cURL: Multiple vulnerabilities — GLSA 201406-21

Multiple vulnerabilities have been discovered in cURL, the worst of which could lead to man-in-the-middle attacks.

Affected packages

net-misc/curl on all architectures
Affected versions < 7.36.0
Unaffected versions >= 7.36.0

Background

cURL is a command line tool for transferring files with URL syntax, supporting numerous protocols.

Description

Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could conduct a man-in-the-middle attack using a crafted certificate issued by a legitimate certification authority. Furthermore, a context-dependent attacker may be able to bypass security restrictions by connecting as other users.

Workaround

There is no known workaround at this time.

Resolution

All cURL users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/curl-7.36.0"
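
A post-upgrade check against the 7.36.0 boundary given above, as an added example that is not part of the advisory. It assumes the usual first line of `curl --version` output (`curl X (...) libcurl/Y ...`); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# First unaffected version, taken from the advisory.
FIXED="7.36.0"

# ver_lt A B: succeed (exit 0) when dotted numeric version A is older than B.
# Components are compared as integers, so 7.9.8 < 7.36.0 is handled correctly
# (a plain string comparison would get that wrong).
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# glsa_status LINE: classify the first line of `curl --version` output.
# The tool version and the libcurl version are reported separately on that
# line, so both are checked; either one below FIXED counts as affected.
glsa_status() {
    tool=$(printf '%s\n' "$1" | sed -n 's|^curl \([0-9][0-9.]*\).*|\1|p')
    lib=$(printf '%s\n' "$1" | sed -n 's|.* libcurl/\([0-9][0-9.]*\).*|\1|p')
    if [ -z "$tool" ] || [ -z "$lib" ]; then
        echo unknown
        return 0
    fi
    if ver_lt "$tool" "$FIXED" || ver_lt "$lib" "$FIXED"; then
        echo affected
    else
        echo unaffected
    fi
}

# Constructed sample lines (not taken from the advisory).
for line in \
    "curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1g zlib/1.2.8" \
    "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 OpenSSL/1.0.1g zlib/1.2.8"
do
    printf '%s -> %s\n' "${line%% (*}" "$(glsa_status "$line")"
done
# On a live host: glsa_status "$(curl --version | head -n 1)"
```
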
 

References

Release date
June 22, 2014

Latest revision
June 22, 2014: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries