
How to upgrade libcurl package in centos 6

Discussion in 'CentOS, Redhat & Oracle Linux News' started by Lundz, Sep 25, 2014.

  1. Lundz

    Lundz Member

    Hello :)

    By default CentOS 6 uses libcurl 7.19. I would like to upgrade that to the newest possible, but what would be the best way?
     
  2. eva2000

    eva2000 Administrator Staff Member

    Unfortunately, curl and libcurl are deeply embedded into the system, with some other software depending on those version numbers. So it's more difficult to replace the version of curl/libcurl provided by Redhat or CentOS (not impossible, as I have a few systems using curl and libcurl 7.38). But it's best to wait for upstream released packages for curl and libcurl. FYI, Redhat and CentOS backport patch updates from newer 7.38 into 7.19 via an incrementing number at the end of 7.19.*.

    You can check the change logs:

    Code:
    rpm -qa --changelog libcurl | head -n10
    * Mon May 19 2014 Kamil Dudka <kdudka@redhat.com> 7.19.7-37.el6_5.3
    - fix re-use of wrong HTTP NTLM connection (CVE-2014-0015)
    - fix connection re-use when using different log-in credentials (CVE-2014-0138)
    
    * Mon May 12 2014 Kamil Dudka <kdudka@redhat.com> 7.19.7-37.el6_5.2
    - fix authentication failure when server offers multiple auth options (#1096797)
    
    * Fri Apr 25 2014 Kamil Dudka <kdudka@redhat.com> 7.19.7-37.el6_5.1
    - refresh expired cookie in test172 from upstream test-suite (#1092486)
    - fix a memory leak caused by write after close (#1092479)
    Code:
    rpm -qa --changelog curl | head -n10
    * Mon May 19 2014 Kamil Dudka <kdudka@redhat.com> 7.19.7-37.el6_5.3
    - fix re-use of wrong HTTP NTLM connection (CVE-2014-0015)
    - fix connection re-use when using different log-in credentials (CVE-2014-0138)
    
    * Mon May 12 2014 Kamil Dudka <kdudka@redhat.com> 7.19.7-37.el6_5.2
    - fix authentication failure when server offers multiple auth options (#1096797)
    
    * Fri Apr 25 2014 Kamil Dudka <kdudka@redhat.com> 7.19.7-37.el6_5.1
    - refresh expired cookie in test172 from upstream test-suite (#1092486)
    - fix a memory leak caused by write after close (#1092479)
    
    If you are referring to the curl vulnerabilities CVE-2014-3613 and CVE-2014-3620, just be aware the latter is not affected in Redhat or CentOS versions 5, 6 and 7, and you need to wait for an update to be available for Redhat or CentOS for CVE-2014-3613, which is related to libcurl cookie leak with IP address as domain. Bug report for CVE-2014-3613 is located here.

    CVE-2014-3613
    libcurl cookie leak with IP address as domain
     
  3. eva2000

    eva2000 Administrator Staff Member

    More plain English explanation of CVE-2014-3613
     
    Last edited: Sep 25, 2014
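
Added example (not part of the original posts): a small shell helper for the changelog check described in the thread, reporting which package release, if any, lists a given CVE as backported. The function names are made up for illustration, and the sample changelog is the `rpm` output quoted in the thread.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical.

# Print the version-release of the newest changelog entry that names the CVE.
# Reads `rpm -q --changelog <pkg>` text on stdin; returns 1 if the CVE is absent.
# Assumes each entry header ends with the version-release, as in the thread's output.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* /                   { rel = $NF; next }   # entry header line
        # require a non-digit after the ID so CVE-2014-013 does not match CVE-2014-0138
        $0 ~ (cve "([^0-9]|$)")  { print rel; found = 1; exit }
        END                      { exit !found }
    '
}

# Changelog lines copied from the thread, so the example runs without rpm.
sample_changelog() {
    cat <<'EOF'
* Mon May 19 2014 Kamil Dudka <kdudka@redhat.com> 7.19.7-37.el6_5.3
- fix re-use of wrong HTTP NTLM connection (CVE-2014-0015)
- fix connection re-use when using different log-in credentials (CVE-2014-0138)

* Mon May 12 2014 Kamil Dudka <kdudka@redhat.com> 7.19.7-37.el6_5.2
- fix authentication failure when server offers multiple auth options (#1096797)
EOF
}

# Report the backport status of each CVE given as an argument.
report() {
    for cve in "$@"; do
        if rel=$(sample_changelog | cve_fixed_in "$cve"); then
            echo "$cve: backported in $rel"
        else
            echo "$cve: not listed in changelog"
        fi
    done
}

report CVE-2014-0015 CVE-2014-0138 CVE-2014-3613
# On a real host: rpm -q --changelog libcurl | cve_fixed_in CVE-2014-3613
```

A CVE missing from the changelog means either that the fix has not been backported yet or that the distribution's build is not affected, so confirm against the vendor's advisory for that CVE.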