lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Xmldv-00039O-5z@master.debian.org>
Date: Fri, 07 Nov 2014 15:40:07 +0000
From: Salvatore Bonaccorso <carnil@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 3069-1] curl security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3069-1                   security@...ian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
November 07, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2014-3707

Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL, an URL transfer library, has a bug that can lead to libcurl
eventually sending off sensitive data that was not intended for sending,
while performing a HTTP POST operation.

This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be
used in that order, and then the duplicate handle must be used to
perform the HTTP POST. The curl command line tool is not affected by
this problem as it does not use this sequence.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy11.

For the upcoming stable distribution (jessie), this problem will be
fixed in version 7.38.0-3.

For the unstable distribution (sid), this problem has been fixed in
version 7.38.0-3.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUXOZkAAoJEAVMuPMTQ89EQvIP/jTcVO/fBOQVvWe8s3wu89g5
vsNsBRLeeSpWzNR57QOBqa7lnbpu4WKjhKjHjYGyOXIGB9YU+J+oRpBph8IIYG7W
zA2QwcLSQhS5vuYiUGPkdwXcILC57jE+jUO0Ycw8cwQiIEc0Dc+mpvXlUDX6W6Aa
8KEe8NUkqrUWcNCsAx1XTQ0S/IbFCKfs0fNx0LwBaozN6+2NtiINu96G8lsob93u
TmGGKCoyd0QQGdShfou5sIJjldOW7P7YkpdnS3GiJHcw0fNAm9FOOxEqAUSGvmlG
jJFQCb4I/tK2Kmm14JAvW5upJhM99MFcY/OLAYghtcpchc8CQIX8BHuxwswl6gyc
yppbKfzd2/6BvPgJuPsgEQbrs+LmvA71cjKvSiRAZjC73IZ5gdFpc50kDG5fCkqs
qyTOmafKhDB+wktq5AJfPEks20/qVcFwBg6pUyyALUDdhheJ2jCPhcTLpjpSXUGq
OlVfaRp2M+AzNGOHyhWtHflHWHvDWiQlxVgqgedEmejx/VVXJwZQYhnBalwkWnLi
XXr1v1li+iuOeYqDH+fHhIN77V9knH0Z3+ezYHcWJtfg+oaLGDW6vFL6BHs0R7Hf
50ZjtwJ+wBq+RpRL+msSAW4Qn3CJu/BWhirmg+PomavAR94gzP3mQf5mV2kbqzbO
b8edemI/kKuoGhSkhVz5
=4K+N
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ