ESB-2018.0266 - [Win][UNIX/Linux][Debian] curl: Multiple vulnerabilities 2018-01-29


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0266
                           curl security update
                              29 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           curl
Publisher:         Debian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Debian GNU/Linux 9
                   Debian GNU/Linux 8
                   Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000007 CVE-2018-1000005 

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4098

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running curl check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4098-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
January 26, 2018                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2018-1000005 CVE-2018-1000007

Two vulnerabilities were discovered in cURL, a URL transfer library.

CVE-2018-1000005

    Zhouyihai Ding discovered an out-of-bounds read in the code
    handling HTTP/2 trailers. This issue doesn't affect the oldstable
    distribution (jessie).

CVE-2018-1000007

    Craig de Stigter discovered that authentication data might be leaked
    to third parties when following HTTP redirects.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u9.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u4.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
