LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 02-11-2014, 07:23 PM   #1
akschu
Member
 
Registered: Dec 2007
Posts: 80

Rep: Reputation: 32
Curl shipped with 14.1 has security issues and bugs!


I've been battling a curl issue all morning, and updating to 7.35.0 fixes it. I would much rather use a stock slackware package so that I don't have slackpkg warning me to downgrade to the broken version in the repository.

Can someone update this and roll a security patch? It's just a matter of changing the version number and rebuilding the package.

Thanks,
schu
 
Old 02-11-2014, 08:49 PM   #2
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: Carrollton, Texas
Distribution: Slackware64 14.2 and Slackware64 -current (AKA Slackware64 15)
Posts: 3,793

Rep: Reputation: 2143Reputation: 2143Reputation: 2143Reputation: 2143Reputation: 2143Reputation: 2143Reputation: 2143Reputation: 2143Reputation: 2143Reputation: 2143Reputation: 2143
Well, "someone" would be Pat so maybe you should provide some details on the bugs that you found.
 
Old 02-11-2014, 09:21 PM   #3
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
See http://www.linuxquestions.org/questi...ml#post5108614

--mancha
 
Old 02-11-2014, 11:28 PM   #4
philanc
Member
 
Registered: Jan 2011
Posts: 287

Rep: Reputation: 251Reputation: 251Reputation: 251
Quote:
Originally Posted by akschu View Post
I've been battling a curl issue all morning, and updating to 7.35.0 fixes it. I would much rather use a stock slackware package so that I don't have slackpkg warning me to downgrade to the broken version in the repository.
If you have already updated curl to 7.35 and your immediate objective is to eliminate slackpkg warning or prompt about curl, you may just add 'curl' to /etc/slackpkg/blacklist for the time being.

Phil
 
Old 02-12-2014, 10:43 PM   #5
1337_powerslacker
Member
 
Registered: Nov 2009
Distribution: Slackware64-current,Ubuntu,openSuSE,Manjaro
Posts: 837
Blog Entries: 9

Rep: Reputation: 557Reputation: 557Reputation: 557Reputation: 557Reputation: 557Reputation: 557
Quote:
Originally Posted by akschu View Post
I've been battling a curl issue all morning, and updating to 7.35.0 fixes it. I would much rather use a stock slackware package so that I don't have slackpkg warning me to downgrade to the broken version in the repository.

Can someone update this and roll a security patch? It's just a matter of changing the version number and rebuilding the package.

Thanks,
schu
I used mancha's post as an opportunity to download the latest version of curl from its homepage, and compiled it myself. You can download the source here, and download the SlackBuild files that I have uploaded (gzipped tarball, just delete the '.txt' from the end of it).

Cheers,

Matt
 
Old 02-12-2014, 11:32 PM   #6
chessmaster15
LQ Newbie
 
Registered: Aug 2011
Location: Delaware
Distribution: FreeBSD,OpenBSD,Slackware
Posts: 21

Rep: Reputation: Disabled
Curl 7.35 is also in the PhantomX Git Slackbuilds.
 
Old 02-13-2014, 10:56 PM   #7
STDOUBT
Member
 
Registered: May 2010
Location: Stumptown
Distribution: Slackware -current 32bit!
Posts: 575

Rep: Reputation: 241Reputation: 241Reputation: 241
BAM. Check that changelog
 
Old 02-14-2014, 09:02 AM   #8
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1063Reputation: 1063Reputation: 1063Reputation: 1063Reputation: 1063Reputation: 1063Reputation: 1063Reputation: 1063
This morning's [slackware-security] curl (SSA:2014-044-01):
Quote:
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/curl-7.35.0-i486-1_slack14.1.txz: Upgraded.
This update fixes a flaw where libcurl could, in some circumstances, reuse
the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS
request.
For more information, see:
http://curl.haxx.se/docs/adv_20140129.html
http://cve.mitre.org/cgi-bin/cvename...=CVE-2014-0015
(* Security fix *)
+--------------------------+
Hope this helps some.
 
Old 02-16-2014, 04:03 PM   #9
akschu
Member
 
Registered: Dec 2007
Posts: 80

Original Poster
Rep: Reputation: 32
Thanks,

This is exactly what I was wanting. Sure I could build my own and blacklist the package in slackpkg (and did), but then I would need to pay attention to any future updates instead of relying on the Slackware user collective. This update fixes that.

schu
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
CURL issues in bash iniuria Programming 1 03-08-2010 03:39 AM
LXer: Security update for cURL LXer Syndicated Linux News 0 03-05-2009 04:41 AM
LXer: When more bugs can mean tighter security LXer Syndicated Linux News 0 12-10-2007 07:20 AM
LXer: When more bugs can mean tighter security LXer Syndicated Linux News 0 12-09-2007 11:30 PM
Network security bugs - which distribution have the fastest reaction? immer Linux - Security 4 10-29-2004 05:33 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 09:59 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration