-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0495
                           curl security update
                               14 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           curl
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 6
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0139 CVE-2014-0138 

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2902

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running curl check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2902-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
April 13, 2014                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2014-0138 CVE-2014-0139
Debian Bug     : 742728

Two vulnerabilities have been discovered in cURL, a URL transfer
library. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2014-0138

    Steve Holme discovered that libcurl can in some circumstances re-use
    the wrong connection when asked to do transfers using protocols
    other than HTTP and FTP.

CVE-2014-0139

    Richard Moore from Westpoint Ltd. reported that libcurl does not
    behave in compliance with RFC 2828 under certain conditions and
    incorrectly validates wildcard SSL certificates containing literal
    IP addresses.

For the oldstable distribution (squeeze), these problems have been fixed in
version 7.21.0-2.1+squeeze8.

For the stable distribution (wheezy), these problems have been fixed in
version 7.26.0-1+wheezy9.

For the testing distribution (jessie), these problems have been fixed in
version 7.36.0-1.

For the unstable distribution (sid), these problems have been fixed in
version 7.36.0-1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
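The second issue above (CVE-2014-0139) concerns what a TLS client should do when the peer was named by an IP literal rather than a host name. The following is an added example, written for this bulletin and not taken from libcurl or Debian: it models the two behaviours side by side. `lenient_match` applies DNS-style wildcard rules to any name, which is the failure mode the advisory describes in simplified form (it is not libcurl's actual code); `strict_match` follows the rule in RFC 2818 (HTTP over TLS) that an IP literal in the URL must match a certificate name exactly, with wildcard expansion reserved for DNS names. Function names and the sample names in the usage block are assumptions made for this example.

```python
"""Illustrative model of wildcard certificate-name matching against IP literals.
Added example for the bulletin above; not libcurl or Debian code."""
import ipaddress


def is_ip_literal(host: str) -> bool:
    """True if `host` is an IPv4 or IPv6 literal (surrounding [] stripped for IPv6)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare a certificate name `pattern` with a DNS `host`.

    A wildcard is honoured only when it is the whole leftmost label and at
    least two more labels follow, so '*.com' never matches anything. The
    wildcard stands for exactly one non-empty label: '*.example.com'
    matches 'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def lenient_match(pattern: str, host: str) -> bool:
    """Model of the flawed behaviour (assumed simplification, not libcurl's code):
    wildcard rules are applied to every host, including an IP literal, so a
    certificate name such as '*.0.0.1' would be accepted for 10.0.0.1."""
    return dns_name_matches(pattern, host)


def strict_match(pattern: str, host: str) -> bool:
    """Corrected behaviour: an IP literal must match a certificate name exactly
    (compared as parsed addresses, so '::1' equals '0:0:0:0:0:0:0:1');
    wildcard expansion applies only to DNS names."""
    if is_ip_literal(host):
        try:
            return ipaddress.ip_address(pattern.strip("[]")) == ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            # The certificate name is not an address (e.g. it contains '*'): no match.
            return False
    return dns_name_matches(pattern, host)


if __name__ == "__main__":
    # Constructed sample pairs (certificate name, host connected to).
    samples = [
        ("*.0.0.1", "10.0.0.1"),          # wildcard against an IP literal
        ("10.0.0.1", "10.0.0.1"),         # exact IP match
        ("::1", "[0:0:0:0:0:0:0:1]"),     # same IPv6 address, different spelling
        ("*.example.com", "www.example.com"),
        ("*.example.com", "a.b.example.com"),
        ("*.com", "example.com"),
    ]
    for pattern, host in samples:
        print(f"{pattern:16} {host:22} lenient={lenient_match(pattern, host)!s:5} "
              f"strict={strict_match(pattern, host)}")
```

The first sample pair is the one that separates the two functions: the lenient matcher accepts a wildcard name for an address it never should have been compared against, while the strict matcher requires an exact address match. Every other pair evaluates the same way under both, which is the point: restricting wildcards to DNS names costs nothing for legitimate certificates.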

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----