DSA-3992-1 curl -- curlID: oval:org.secpod.oval:def:603123 | Date: (C)2021-01-06 (M)2023-12-20 |
Class: PATCH | Family: unix |
Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2017-1000100 Even Rouault reported that cURL does not properly handle long file names when doing an TFTP upload. A malicious HTTP server can take advantage of this flaw by redirecting a client using the cURL library to a crafted TFTP URL and trick it to send private memory contents to a remote server over UDP. CVE-2017-1000101 Brian Carpenter and Yongji Ouyang reported that cURL contains a flaw in the globbing function that parses the numerical range, leading to an out-of-bounds read when parsing a specially crafted URL. CVE-2017-1000254 Max Dymond reported that cURL contains an out-of-bounds read flaw in the FTP PWD response parser. A malicious server can take advantage of this flaw to effectively prevent a client using the cURL library to work with it, causing a denial of service.
Platform: |
Debian 8.x |
Debian 9.x |
Product: |
curl |
libcurl4-gnutls-dev |
libcurl4-doc |
libcurl4-openssl-dev |
libcurl3 |
libcurl4-nss-dev |