1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4386-1] curl security update

    From Alessandro Ghedini@1:229/2 to All on Wed Feb 6 23:50:01 2019
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4386-1 [email protected] https://www.debian.org/security/ Alessandro Ghedini February 06, 2019 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : curl
    CVE ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823

    Multiple vulnerabilities were discovered in cURL, an URL transfer library.

    CVE-2018-16890

    Wenxiang Qian of Tencent Blade Team discovered that the function
    handling incoming NTLM type-2 messages does not validate incoming
    data correctly and is subject to an integer overflow vulnerability,
    which could lead to an out-of-bounds buffer read.

    CVE-2019-3822

    Wenxiang Qian of Tencent Blade Team discovered that the function
    creating an outgoing NTLM type-3 header is subject to an integer
    overflow vulnerability, which could lead to an out-of-bounds write.

    CVE-2019-3823

    Brian Carpenter of Geeknik Labs discovered that the code handling
    the end-of-response for SMTP is subject to an out-of-bounds heap
    read.

    For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u9.

    We recommend that you upgrade your curl packages.

    For the detailed security status of curl please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/curl

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEBsId305pBx+F583DbwzL4CFiRygFAlxbSaAACgkQbwzL4CFi RygmtA/9HlrFg7QuCYikB1GTMvAfWtmk8vV19wr+zXcG4zxjC5MSubJStmg6Fhn7 Hl4Ar+UpqF79IM02yw4drAhci7BksQtGw/akExCDtI/+jw+BeHyHSR0GApwNlrIp k1t0c/ExxLKAPQKB4hxuxs0FdZGiJxO02Ld39O4PVf9c7IkBu0bRcbVbEajvIggh RFZN8HmUaqcN57MXu1Jrb9J0XWCyiGHjqEwBY0Q7/SI7cDuV5o8LiRFBeF/J2ByZ cSW7C980qQ9t1pru3BCAoAJxX7hl+fJPxub7oeZ1FehuQKMhxS/x2vQVgG6ni02z dccgYs+JVAaLhfqMUVNdieMwvyUuVbGsLVJ15HFRs8WGMlq9qRuHVfKBteZGPkHm zXbMaQ8lndNUN/El9JmaL4EEz4yIF/ZyQaniXGLu7iUPHtlJsFSl6Rjjc6q1Fg1u rAH4xNX2G4XV6MLH0LaQmaNgSLXSQn/er7QaUFEjCkzlRGob3DXWqexB2RhyNmp2 Hg5CrMT1d9VWFXS40CdiccPK+Bu0sEwuyzHWJMAQ2gRZ8Wv5MbqqOH8T9yLwXEgB u3MnQsWHs8nNKGs/ca6y6sRFMNhjVTA1Xwe12ZrO5UqZmpZJHgmSYEslboaLffGa zi3ucm1DATRJcTbMYvpZhS60QjkYr2nXgBwYYABTb2ZvDOTE6j4=
    =cCLC
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)