[SECURITY] [DLA 625-1] curl security update

2016-09-1718:28:27

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

86.6%

JSON

Package : curl
Version : 7.26.0-1+wheezy16
CVE ID : CVE-2016-7167
Debian Bug : 837945

It was discovered that the four four libcurl functions curl_escape(),
curl_easy_escape(), curl_unescape and curl_easy_unescape accepted
negative sting length inputs.

For Debian 7 "Wheezy", these problems have been fixed in version
7.26.0-1+wheezy16.

We recommend that you upgrade your curl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Jonas Meurer

OSVersionArchitecturePackageVersionFilename
Debian7i386libcurl4-gnutls-dev< 7.26.0-1+wheezy16libcurl4-gnutls-dev_7.26.0-1+wheezy16_i386.deb
Debian8armhflibcurl3< 7.38.0-4+deb8u13libcurl3_7.38.0-4+deb8u13_armhf.deb
Debian7armellibcurl4-gnutls-dev< 7.26.0-1+wheezy16libcurl4-gnutls-dev_7.26.0-1+wheezy16_armel.deb
Debian8armelcurl< 7.38.0-4+deb8u13curl_7.38.0-4+deb8u13_armel.deb
Debian8amd64libcurl4-nss-dev< 7.38.0-4+deb8u13libcurl4-nss-dev_7.38.0-4+deb8u13_amd64.deb
Debian7armhfcurl< 7.26.0-1+wheezy16curl_7.26.0-1+wheezy16_armhf.deb
Debian7i386libcurl4-openssl-dev< 7.26.0-1+wheezy16libcurl4-openssl-dev_7.26.0-1+wheezy16_i386.deb
Debian7armhflibcurl3-nss< 7.26.0-1+wheezy16libcurl3-nss_7.26.0-1+wheezy16_armhf.deb
Debian8armellibcurl3< 7.38.0-4+deb8u13libcurl3_7.38.0-4+deb8u13_armel.deb
Debian8alllibcurl4-doc< 7.38.0-4+deb8u13libcurl4-doc_7.38.0-4+deb8u13_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	i386	libcurl4-gnutls-dev	< 7.26.0-1+wheezy16	libcurl4-gnutls-dev_7.26.0-1+wheezy16_i386.deb
Debian	8	armhf	libcurl3	< 7.38.0-4+deb8u13	libcurl3_7.38.0-4+deb8u13_armhf.deb
Debian	7	armel	libcurl4-gnutls-dev	< 7.26.0-1+wheezy16	libcurl4-gnutls-dev_7.26.0-1+wheezy16_armel.deb
Debian	8	armel	curl	< 7.38.0-4+deb8u13	curl_7.38.0-4+deb8u13_armel.deb
Debian	8	amd64	libcurl4-nss-dev	< 7.38.0-4+deb8u13	libcurl4-nss-dev_7.38.0-4+deb8u13_amd64.deb
Debian	7	armhf	curl	< 7.26.0-1+wheezy16	curl_7.26.0-1+wheezy16_armhf.deb
Debian	7	i386	libcurl4-openssl-dev	< 7.26.0-1+wheezy16	libcurl4-openssl-dev_7.26.0-1+wheezy16_i386.deb
Debian	7	armhf	libcurl3-nss	< 7.26.0-1+wheezy16	libcurl3-nss_7.26.0-1+wheezy16_armhf.deb
Debian	8	armel	libcurl3	< 7.38.0-4+deb8u13	libcurl3_7.38.0-4+deb8u13_armel.deb
Debian	8	all	libcurl4-doc	< 7.38.0-4+deb8u13	libcurl4-doc_7.38.0-4+deb8u13_all.deb