Bug 895991 - (CVE-2014-3620) VUL-0: CVE-2014-3620: curl: cookies accepted for TLDs
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Vítězslav Čížek
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/106018/
Depends on:
Blocks:
 
Reported: 2014-09-10 10:38 UTC by Marcus Meissner
Modified: 2014-09-24 18:28 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2014-3620.patch (2.00 KB, patch)
2014-09-10 10:38 UTC, Marcus Meissner

Description Marcus Meissner 2014-09-10 10:38:15 UTC
via libcurl announcement

http://curl.haxx.se/docs/security.html#20140910B

Affected versions: from libcurl 7.31 to and including 7.37.1
Not affected versions: libcurl < 7.31 and libcurl >= 7.38.0

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
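As an added illustration (not curl's code and not the patch attached to this bug), the check below shows how a client can validate a cookie's Domain attribute so that a response from one site cannot set a cookie scoped to a whole TLD or other public suffix, next to the domain-match-only check that produces the behaviour the advisory describes. The public-suffix set is a constructed subset; a real client loads the full list.

```python
# Added example (not libcurl's implementation): validating the Domain
# attribute of an incoming Set-Cookie against the request host.

# Constructed subset of the public suffix list; a real client loads the
# full list (which also carries wildcard and exception rules).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "github.io"}


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals domain, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def weak_accepts(request_host: str, cookie_domain: str) -> bool:
    """Domain-match only. Because every host under .com domain-matches 'com',
    this lets any site set Domain=com, the CVE-2014-3620 class of bug."""
    return domain_matches(request_host, cookie_domain)


def hardened_accepts(request_host: str, cookie_domain: str) -> bool:
    """Domain-match plus public-suffix rejection, which is what browsers do.
    Cookies without a Domain attribute are host-only and never reach this check."""
    domain = cookie_domain.lower().lstrip(".")
    if not domain or domain in PUBLIC_SUFFIXES:
        return False  # a TLD or other public suffix is never a valid cookie scope
    if "." not in domain:
        return False  # a single label is a TLD (or a bare hostname), not a site
    return domain_matches(request_host, domain)


if __name__ == "__main__":
    # Constructed request host and Domain attributes for demonstration.
    for host, dom in [("www.example.com", "com"),
                      ("shop.example.co.uk", "co.uk"),
                      ("shop.example.co.uk", "example.co.uk")]:
        print(f"{host} Domain={dom}: weak={weak_accepts(host, dom)} "
              f"hardened={hardened_accepts(host, dom)}")
```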
Comment 1 Marcus Meissner 2014-09-10 10:38:53 UTC
Created attachment 605739
CVE-2014-3620.patch

curl patch
Comment 2 Marcus Meissner 2014-09-10 10:43:31 UTC
affected: openSUSE Factory and SLE-12
Comment 3 Vítězslav Čížek 2014-09-10 11:39:22 UTC
(In reply to comment #2)
> affected: openSUSE Factory and SLE-12

Also openSUSE 13.1.
Comment 5 Bernhard Wiedemann 2014-09-10 15:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (895991) was mentioned in
https://build.opensuse.org/request/show/248371 13.1+12.3 / curl
Comment 7 Swamp Workflow Management 2014-09-10 22:00:19 UTC
bugbot adjusting priority
Comment 8 Swamp Workflow Management 2014-09-17 21:04:36 UTC
openSUSE-SU-2014:1139-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 894575,895991
CVE References: CVE-2014-3613,CVE-2014-3620
Sources used:
openSUSE 13.1 (src):    curl-7.32.0-2.27.1
openSUSE 12.3 (src):    curl-7.28.1-4.43.1
Comment 9 Marcus Meissner 2014-09-18 05:27:15 UTC
released