcurl4-32bit-7.60.0-lp150.2.3.1">libcurl4-32bit-7.60.0-lp150.2.3.1 as a component of openSUSE Leap 15.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl4-mini-7.60.0-lp150.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.0">
      <FullProductName ProductID="openSUSE Leap 15.0:libcurl4-mini-7.60.0-lp150.2.3.1">libcurl4-mini-7.60.0-lp150.2.3.1 as a component of openSUSE Leap 15.0</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">curl versions 7.54.1 up to and including 7.59.0 contain a CWE-122 heap-based buffer overflow: curl can overflow a heap-based memory buffer when closing down an FTP connection with very long server command replies. The impact is denial of service and potentially more. Versions before 7.54.1 are not affected; the issue is fixed in curl 7.60.0.</Note>
    </Notes>
    <CVE>CVE-2018-1000300</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.0:curl-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:curl-mini-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl-devel-32bit-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl-devel-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl-mini-devel-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl4-32bit-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl4-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl4-mini-7.60.0-lp150.2.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">Please install the update.</Description>
        <URL>http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00015.html</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2018-1000300.html</URL>
        <Description>CVE-2018-1000300</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1092094</URL>
        <Description>SUSE Bug 1092094</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1101651</URL>
        <Description>SUSE Bug 1101651</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1101653</URL>
        <Description>SUSE Bug 1101653</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1112147</URL>
        <Description>SUSE Bug 1112147</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1112151</URL>
        <Description>SUSE Bug 1112151</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1122292</URL>
        <Description>SUSE Bug 1122292</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">curl versions 7.20.0 up to and including 7.59.0 contain a CWE-126 buffer over-read: curl can be tricked into reading data beyond the end of a heap-based buffer used to store downloaded RTSP content. The impact is denial of service. Versions before 7.20.0 are not affected; the issue is fixed in curl 7.60.0.</Note>
    </Notes>
    <CVE>CVE-2018-1000301</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.0:curl-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:curl-mini-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl-devel-32bit-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl-devel-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl-mini-devel-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl4-32bit-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl4-7.60.0-lp150.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.0:libcurl4-mini-7.60.0-lp150.2.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">Please install the update.</Description>
        <URL>http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00015.html</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2018-1000301.html</URL>
        <Description>CVE-2018-1000301</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1092098</URL>
        <Description>SUSE Bug 1092098</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1101651</URL>
        <Description>SUSE Bug 1101651</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1101653</URL>
        <Description>SUSE Bug 1101653</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1112147</URL>
        <Description>SUSE Bug 1112147</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1112151</URL>
        <Description>SUSE Bug 1112151</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1122292</URL>
        <Description>SUSE Bug 1122292</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
