Bug 895991 - (CVE-2014-3620) VUL-0: CVE-2014-3620: curl: cookies accepted for TLDs
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Vítězslav Čížek
QA Contact: Security Team bot
Depends on:
Reported: 2014-09-10 10:38 UTC by Marcus Meissner
Modified: 2014-09-24 18:28 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

CVE-2014-3620.patch (2.00 KB, patch)
2014-09-10 10:38 UTC, Marcus Meissner

Description Marcus Meissner 2014-09-10 10:38:15 UTC
via libcurl announcement


Affected versions: from libcurl 7.31 to and including 7.37.1
Not affected versions: libcurl < 7.31 and libcurl >= 7.38.0

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
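As an added illustration (constructed for this page, not the attached patch or curl's own code), the kind of check a cookie parser needs before honouring a Set-Cookie domain attribute: the domain must tail-match the response host at a label boundary, and it must contain at least one dot, so a bare TLD such as "com" is refused rather than becoming a cookie scope shared by every site under that TLD.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Decide whether a Set-Cookie "domain=" attribute may be honoured for a
   response received from 'host'. Constructed model of the check, not
   libcurl's implementation; host and domain are plain hostnames. */
bool cookie_domain_ok(const char *host, const char *domain)
{
    size_t hlen, dlen;

    if (!host || !domain)
        return false;

    /* Most parsers treat ".example.com" the same as "example.com". */
    if (domain[0] == '.')
        domain++;

    hlen = strlen(host);
    dlen = strlen(domain);
    if (hlen == 0 || dlen == 0)
        return false;

    /* A domain attribute with no embedded dot names a TLD ("com", "org").
       Accepting it would scope the cookie to every site under that TLD,
       which is exactly the over-broad scope described in this bug. */
    if (strchr(domain, '.') == NULL)
        return false;

    /* The host must equal the domain or end with ".<domain>", i.e. the
       match must start on a label boundary ("notexample.com" must not
       match "example.com"). */
    if (hlen < dlen)
        return false;
    if (strcasecmp(host + (hlen - dlen), domain) != 0)
        return false;
    return hlen == dlen || host[hlen - dlen - 1] == '.';
}
```

The dot test only catches single-label suffixes; multi-label public suffixes such as "co.uk" need a Public Suffix List lookup, which is what curl builds against libpsl for.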
Comment 1 Marcus Meissner 2014-09-10 10:38:53 UTC
Created attachment 605739 [details]

curl patch
Comment 2 Marcus Meissner 2014-09-10 10:43:31 UTC
affected: openSUSE Factory and SLE-12
Comment 3 Vítězslav Čížek 2014-09-10 11:39:22 UTC
(In reply to comment #2)
> affected: openSUSE Factory and SLE-12

Also openSUSE 13.1.
Comment 5 Bernhard Wiedemann 2014-09-10 15:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (895991) was mentioned in
https://build.opensuse.org/request/show/248371 13.1+12.3 / curl
Comment 7 Swamp Workflow Management 2014-09-10 22:00:19 UTC
bugbot adjusting priority
Comment 8 Swamp Workflow Management 2014-09-17 21:04:36 UTC
openSUSE-SU-2014:1139-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 894575,895991
CVE References: CVE-2014-3613,CVE-2014-3620
Sources used:
openSUSE 13.1 (src):    curl-7.32.0-2.27.1
openSUSE 12.3 (src):    curl-7.28.1-4.43.1
Comment 9 Marcus Meissner 2014-09-18 05:27:15 UTC