Bugzilla – Bug 868627
VUL-0: CVE-2014-0138: curl: wrong re-use of connections
Last modified: 2018-10-19 18:21:55 UTC
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (868627) was mentioned in https://build.opensuse.org/request/show/227556 13.1+12.3 / curl
This is an autogenerated message for OBS integration: This bug (868627) was mentioned in https://build.opensuse.org/request/show/227560 13.1+12.3 / curl
http://curl.haxx.se/docs/adv_20140326A.html libcurl wrong re-use of connections =================================== Project cURL Security Advisory, March 26th 2014 http://curl.haxx.se/docs/security.html 1. VULNERABILITY libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP. libcurl features a pool of recent connections so that subsequent requests can re-use an existing connection to avoid overhead. When re-using a connection a range of criterion must first be met. Due to an error in the code, a transfer that was initiated by an application could wrongfully re-use an existing connection to the same server that was authenticated using different credentials. The existing logic basically only worked well enough for HTTP and FTP, while all other network protocols were silently, but erroneously, assumed to work like HTTP. Basically, protocols that use connection oriented authentication need a new connection when new credentials are used. Affected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and LDAP(S). Applications can disable libcurl's re-use of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or aren't re-used: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using curl_multi API). (This problem is very similar to a problem previously reported to NTLM HTTP connections, named CVE-2014-0015) The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2014-0138 to this issue. 2. AFFECTED VERSIONS This flaw has existed ever since libcurl started to support these other protocols, although the code has been restructured a few times over the years so the mistake has altered shape. Affected versions: from libcurl 7.10.6 to and including 7.35.0 Not affected versions: libcurl before 7.10.6 and >= 7.36.0 libcurl is used by many applications, but not always advertised as such! 3. THE SOLUTION libcurl 7.36.0 makes sure that connections are re-used more strictly. A patch for this problem is available at: http://curl.haxx.se/libcurl-bad-reuse.patch 4. RECOMMENDATIONS We suggest you take one of the following actions immediately, in order of preference: A - Upgrade to curl and libcurl 7.36.0 B - Apply the patch and rebuild libcurl 5. TIME LINE It was reported to the curl project on February 15th 2014. We contacted distros@openwall on March 16 2014. libcurl 7.36.0 was released on March 26th 2014, coordinated with the publication of this advisory. 6. CREDITS Bug reported and patch written by Steve Holme. Thanks a lot!
This is an autogenerated message for OBS integration: This bug (868627) was mentioned in https://build.opensuse.org/request/show/229615 13.1+12.3 / curl
openSUSE-RU-2014:0514-1: An update that fixes two vulnerabilities is now available. Category: recommended (moderate) Bug References: 868627,868629 CVE References: CVE-2014-0138,CVE-2014-0139 Sources used: openSUSE 13.1 (src): curl-7.32.0-2.16.1 openSUSE 12.3 (src): curl-7.28.1-4.33.1
The SWAMPID for this issue is 57016. This issue was rated as moderate. Please submit fixed packages until 2014-04-28. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
openSUSE-SU-2014:0530-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 868627,868629 CVE References: CVE-2014-0138,CVE-2014-0139,CVE-2014-138,CVE-2014-139 Sources used: openSUSE 11.4 (src): curl-7.21.2-45.1
SUSE-OU-2014:0571-1: An update that solves two vulnerabilities and has 5 fixes is now available. Category: optional (low) Bug References: 843697,861014,862623,864912,868627,868629,870444 CVE References: CVE-2014-0138,CVE-2014-0139 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): openldap2-2.4.26-0.28.5, openldap2-client-2.4.26-0.28.5 SUSE Linux Enterprise Server 11 SP3 for VMware (src): openldap2-2.4.26-0.28.5, openldap2-client-2.4.26-0.28.5 SUSE Linux Enterprise Server 11 SP3 (src): openldap2-2.4.26-0.28.5, openldap2-client-2.4.26-0.28.5 SUSE Linux Enterprise Security Module 11 SP3 (src): curl-openssl1-7.19.7-0.38.1, cyrus-sasl-openssl1-2.1.22-0.27.6, openldap2-client-openssl1-2.4.26-0.28.8 SUSE Linux Enterprise Desktop 11 SP3 (src): openldap2-client-2.4.26-0.28.5
openSUSE-SU-2014:0598-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 868627,868629 CVE References: CVE-2014-0138,CVE-2014-0139 Sources used: openSUSE 13.1 (src): curl-7.32.0-2.23.1 openSUSE 12.3 (src): curl-7.28.1-4.39.1
released
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4 Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: curl, curl-devel Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: compat-curl2, compat-curl2-debuginfo Products: SLE-DEBUGINFO 10-SP3-TERADATA (x86_64) SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: curl, curl-debuginfo, curl-devel Products: SLE-DEBUGINFO 10-SP3-TERADATA (x86_64) SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit, libcurl4-64bit, libcurl4-x86 Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0691-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 868627,868629,870444 CVE References: CVE-2014-0138,CVE-2014-0139 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): curl-7.19.7-1.38.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): curl-7.19.7-1.38.1 SUSE Linux Enterprise Server 11 SP3 (src): curl-7.19.7-1.38.1 SUSE Linux Enterprise Desktop 11 SP3 (src): curl-7.19.7-1.38.1