Date: Wed, 3 Jul 2013 05:37:01 +0200 (CEST)
From: krichy@tvnetwork.hu
To: Ryan Steinmetz
Cc: FreeBSD-Security@freebsd.org
Subject: Re: curl and CVE-2013-2174

Thanks, I should have tried that.

Kojedzinszky Richard
Euronet Magyarorszag Informatikai Zrt.

On Tue, 2 Jul 2013, Ryan Steinmetz wrote:

> Date: Tue, 2 Jul 2013 23:19:11 -0400
> From: Ryan Steinmetz
> To: krichy@tvnetwork.hu
> Cc: FreeBSD-Security@freebsd.org
> Subject: Re: curl and CVE-2013-2174
>
> On (07/03/13 05:01), krichy@tvnetwork.hu wrote:
>> Dear members,
>>
>> It may sound a silly question.
>> I have curl installed:
>> # pkg_info |grep curl
>> curl-7.24.0_3 Non-interactive tool to get files from FTP, GOPHER,
>> HTTP(S)
>>
>> Today portsnap updated the ftp/curl port, and patch-CVE-2013-2174 appeared
>> in files/, but the port version remained such that portaudit, and
>> portupgrade still complain about curl's version. What is the recommended
>> way to upgrade the package?
>
> Run:
>
> portaudit -Fda
>
> Then try your upgrade again.
>
> -r
>
>>
>> # portupgrade curl-7.24.0_3
>> ---> Upgrading 'curl-7.24.0_3' to 'curl-7.24.0_4' (ftp/curl)
>> ---> Building '/usr/ports/ftp/curl'
>> ===> Cleaning for curl-7.24.0_4
>> ===> curl-7.24.0_4 has known vulnerabilities:
>> Affected package: curl-7.24.0_4
>> Type of problem: cURL library -- heap corruption in curl_easy_unescape.
>> Reference:
>> http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
>> => Please update your ports tree and try again.
>> *** [check-vulnerable] Error code 1
>>
>> Stop in /usr/ports/ftp/curl.
>> *** [build] Error code 1
>>
>> Stop in /usr/ports/ftp/curl.
>> ** Command failed [exit code 1]: /usr/bin/script -qa
>> /tmp/portupgrade20130702-47232-1m2otkk env UPGRADE_TOOL=portupgrade
>> UPGRADE_PORT=curl-7.24.0_3 UPGRADE_PORT_VER=7.24.0_3 make
>> ** Fix the problem and try again.
>> ** Listing the failed packages (-:ignored / *:skipped / !:failed)
>> ! ftp/curl (curl-7.24.0_3) (unknown build error)
>>
>> Thanks in advance,
>>
>>
>> Kojedzinszky Richard
>> Euronet Magyarorszag Informatikai Zrt.
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> --
> Ryan Steinmetz
> PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2