Bug 814655 (CVE-2013-1944) - VUL-0: CVE-2013-1944: curl: cookie domain tailmatch
Summary: VUL-0: CVE-2013-1944: curl: cookie domain tailmatch
Status: RESOLVED FIXED
Alias: CVE-2013-1944
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Importance: P2 - High (priority), Critical (severity)
Target Milestone: ---
Deadline: 2013-10-29
Assignee: Vítězslav Čížek
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp1:52130 maint:...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks:
 
Reported: 2013-04-10 13:25 UTC by Thomas Biege
Modified: 2018-10-19 18:09 UTC
CC: 9 users

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
adv_20130412.txt (2.08 KB, text/plain)
2013-04-10 13:27 UTC, Thomas Biege

Comment 4 Swamp Workflow Management 2013-04-10 22:00:18 UTC
bugbot adjusting priority
Comment 5 Thomas Biege 2013-04-11 07:57:06 UTC
CVE-2013-1944
Comment 6 Vítězslav Čížek 2013-04-12 10:46:06 UTC
Curl 7.30.0 is out.
The issue is now public.
Comment 7 Thomas Biege 2013-04-12 15:49:09 UTC
ok!
Comment 8 Thomas Biege 2013-04-12 15:53:12 UTC
Vita,
what packages are affected?
Comment 9 Vítězslav Čížek 2013-04-12 16:09:12 UTC
(In reply to comment #8)
> Vita,
> what packages are affected?

Every single one.

Affected versions: all versions to and including 7.29.0
Not affected versions: curl >= 7.30.0
Comment 10 Bernhard Wiedemann 2013-04-13 16:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (814655) was mentioned in
https://build.opensuse.org/request/show/163893 Factory / curl
Comment 14 Vítězslav Čížek 2013-04-15 15:29:04 UTC
Curl packages submitted.

In case you wondered why I omitted test1216:
There are two tests for this vulnerability in the upstream git, namely
https://github.com/bagder/curl/blob/master/tests/data/test1216
and
https://github.com/bagder/curl/blob/master/tests/data/test1218

I had to disable test 1216 because it fails due to different cookie sorting in older curl releases.
We're missing this commit (and older distributions some more):
https://github.com/bagder/curl/commit/762961fe352dbb8bc08f58b26ca8a18e7dd1999d
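The domain tail-match that upstream tests 1216 and 1218 exercise, shown as an added example for readers of this bug; this is not curl's own code and is not part of the bug report or of the SUSE packages. The vulnerable matcher reproduces the shape of the pre-7.30.0 check, which accepted any case-insensitive suffix of the host, so a cookie scoped to "ample.com" was also sent to "example.com". The fixed matcher adds the 7.30.0 requirement that the suffix either equal the whole host or be preceded by a '.' in the host. The helper strip_leading_dot and the case table are assumptions constructed for this example (curl removes a leading dot from the Domain attribute when it parses the cookie; the helper just does so defensively).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not curl's code. Both matchers take the cookie domain
   (assumption: stored without the leading '.' of the Set-Cookie Domain
   attribute; strip_leading_dot is a hypothetical helper that removes one
   defensively) and the request host. */
static const char *strip_leading_dot(const char *s)
{
    return (s[0] == '.') ? s + 1 : s;
}

/* Vulnerable shape (curl <= 7.29.0, CVE-2013-1944): the cookie domain is
   accepted if it is any case-insensitive suffix of the host, so a cookie
   scoped to "ample.com" is also sent to "example.com". */
static bool tailmatch_vulnerable(const char *cookie_domain, const char *host)
{
    const char *d = strip_leading_dot(cookie_domain);
    size_t cl = strlen(d);
    size_t hl = strlen(host);

    if (cl > hl)
        return false;
    return strncasecmp(d, host + (hl - cl), cl) == 0;
}

/* Fixed shape (curl >= 7.30.0): same suffix test, plus the suffix must be
   the whole host or be preceded by a '.', i.e. sit on a label boundary. */
static bool tailmatch_fixed(const char *cookie_domain, const char *host)
{
    const char *d = strip_leading_dot(cookie_domain);
    size_t cl = strlen(d);
    size_t hl = strlen(host);

    if (cl > hl)
        return false;
    if (strncasecmp(d, host + (hl - cl), cl) != 0)
        return false;
    if (cl == hl)
        return true;                    /* exact host match */
    return host[hl - cl - 1] == '.';    /* "example.com" vs "www.example.com" */
}

/* Constructed test table: which hosts a cookie with the given Domain
   should be sent to under RFC 6265 domain matching. */
struct tm_case {
    const char *domain;
    const char *host;
    bool should_match;
};

static const struct tm_case cases[] = {
    { "example.com",     "example.com",      true  },
    { "example.com",     "www.example.com",  true  },
    { ".example.com",    "www.example.com",  true  },
    { "EXAMPLE.com",     "www.example.COM",  true  },
    { "ample.com",       "example.com",      false }, /* the CVE case */
    { "example.com",     "notexample.com",   false },
    { "www.example.com", "example.com",      false },
};

/* Count rows where a matcher disagrees with the expected scope; every
   disagreement on a should_match == false row is a cookie leaked to a
   host that does not own it. */
static int count_mismatches(bool (*matcher)(const char *, const char *))
{
    int bad = 0;
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (matcher(cases[i].domain, cases[i].host) != cases[i].should_match)
            bad++;
    return bad;
}

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s -> %-16s vulnerable=%d fixed=%d expected=%d\n",
               cases[i].domain, cases[i].host,
               tailmatch_vulnerable(cases[i].domain, cases[i].host),
               tailmatch_fixed(cases[i].domain, cases[i].host),
               cases[i].should_match);
    printf("mismatches: vulnerable=%d fixed=%d\n",
           count_mismatches(tailmatch_vulnerable),
           count_mismatches(tailmatch_fixed));
    return 0;
}
```

Running it prints one line per row and then the mismatch counts; the vulnerable matcher gets the "ample.com" and "notexample.com" rows wrong, the fixed one gets none wrong. The same boundary check is what the upstream tests pin down, which is why a backport of the fix should carry test 1218 even where 1216 has to be dropped for the cookie-sorting reason given above.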
Comment 16 Bernhard Wiedemann 2013-04-16 04:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (814655) was mentioned in
https://build.opensuse.org/request/show/170864 Maintenance / 
https://build.opensuse.org/request/show/170865 Maintenance /
Comment 22 Bernhard Wiedemann 2013-04-23 17:00:44 UTC
This is an autogenerated message for OBS integration:
This bug (814655) was mentioned in
https://build.opensuse.org/request/show/173085 Evergreen:11.2 / curl
Comment 29 Swamp Workflow Management 2013-04-30 15:04:45 UTC
openSUSE-SU-2013:0726-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 814655
CVE References: CVE-2013-1944
Sources used:
openSUSE 12.2 (src):    curl-7.25.0-2.4.1
openSUSE 12.1 (src):    curl-7.22.0-2.6.1
Comment 34 Marcus Meissner 2013-05-08 14:21:30 UTC
released
Comment 37 Swamp Workflow Management 2013-05-08 17:17:42 UTC
Update released for: compat-curl2, compat-curl2-32bit, compat-curl2-64bit, compat-curl2-debuginfo, compat-curl2-x86
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 38 Swamp Workflow Management 2013-05-08 17:35:33 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit, libcurl4-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 41 Swamp Workflow Management 2013-05-08 18:58:26 UTC
Update released for: curl, curl-32bit, curl-64bit, curl-debuginfo, curl-devel, curl-x86
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 44 Bernhard Wiedemann 2013-05-17 14:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (814655) was mentioned in
https://build.opensuse.org/request/show/175979 Evergreen:11.2 / curl
Comment 45 Swamp Workflow Management 2013-06-10 09:06:20 UTC
openSUSE-SU-2013:0876-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 814655
CVE References: CVE-2013-1944
Sources used:
openSUSE 12.3 (src):    curl-7.28.1-4.13.1
Comment 46 Swamp Workflow Management 2013-06-10 09:08:38 UTC
openSUSE-SU-2013:0879-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 814655
CVE References: CVE-2013-1944
Sources used:
openSUSE 11.4 (src):    curl-7.21.2-29.1
Comment 48 Swamp Workflow Management 2013-06-13 10:37:33 UTC
The SWAMPID for this issue is 52939.
This issue was rated as moderate.
Please submit fixed packages until 2013-06-27.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 49 Swamp Workflow Management 2013-07-09 14:55:44 UTC
Update released for: libcurl4, libcurl4-32bit, libcurl4-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
Comment 52 Swamp Workflow Management 2013-10-15 08:09:38 UTC
The SWAMPID for this issue is 54707.
This issue was rated as moderate.
Please submit fixed packages until 2013-10-29.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 57 Swamp Workflow Management 2013-11-20 10:46:33 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
SLES4VMWARE 11-SP1-LTSS (i386, x86_64)