Date: Wed, 3 Jul 2013 05:01:16 +0200 (CEST)
From: krichy@tvnetwork.hu
To: FreeBSD-Security@freebsd.org
Subject: curl and CVE-2013-2174
Message-ID: <alpine.DEB.2.10.1307030459590.26535@krichy.tvnetwork.hu>

Dear members,

It may sound like a silly question. I have curl installed:

# pkg_info |grep curl
curl-7.24.0_3 Non-interactive tool to get files from FTP, GOPHER, HTTP(S)

Today portsnap updated the ftp/curl port, and patch-CVE-2013-2174 appeared
in files/, but the port version remained such that portaudit and
portupgrade still complain about curl's version.

What is the recommended way to upgrade the package?

# portupgrade curl-7.24.0_3
---> Upgrading 'curl-7.24.0_3' to 'curl-7.24.0_4' (ftp/curl)
---> Building '/usr/ports/ftp/curl'
===> Cleaning for curl-7.24.0_4
===> curl-7.24.0_4 has known vulnerabilities:
Affected package: curl-7.24.0_4
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1

Stop in /usr/ports/ftp/curl.
*** [build] Error code 1

Stop in /usr/ports/ftp/curl.
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade20130702-47232-1m2otkk env UPGRADE_TOOL=portupgrade UPGRADE_PORT=curl-7.24.0_3 UPGRADE_PORT_VER=7.24.0_3 make
** Fix the problem and try again.
** Listing the failed packages (-:ignored / *:skipped / !:failed)
! ftp/curl (curl-7.24.0_3) (unknown build error)

Thanks in advance,

Kojedzinszky Richard
Euronet Magyarorszag Informatikai Zrt.