Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 3069-1] curl security update

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [SECURITY] [DSA 3069-1] curl security update


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: Salvatore Bonaccorso <carnil AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 3069-1] curl security update
  • Date: Fri, 07 Nov 2014 15:40:07 +0000
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
  • Old-return-path: <carnil AT master.debian.org>
  • Priority: urgent
  • Resent-date: Fri, 7 Nov 2014 15:40:24 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <x8SOETvtzRG.A.GcG.ofOXUB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3069-1 security AT debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
November 07, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2014-3707

Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL, an URL transfer library, has a bug that can lead to libcurl
eventually sending off sensitive data that was not intended for sending,
while performing a HTTP POST operation.

This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be
used in that order, and then the duplicate handle must be used to
perform the HTTP POST. The curl command line tool is not affected by
this problem as it does not use this sequence.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy11.

For the upcoming stable distribution (jessie), this problem will be
fixed in version 7.38.0-3.

For the unstable distribution (sid), this problem has been fixed in
version 7.38.0-3.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUXOZkAAoJEAVMuPMTQ89EQvIP/jTcVO/fBOQVvWe8s3wu89g5
vsNsBRLeeSpWzNR57QOBqa7lnbpu4WKjhKjHjYGyOXIGB9YU+J+oRpBph8IIYG7W
zA2QwcLSQhS5vuYiUGPkdwXcILC57jE+jUO0Ycw8cwQiIEc0Dc+mpvXlUDX6W6Aa
8KEe8NUkqrUWcNCsAx1XTQ0S/IbFCKfs0fNx0LwBaozN6+2NtiINu96G8lsob93u
TmGGKCoyd0QQGdShfou5sIJjldOW7P7YkpdnS3GiJHcw0fNAm9FOOxEqAUSGvmlG
jJFQCb4I/tK2Kmm14JAvW5upJhM99MFcY/OLAYghtcpchc8CQIX8BHuxwswl6gyc
yppbKfzd2/6BvPgJuPsgEQbrs+LmvA71cjKvSiRAZjC73IZ5gdFpc50kDG5fCkqs
qyTOmafKhDB+wktq5AJfPEks20/qVcFwBg6pUyyALUDdhheJ2jCPhcTLpjpSXUGq
OlVfaRp2M+AzNGOHyhWtHflHWHvDWiQlxVgqgedEmejx/VVXJwZQYhnBalwkWnLi
XXr1v1li+iuOeYqDH+fHhIN77V9knH0Z3+ezYHcWJtfg+oaLGDW6vFL6BHs0R7Hf
50ZjtwJ+wBq+RpRL+msSAW4Qn3CJu/BWhirmg+PomavAR94gzP3mQf5mV2kbqzbO
b8edemI/kKuoGhSkhVz5
=4K+N
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST AT lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster AT lists.debian.org
Archive: E1Xmldv-00039O-5z AT master.debian.org">https://lists.debian.org/E1Xmldv-00039O-5z AT master.debian.org



  • [IT-SecNots] [SECURITY] [DSA 3069-1] curl security update, Salvatore Bonaccorso, 07.11.2014

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang