curl and CVE-2013-2174

Ryan Steinmetz zi at FreeBSD.org
Wed Jul 3 11:19:42 UTC 2013


On (07/03/13 00:55), Robert Simmons wrote:
>Is there a way to do something similar with portmaster?  I don't have
>portaudit installed b/c pkgng provides the same functionality.  I'm
>getting the following error:
>

pkg audit -F

>===>  curl-7.24.0_4 has known vulnerabilities:
>curl-7.24.0_4 is vulnerable:
>cURL library -- heap corruption in curl_easy_unescape
>
>WWW: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
>=> Please update your ports tree and try again.
>*** [check-vulnerable] Error code 1
>
>
>On Tue, Jul 2, 2013 at 11:37 PM,  <krichy at tvnetwork.hu> wrote:
>>
>> Thanks, I should have tried that.
>>
>>
>>
>> Kojedzinszky Richard
>> Euronet Magyarorszag Informatikai Zrt.
>>
>> On Tue, 2 Jul 2013, Ryan Steinmetz wrote:
>>
>>> Date: Tue, 2 Jul 2013 23:19:11 -0400
>>> From: Ryan Steinmetz <zi at FreeBSD.org>
>>> To: krichy at tvnetwork.hu
>>> Cc: FreeBSD-Security at freebsd.org
>>> Subject: Re: curl and CVE-2013-2174
>>>
>>>
>>>
>>> On (07/03/13 05:01), krichy at tvnetwork.hu wrote:
>>>>
>>>> Dear members,
>>>>
>>>> It may sound a silly question. I have curl installed:
>>>> # pkg_info |grep curl
>>>> curl-7.24.0_3       Non-interactive tool to get files from FTP, GOPHER,
>>>> HTTP(S)
>>>>
>>>> Today portsnap updated the ftp/curl port, and patch-CVE-2013-2174
>>>> appeared
>>>> in files/, but the port version remained such that portaudit, and
>>>> portupgrade still complain about curl's version. What is the recommended
>>>> way to upgrade the package?
>>>
>>>
>>> Run:
>>>
>>> portaudit -Fda
>>>
>>> Then try your upgrade again.
>>>
>>> -r
>>>
>>>
>>>>
>>>> # portupgrade curl-7.24.0_3
>>>> --->  Upgrading 'curl-7.24.0_3' to 'curl-7.24.0_4' (ftp/curl)
>>>> --->  Building '/usr/ports/ftp/curl'
>>>> ===>  Cleaning for curl-7.24.0_4
>>>> ===>  curl-7.24.0_4 has known vulnerabilities:
>>>> Affected package: curl-7.24.0_4
>>>> Type of problem: cURL library -- heap corruption in curl_easy_unescape.
>>>> Reference:
>>>> http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
>>>> => Please update your ports tree and try again.
>>>> *** [check-vulnerable] Error code 1
>>>>
>>>> Stop in /usr/ports/ftp/curl.
>>>> *** [build] Error code 1
>>>>
>>>> Stop in /usr/ports/ftp/curl.
>>>> ** Command failed [exit code 1]: /usr/bin/script -qa
>>>> /tmp/portupgrade20130702-47232-1m2otkk env UPGRADE_TOOL=portupgrade
>>>> UPGRADE_PORT=curl-7.24.0_3 UPGRADE_PORT_VER=7.24.0_3 make
>>>> ** Fix the problem and try again.
>>>> ** Listing the failed packages (-:ignored / *:skipped / !:failed)
>>>>         ! ftp/curl (curl-7.24.0_3)      (unknown build error)
>>>>
>>>> Thanks in advance,
>>>>
>>>>
>>>> Kojedzinszky Richard
>>>> Euronet Magyarorszag Informatikai Zrt.
>>>> _______________________________________________
>>>> freebsd-security at freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>>> To unsubscribe, send any mail to
>>>> "freebsd-security-unsubscribe at freebsd.org"
>>>
>>>
>>> --
>>> Ryan Steinmetz
>>> PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2
>>>

-- 
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2

