Debian Security Advisory

DSA-1869-1 curl -- insufficient input validation

Date reported:
19 August 2009
Affected packages:
curl
Vulnerable:
Yes
Security database references:
In the Debian bug tracking system: Bug 541991.
In Mitre's CVE dictionary: CVE-2009-2417.
More information:

cURL, a client and library for retrieving files from HTTP, HTTPS or FTP servers, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. The certificate's Common Name is compared against the requested host name as a NUL-terminated C string, so the comparison stops at an embedded NUL byte and the remainder of the name, the part a certificate authority actually validated, is never examined. This allows an attacker to perform undetected man-in-the-middle attacks using a forged ITU-T X.509 certificate whose Common Name field contains an injected NUL byte.
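The following is an added example, not code from this advisory or from the curl project, showing the difference between the flawed C-string comparison and a length-aware one. The Common Name bytes, the host names and the function names are constructed for illustration; a real client would obtain the CN and its length from the certificate's DER decoder.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample data (not taken from a real certificate): a Common Name
 * as it would be decoded from the certificate's DER, where the ASN.1 length
 * prefix makes an embedded NUL byte legal data. The attacker controls
 * "evil.example", so a CA that validates the name from its tail may issue
 * this CN; the victim host is "www.bank.example".
 */
static const unsigned char kForgedCn[] = "www.bank.example\0.evil.example";
static const size_t kForgedCnLen = sizeof(kForgedCn) - 1; /* 30 bytes; excludes the literal's terminator */

static const unsigned char kHonestCn[] = "www.bank.example";
static const size_t kHonestCnLen = sizeof(kHonestCn) - 1; /* 16 bytes */

/* Vulnerable check: the CN is treated as a C string, so the comparison stops
 * at the first NUL and the ".evil.example" tail the CA validated is never seen. */
bool cn_matches_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len; /* the ASN.1 length is ignored: this is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened check: work from the ASN.1 length. Any NUL inside the declared
 * length means the C-string view and the DER view disagree, so the name is
 * rejected before any comparison takes place. */
bool cn_matches_fixed(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                       /* embedded NUL: reject */
    size_t host_len = strlen(host);
    if (host_len != cn_len)
        return false;                       /* length mismatch: no match */
    return memcmp(cn, host, cn_len) == 0;   /* exact, length-bounded compare */
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("forged CN, vulnerable check: %s\n",
           cn_matches_vulnerable(kForgedCn, kForgedCnLen, host) ? "ACCEPTED (MITM)" : "rejected");
    printf("forged CN, fixed check:      %s\n",
           cn_matches_fixed(kForgedCn, kForgedCnLen, host) ? "accepted" : "rejected");
    printf("honest CN, fixed check:      %s\n",
           cn_matches_fixed(kHonestCn, kHonestCnLen, host) ? "accepted" : "rejected");
    return 0;
}
```

The upstream curl fix for CVE-2009-2417 takes the same approach: a peer Common Name whose C-string length differs from its ASN.1 length is rejected outright rather than compared.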

For the oldstable distribution (Etch), this problem has been fixed in version 7.15.5-1etch3.

For the stable distribution (Lenny), this problem has been fixed in version 7.18.2-8lenny3.

For the testing (Squeeze) and unstable (Sid) distributions, this problem will be fixed soon.

We recommend that you upgrade your curl packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3.diff.gz
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5.orig.tar.gz
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.15.5-1etch3_all.deb
Alpha:
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch3_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch3_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_mips.deb
PowerPC:
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch3_s390.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch3_s390.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch3_s390.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch3_s390.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch3_s390.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch3_s390.deb

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3.dsc
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3.diff.gz
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_alpha.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_amd64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_arm.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3_armel.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_armel.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_armel.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_armel.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_armel.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny3_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_hppa.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_i386.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny3_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_ia64.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_mips.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_mips.deb
PowerPC:
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny3_powerpc.deb
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny3_powerpc.deb

MD5 checksums of the listed files are available on the original security advisory page.