
4431 matches found

Mageia
added 2018/02/06 6:25 a.m. | 36 views

Updated curl packages fix security vulnerability

It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. When accessed, the data is read out of bounds and causes either a crash or that the too large data gets passed to the libcurl callback. This might lead to a...

CVSS 9.1 | EPSS 0.00365
Exploits: 0 | References: 3
Tenable Nessus
added 2018/01/30 12:0 a.m. | 47 views

SUSE SLES12 Security Update : Recommended update for apache2 (SUSE-SU-2018:0261-1)

This update for apache2 fixes several issues. These security issues were fixed : - CVE-2017-9789: When under stress closing many connections the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour bsc1048575. - CVE-2017-7659: A...

CVSS 7.5 | AI score 6.8 | EPSS 0.38383
Exploits: 0 | References: 9
ArchLinux
added 2018/01/29 12:0 a.m. | 30 views

[ASA-201801-22] lib32-curl: multiple issues

Arch Linux Security Advisory ASA-201801-22 ========================================== Severity: Medium Date : 2018-01-29 CVE-ID : CVE-2018-1000005 CVE-2018-1000007 Package : lib32-curl Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-594 Summary ======= The package...

CVSS 9.8 | AI score 9.3 | EPSS 0.03854
Exploits: 0 | References: 7
ArchLinux
added 2018/01/29 12:0 a.m. | 34 views

[ASA-201801-26] lib32-libcurl-compat: multiple issues

Arch Linux Security Advisory ASA-201801-26 ========================================== Severity: Medium Date : 2018-01-29 CVE-ID : CVE-2018-1000005 CVE-2018-1000007 Package : lib32-libcurl-compat Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-598 Summary ======= The...

CVSS 9.8 | AI score 9.4 | EPSS 0.03854
Exploits: 0 | References: 7
ArchLinux
added 2018/01/29 12:0 a.m. | 30 views

[ASA-201801-25] lib32-libcurl-gnutls: multiple issues

Arch Linux Security Advisory ASA-201801-25 ========================================== Severity: Medium Date : 2018-01-29 CVE-ID : CVE-2018-1000005 CVE-2018-1000007 Package : lib32-libcurl-gnutls Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-597 Summary ======= The...

CVSS 9.8 | AI score 9.4 | EPSS 0.03854
Exploits: 0 | References: 7
ArchLinux
added 2018/01/28 12:0 a.m. | 36 views

[ASA-201801-20] curl: multiple issues

Arch Linux Security Advisory ASA-201801-20 ========================================== Severity: Medium Date : 2018-01-28 CVE-ID : CVE-2018-1000005 CVE-2018-1000007 Package : curl Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-593 Summary ======= The package curl...

CVSS 9.8 | AI score 9.3 | EPSS 0.03854
Exploits: 0 | References: 7
Debian
added 2018/01/26 9:59 a.m. | 33 views

[SECURITY] [DSA 4098-1] curl security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4098-1 [email protected] https://www.debian.org/security/ Alessandro Ghedini January 26, 2018 https://www.debian.org/security/faq -...

CVSS 9.8 | AI score 9.5 | EPSS 0.03854
Exploits: 0
Slackware Linux
added 2018/01/25 2:28 a.m. | 38 views

[slackware-security] curl

New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/curl-7.58.0-i586-1slack14.2.txz: Upgraded. This update fixes security issues: HTTP authentication leak in redirects HTTP/2...

CVSS 9.8 | AI score 8.6 | EPSS 0.03854
Exploits: 0
OSV
added 2018/01/24 10:29 p.m. | 26 views

CVE-2018-1000005

libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported https://github.com/curl/curl/pull/2231 that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the...

CVSS 9.1 | AI score 9.3 | EPSS 0.00365
Exploits: 0 | References: 6
Prion
added 2018/01/24 10:29 p.m. | 23 views

Out-of-bounds

libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported https://github.com/curl/curl/pull/2231 that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the...

CVSS 6.4 | AI score 8.9 | EPSS 0.00365
Exploits: 0 | References: 6 | Affected Software: 3
NVD
added 2018/01/24 10:29 p.m. | 18 views

CVE-2018-1000005

libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported https://github.com/curl/curl/pull/2231 that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the...

CVSS 9.1 | AI score 9 | EPSS 0.00365
Exploits: 0 | References: 6
CVE
added 2018/01/24 10:0 p.m. | 195 views

CVE-2018-1000005

CVE-2018-1000005 affects libcurl 7.49.0 through 7.57.0, due to an out-of-bounds read when handling HTTP/2 trailers. Reading a trailer could corrupt future trailers, leading to a crash or potential information disclosure; the issue arises from mis-updated math after changing the header creation to...

CVSS 9.1 | AI score 8.9 | EPSS 0.00365
Exploits: 0 | References: 6 | Affected Software: 1
AlpineLinux
added 2018/01/24 10:0 p.m. | 51 views

CVE-2018-1000005

libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported https://github.com/curl/curl/pull/2231 that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the...

CVSS 9.1 | AI score 9.3 | EPSS 0.00365
Exploits: 0
Cvelist
added 2018/01/24 10:0 p.m. | 23 views

CVE-2018-1000005

libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported https://github.com/curl/curl/pull/2231 that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the...

AI score 9.1 | EPSS 0.00365
Exploits: 0 | References: 6
Debian CVE
added 2018/01/24 10:0 p.m. | 48 views

CVE-2018-1000005

libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported https://github.com/curl/curl/pull/2231 that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the...

CVSS 9.1 | AI score 9.1 | EPSS 0.00365
Exploits: 0
ALT Linux
added 2018/01/24 12:0 a.m. | 47 views

Security fix for the ALT Linux 8 package curl version 7.58.0-alt1

Jan. 24, 2018 Anton Farygin 7.58.0-alt1 - new version - fixes: CVE-2018-1000005 HTTP/2 trailer out-of-bounds read CVE-2018-1000007 HTTP authentication leak in redirects...

CVSS 6.4 | AI score 8.3 | EPSS 0.03854
Exploits: 0
UbuntuCve
added 2018/01/24 12:0 a.m. | 26 views

CVE-2018-1000005

libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported https://github.com/curl/curl/pull/2231 that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the...

CVSS 9.1 | AI score 7.2 | EPSS 0.00365
Exploits: 0 | References: 4
Apache Httpd
added 2018/01/23 12:0 a.m. | 50 views

Apache Httpd < 2.4.33 : Possible write of after free on HTTP/2 stream shutdown

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.33 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter...

CVSS 5.9 | AI score 1.6 | EPSS 0.12125
Exploits: 0 | Affected Software: 1
Kitploit
added 2017/12/29 1:5 p.m. | 11 views

Merlin - A cross-platform post-exploitation HTTP/2 Command & Control server and agent

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. An introductory blog post can be found here: https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a Getting Started The quickest and easiest way to start using Merlin is download the...

AI score 7.5
Exploits: 0 | References: 3
OSV
added 2017/12/22 2:29 p.m. | 12 views

CVE-2017-10908

H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/2 header...

CVSS 7.5 | AI score 7.6
Exploits: 0 | References: 2