logo
DATABASE RESOURCES PRICING ABOUT US

curl - security update

Description

Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems: * [CVE-2017-1000100](https://security-tracker.debian.org/tracker/CVE-2017-1000100) Even Rouault reported that cURL does not properly handle long file names when doing an TFTP upload. A malicious HTTP(S) server can take advantage of this flaw by redirecting a client using the cURL library to a crafted TFTP URL and trick it to send private memory contents to a remote server over UDP. * [CVE-2017-1000101](https://security-tracker.debian.org/tracker/CVE-2017-1000101) Brian Carpenter and Yongji Ouyang reported that cURL contains a flaw in the globbing function that parses the numerical range, leading to an out-of-bounds read when parsing a specially crafted URL. * [CVE-2017-1000254](https://security-tracker.debian.org/tracker/CVE-2017-1000254) Max Dymond reported that cURL contains an out-of-bounds read flaw in the FTP PWD response parser. A malicious server can take advantage of this flaw to effectively prevent a client using the cURL library to work with it, causing a denial of service. For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u6. For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u1. We recommend that you upgrade your curl packages.


Affected Software


CPE Name Name Version
curl 7.52.1-5

Related