You are here
Home > Preporuke > Sigurnosni propust programskog paketa curl

Sigurnosni propust programskog paketa curl

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– ————————————————————————-
Debian Security Advisory DSA-3069-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
November 07, 2014 http://www.debian.org/security/faq
– ————————————————————————-

Package : curl
CVE ID : CVE-2014-3707

Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL, an URL transfer library, has a bug that can lead to libcurl
eventually sending off sensitive data that was not intended for sending,
while performing a HTTP POST operation.

This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be
used in that order, and then the duplicate handle must be used to
perform the HTTP POST. The curl command line tool is not affected by
this problem as it does not use this sequence.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy11.

For the upcoming stable distribution (jessie), this problem will be
fixed in version 7.38.0-3.

For the unstable distribution (sid), this problem has been fixed in
version 7.38.0-3.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIcBAEBCgAGBQJUXOZkAAoJEAVMuPMTQ89EQvIP/jTcVO/fBOQVvWe8s3wu89g5
vsNsBRLeeSpWzNR57QOBqa7lnbpu4WKjhKjHjYGyOXIGB9YU+J+oRpBph8IIYG7W
zA2QwcLSQhS5vuYiUGPkdwXcILC57jE+jUO0Ycw8cwQiIEc0Dc+mpvXlUDX6W6Aa
8KEe8NUkqrUWcNCsAx1XTQ0S/IbFCKfs0fNx0LwBaozN6+2NtiINu96G8lsob93u
TmGGKCoyd0QQGdShfou5sIJjldOW7P7YkpdnS3GiJHcw0fNAm9FOOxEqAUSGvmlG
jJFQCb4I/tK2Kmm14JAvW5upJhM99MFcY/OLAYghtcpchc8CQIX8BHuxwswl6gyc
yppbKfzd2/6BvPgJuPsgEQbrs+LmvA71cjKvSiRAZjC73IZ5gdFpc50kDG5fCkqs
qyTOmafKhDB+wktq5AJfPEks20/qVcFwBg6pUyyALUDdhheJ2jCPhcTLpjpSXUGq
OlVfaRp2M+AzNGOHyhWtHflHWHvDWiQlxVgqgedEmejx/VVXJwZQYhnBalwkWnLi
XXr1v1li+iuOeYqDH+fHhIN77V9knH0Z3+ezYHcWJtfg+oaLGDW6vFL6BHs0R7Hf
50ZjtwJ+wBq+RpRL+msSAW4Qn3CJu/BWhirmg+PomavAR94gzP3mQf5mV2kbqzbO
b8edemI/kKuoGhSkhVz5
=4K+N
—–END PGP SIGNATURE—–


To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of “unsubscribe”. Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/E1Xmldv-00039O-5z@master.debian.org

Top
More in Preporuke
Ranjivost programskog paketa konversation

Otkrivena je ranjivost u IRC klijentu za KDE - Konversation na operacijskom sutavu Debian. Ranjivost može biti iskorištena za rušenje...

Close