[SECURITY] [DLA 1143-1] curl security update

2017-10-2420:38:14

lists.debian.org

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.022 Low

EPSS

Percentile

89.3%

JSON

Package : curl
Version : 7.26.0-1+wheezy22
CVE ID : CVE-2017-1000257

Brian Carpenter, Geeknik Labs, 0xd34db347, and independently reported by
the OSS-Fuzz project, detected a out of bounds read during IMAP FETCH
response.

For Debian 7 "Wheezy", this problem has been fixed in version
7.26.0-1+wheezy22.

We recommend that you upgrade your curl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8kfreebsd-i386libcurl3-gnutls< 7.38.0-4+deb8u7libcurl3-gnutls_7.38.0-4+deb8u7_kfreebsd-i386.deb
Debian9s390xcurl< 7.52.1-5+deb9u2curl_7.52.1-5+deb9u2_s390x.deb
Debian8kfreebsd-i386libcurl4-gnutls-dev< 7.38.0-4+deb8u7libcurl4-gnutls-dev_7.38.0-4+deb8u7_kfreebsd-i386.deb
Debian8i386libcurl3-gnutls< 7.38.0-4+deb8u7libcurl3-gnutls_7.38.0-4+deb8u7_i386.deb
Debian9armhfcurl-dbgsym< 7.52.1-5+deb9u2curl-dbgsym_7.52.1-5+deb9u2_armhf.deb
Debian7amd64libcurl4-openssl-dev< 7.26.0-1+wheezy22libcurl4-openssl-dev_7.26.0-1+wheezy22_amd64.deb
Debian8s390xlibcurl3-gnutls< 7.38.0-4+deb8u7libcurl3-gnutls_7.38.0-4+deb8u7_s390x.deb
Debian8ppc64ellibcurl4-nss-dev< 7.38.0-4+deb8u7libcurl4-nss-dev_7.38.0-4+deb8u7_ppc64el.deb
Debian8s390xlibcurl4-openssl-dev< 7.38.0-4+deb8u7libcurl4-openssl-dev_7.38.0-4+deb8u7_s390x.deb
Debian9armhflibcurl3-gnutls< 7.52.1-5+deb9u2libcurl3-gnutls_7.52.1-5+deb9u2_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	kfreebsd-i386	libcurl3-gnutls	< 7.38.0-4+deb8u7	libcurl3-gnutls_7.38.0-4+deb8u7_kfreebsd-i386.deb
Debian	9	s390x	curl	< 7.52.1-5+deb9u2	curl_7.52.1-5+deb9u2_s390x.deb
Debian	8	kfreebsd-i386	libcurl4-gnutls-dev	< 7.38.0-4+deb8u7	libcurl4-gnutls-dev_7.38.0-4+deb8u7_kfreebsd-i386.deb
Debian	8	i386	libcurl3-gnutls	< 7.38.0-4+deb8u7	libcurl3-gnutls_7.38.0-4+deb8u7_i386.deb
Debian	9	armhf	curl-dbgsym	< 7.52.1-5+deb9u2	curl-dbgsym_7.52.1-5+deb9u2_armhf.deb
Debian	7	amd64	libcurl4-openssl-dev	< 7.26.0-1+wheezy22	libcurl4-openssl-dev_7.26.0-1+wheezy22_amd64.deb
Debian	8	s390x	libcurl3-gnutls	< 7.38.0-4+deb8u7	libcurl3-gnutls_7.38.0-4+deb8u7_s390x.deb
Debian	8	ppc64el	libcurl4-nss-dev	< 7.38.0-4+deb8u7	libcurl4-nss-dev_7.38.0-4+deb8u7_ppc64el.deb
Debian	8	s390x	libcurl4-openssl-dev	< 7.38.0-4+deb8u7	libcurl4-openssl-dev_7.38.0-4+deb8u7_s390x.deb
Debian	9	armhf	libcurl3-gnutls	< 7.52.1-5+deb9u2	libcurl3-gnutls_7.52.1-5+deb9u2_armhf.deb