curl and CVE-2013-2174
krichy at tvnetwork.hu
krichy at tvnetwork.hu
Wed Jul 3 03:01:18 UTC 2013
Dear members,
It may sound a silly question. I have curl installed:
# pkg_info |grep curl
curl-7.24.0_3 Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
Today portsnap updated the ftp/curl port, and patch-CVE-2013-2174 appeared
in files/, but the port version remained such that portaudit, and
portupgrade still complain about curl's version. What is the recommended
way to upgrade the package?
# portupgrade curl-7.24.0_3
---> Upgrading 'curl-7.24.0_3' to 'curl-7.24.0_4' (ftp/curl)
---> Building '/usr/ports/ftp/curl'
===> Cleaning for curl-7.24.0_4
===> curl-7.24.0_4 has known vulnerabilities:
Affected package: curl-7.24.0_4
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference:
http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1
Stop in /usr/ports/ftp/curl.
*** [build] Error code 1
Stop in /usr/ports/ftp/curl.
** Command failed [exit code 1]: /usr/bin/script -qa
/tmp/portupgrade20130702-47232-1m2otkk env UPGRADE_TOOL=portupgrade
UPGRADE_PORT=curl-7.24.0_3 UPGRADE_PORT_VER=7.24.0_3 make
** Fix the problem and try again.
** Listing the failed packages (-:ignored / *:skipped / !:failed)
! ftp/curl (curl-7.24.0_3) (unknown build error)
Thanks in advance,
Kojedzinszky Richard
Euronet Magyarorszag Informatikai Zrt.
More information about the freebsd-security
mailing list