  • [SECURITY] [DSA 1869-1] New curl packages fix SSL certificate verificat

    From Nico Golde@1:229/2 to All on Wed Aug 19 23:30:12 2009
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --------------------------------------------------------------------------
    Debian Security Advisory DSA-1869-1                   [email protected]
    http://www.debian.org/security/                                 Nico Golde
    August 19th, 2009                       http://www.debian.org/security/faq
    - --------------------------------------------------------------------------

    Package : curl
    Vulnerability : insufficient input validation
    Problem type : remote
    Debian-specific: no
    Debian bug : 541991
    CVE ID : CVE-2009-2417

    It was discovered that curl, a client and library to get files from servers using HTTP, HTTPS or FTP, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common
    Name field.


    For the oldstable distribution (etch), this problem has been fixed in
    version 7.15.5-1etch3.

    For the stable distribution (lenny), this problem has been fixed in
    version 7.18.2-8lenny3.

    For the testing (squeeze) and unstable (sid) distributions, this problem
    will be fixed soon.


    We recommend that you upgrade your curl packages.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    Debian (oldstable)
    - ------------------

    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
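
The null-byte problem the advisory describes, as an added example in C (not code from curl, Debian or the advisory): a name check that treats the Common Name as a C string, next to one that honours the length the ASN.1 decoder reports. The struct, the function names and the host names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name as an ASN.1 decoder hands it over: raw bytes plus an
 * explicit length. The bytes may contain 0x00. (Hypothetical type.) */
struct cert_name {
    const char *data;
    size_t len;
};

/* Flawed check: uses C-string comparison, which stops at the first NUL,
 * so anything placed after an embedded NUL is never looked at. */
int cn_matches_naive(const struct cert_name *cn, const char *host)
{
    return strcasecmp(cn->data, host) == 0;
}

/* Hardened check: a name with an embedded NUL is rejected outright, and
 * the comparison covers the full ASN.1 length, not the C-string length. */
int cn_matches_strict(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                        /* illegal name field */
    if (cn->len != strlen(host))
        return 0;
    return strncasecmp(cn->data, host, cn->len) == 0;
}

/* Constructed sample names: one ordinary, one with a NUL in the middle. */
static const char honest_cn[]  = "www.bank.example";
static const char crafted_cn[] = "www.bank.example\0.attacker.example";
static const struct cert_name honest  = { honest_cn,  sizeof honest_cn - 1 };
static const struct cert_name crafted = { crafted_cn, sizeof crafted_cn - 1 };

int main(void)
{
    const char *host = "www.bank.example";
    printf("honest  CN: naive=%d strict=%d\n",
           cn_matches_naive(&honest, host), cn_matches_strict(&honest, host));
    printf("crafted CN: naive=%d strict=%d\n",
           cn_matches_naive(&crafted, host), cn_matches_strict(&crafted, host));
    return 0;
}
```

The crafted name is 34 bytes long according to its length field, but only the first 16 are visible to C-string functions, which is why the naive check accepts it for a host the certificate was never issued to.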