From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Wed, 3 Jul 2013 00:55:20 -0400
Subject: Re: curl and CVE-2013-2174

Is there a way to do something similar with portmaster?
I don't have portaudit installed b/c pkgng provides the same functionality.

I'm getting the following error:

===> curl-7.24.0_4 has known vulnerabilities:
curl-7.24.0_4 is vulnerable:
cURL library -- heap corruption in curl_easy_unescape
WWW: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1

On Tue, Jul 2, 2013 at 11:37 PM, wrote:
>
> Thanks, I should have tried that.
>
> Kojedzinszky Richard
> Euronet Magyarorszag Informatikai Zrt.
>
> On Tue, 2 Jul 2013, Ryan Steinmetz wrote:
>
>> Date: Tue, 2 Jul 2013 23:19:11 -0400
>> From: Ryan Steinmetz
>> To: krichy@tvnetwork.hu
>> Cc: FreeBSD-Security@freebsd.org
>> Subject: Re: curl and CVE-2013-2174
>>
>> On (07/03/13 05:01), krichy@tvnetwork.hu wrote:
>>>
>>> Dear members,
>>>
>>> It may sound a silly question. I have curl installed:
>>> # pkg_info |grep curl
>>> curl-7.24.0_3 Non-interactive tool to get files from FTP, GOPHER,
>>> HTTP(S)
>>>
>>> Today portsnap updated the ftp/curl port, and patch-CVE-2013-2174
>>> appeared in files/, but the port version remained such that portaudit,
>>> and portupgrade still complain about curl's version. What is the
>>> recommended way to upgrade the package?
>>
>> Run:
>>
>> portaudit -Fda
>>
>> Then try your upgrade again.
>>
>> -r
>>
>>>
>>> # portupgrade curl-7.24.0_3
>>> ---> Upgrading 'curl-7.24.0_3' to 'curl-7.24.0_4' (ftp/curl)
>>> ---> Building '/usr/ports/ftp/curl'
>>> ===> Cleaning for curl-7.24.0_4
>>> ===> curl-7.24.0_4 has known vulnerabilities:
>>> Affected package: curl-7.24.0_4
>>> Type of problem: cURL library -- heap corruption in curl_easy_unescape.
>>> Reference:
>>> http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
>>> => Please update your ports tree and try again.
>>> *** [check-vulnerable] Error code 1
>>>
>>> Stop in /usr/ports/ftp/curl.
>>> *** [build] Error code 1
>>>
>>> Stop in /usr/ports/ftp/curl.
>>> ** Command failed [exit code 1]: /usr/bin/script -qa
>>> /tmp/portupgrade20130702-47232-1m2otkk env UPGRADE_TOOL=portupgrade
>>> UPGRADE_PORT=curl-7.24.0_3 UPGRADE_PORT_VER=7.24.0_3 make
>>> ** Fix the problem and try again.
>>> ** Listing the failed packages (-:ignored / *:skipped / !:failed)
>>> ! ftp/curl (curl-7.24.0_3) (unknown build error)
>>>
>>> Thanks in advance,
>>>
>>> Kojedzinszky Richard
>>> Euronet Magyarorszag Informatikai Zrt.
>>> _______________________________________________
>>> freebsd-security@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe@freebsd.org"
>>
>> --
>> Ryan Steinmetz
>> PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2