Debian Security Advisory
DSA-4098-1 curl -- security update
- Date Reported:
- 26 Jan 2018
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2018-1000005, CVE-2018-1000007.
- More information:
Two vulnerabilities were discovered in cURL, an URL transfer library.
Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie).
Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.
For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9.
For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u4.
We recommend that you upgrade your curl packages.
For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl