Lucene search

K
osvGoogleOSV:DSA-3122-1
HistoryJan 08, 2015 - 12:00 a.m.

curl - security update

2015-01-0800:00:00
Google
osv.dev
20

EPSS

0.006

Percentile

78.0%

Andrey Labunets of Facebook discovered that cURL, an URL transfer
library, fails to properly handle URLs with embedded end-of-line
characters. An attacker able to make an application using libcurl to
access a specially crafted URL via an HTTP proxy could use this flaw to
do additional requests in a way that was not intended, or insert
additional request headers into the request.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy12.

For the upcoming stable distribution (jessie), this problem will be
fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 7.38.0-4.

We recommend that you upgrade your curl packages.