openSUSE Security Update : curl (openSUSE-2018-589)

High Nessus Plugin ID 110434

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for curl to version 7.60.0 fixes the following issues :

These security issues were fixed :

- CVE-2018-1000300: Prevent heap-based buffer overflow when closing down an FTP connection with very long server command replies (bsc#1092094).

- CVE-2018-1000301: Prevent buffer over-read that could have cause reading data beyond the end of a heap based buffer used to store downloaded RTSP content (bsc#1092098).

These non-security issues were fixed :

- Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol

- Add --haproxy-protocol for the command line tool

- Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses

- FTP: fix typo in recursive callback detection for seeking

- test1208: marked flaky

- HTTP: make header-less responses still count correct body size

- user-agent.d:: mention --proxy-header as well

- http2: fixes typo

- cleanup: misc typos in strings and comments

- rate-limit: use three second window to better handle high speeds

- examples/hiperfifo.c: improved

- pause: when changing pause state, update socket state

- curl_version_info.3: fix ssl_version description

- add_handle/easy_perform: clear errorbuffer on start if set

- cmake: add support for brotli

- parsedate: support UT timezone

- vauth/ntlm.h: fix the #ifdef header guard

- lib/curl_path.h: added #ifdef header guard

- vauth/cleartext: fix integer overflow check

- CURLINFO_COOKIELIST.3: made the example not leak memory

- cookie.d: mention that '-' as filename means stdin

- CURLINFO_SSL_VERIFYRESULT.3: fixed the example

- http2: read pending frames (including GOAWAY) in connection-check

- timeval: remove compilation warning by casting

- cmake: avoid warn-as-error during config checks

- travis-ci: enable -Werror for CMake builds

- openldap: fix for NULL return from ldap_get_attribute_ber()

- threaded resolver: track resolver time and set suitable timeout values

- cmake: Add advapi32 as explicit link library for win32

- docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T

- test1148: set a fixed locale for the test

- cookies: when reading from a file, only remove_expired once

- cookie: store cookies per top-level-domain-specific hash table

- openssl: RESTORED verify locations when verifypeer==0

- file: restore old behavior for file:////foo/bar URLs

- FTP: allow PASV on IPv6 connections when a proxy is being used

- build-openssl.bat: allow custom paths for VS and perl

- winbuild: make the clean target work without build-type

- build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15

- curl: retry on FTP 4xx, ignore other protocols

- configure: detect (and use) sa_family_t

- examples/sftpuploadresume: Fix Windows large file seek

- build: cleanup to fix clang warnings/errors

- winbuild: updated the documentation

- lib: silence null-dereference warnings

- travis: bump to clang 6 and gcc 7

- travis: build libpsl and make builds use it

- proxy: show getenv proxy use in verbose output

- duphandle: make sure CURLOPT_RESOLVE is duplicated

- all: Refactor malloc+memset to use calloc

- checksrc: Fix typo

- system.h: Add sparcv8plus to oracle/sunpro 32-bit detection

- vauth: Fix typo

- ssh: show libSSH2 error code when closing fails

- test1148: tolerate progress updates better

- urldata: make service names unconditional

- configure: keep LD_LIBRARY_PATH changes local

- ntlm_sspi: fix authentication using Credential Manager

- schannel: add client certificate authentication

- winbuild: Support custom devel paths for each dependency

- schannel: add support for CURLOPT_CAINFO

- http2: handle on_begin_headers() called more than once

- openssl: support OpenSSL 1.1.1 verbose-mode trace messages

- openssl: fix subjectAltName check on non-ASCII platforms

- http2: avoid strstr() on data not zero terminated

- http2: clear the 'drain counter' when a stream is closed

- http2: handle GOAWAY properly

- tool_help: clarify --max-time unit of time is seconds

- curl.1: clarify that options and URLs can be mixed

- http2: convert an assert to run-time check

- curl_global_sslset: always provide available backends

- ftplistparser: keep state between invokes

- Curl_memchr: zero length input can't match

- examples/sftpuploadresume: typecast fseek argument to long

- examples/http2-upload: expand buffer to avoid silly warning

- ctype: restore character classification for non-ASCII platforms

- mime: avoid NULL pointer dereference risk

- cookies: ensure that we have cookies before writing jar

- os400.c: fix checksrc warnings

- configure: provide --with-wolfssl as an alias for
--with-cyassl

- cyassl: adapt to libraries without TLS 1.0 support built-in

- http2: get rid of another strstr

- checksrc: force indentation of lines after an else

- cookies: remove unused macro

- CURLINFO_PROTOCOL.3: mention the existing defined names

- tests: provide 'manual' as a feature to optionally require

- travis: enable libssh2 on both macos and Linux

- CURLOPT_URL.3: added ENCODING section

- wolfssl: Fix non-blocking connect

- vtls: don't define MD5_DIGEST_LENGTH for wolfssl

- docs: remove extraneous commas in man pages

- URL: fix ASCII dependency in strcpy_url and strlen_url

- ssh-libssh.c: fix left shift compiler warning

- configure: only check for CA bundle for file-using SSL backends

- travis: add an mbedtls build

- http: don't set the 'rewind' flag when not uploading anything

- configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h

- transfer: don't unset writesockfd on setup of multiplexed conns

- vtls: use unified 'supports' bitfield member in backends

- URLs: fix one more http url

- travis: add a build using WolfSSL

- openssl: change FILE ops to BIO ops

- travis: add build using NSS

- smb: reject negative file sizes

- cookies: accept parameter names as cookie name

- http2: getsock fix for uploads

- all over: fixed format specifiers

- http2: use the correct function pointer typedef

Solution

Update the affected curl packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1092094

https://bugzilla.opensuse.org/show_bug.cgi?id=1092098

Plugin Details

Severity: High

ID: 110434

File Name: openSUSE-2018-589.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2018/06/11

Updated: 2018/09/04

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:curl, p-cpe:/a:novell:opensuse:curl-debuginfo, p-cpe:/a:novell:opensuse:curl-debugsource, p-cpe:/a:novell:opensuse:curl-mini, p-cpe:/a:novell:opensuse:curl-mini-debuginfo, p-cpe:/a:novell:opensuse:curl-mini-debugsource, p-cpe:/a:novell:opensuse:libcurl-devel, p-cpe:/a:novell:opensuse:libcurl-devel-32bit, p-cpe:/a:novell:opensuse:libcurl-mini-devel, p-cpe:/a:novell:opensuse:libcurl4, p-cpe:/a:novell:opensuse:libcurl4-32bit, p-cpe:/a:novell:opensuse:libcurl4-32bit-debuginfo, p-cpe:/a:novell:opensuse:libcurl4-debuginfo, p-cpe:/a:novell:opensuse:libcurl4-mini, p-cpe:/a:novell:opensuse:libcurl4-mini-debuginfo, cpe:/o:novell:opensuse:15.0

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2018/06/09

Reference Information

CVE: CVE-2018-1000300, CVE-2018-1000301