[SECURITY] [DLA 84-1] curl security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 84-1] curl security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sun, 9 Nov 2014 17:18:30 +0100 (CET)
Message-id: <[🔎] alpine.DEB.2.02.1411091657570.9700@jupiter.server.alteholz.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : curl
Version        : 7.21.0-2.1+squeeze10
CVE ID         : CVE-2014-3707

Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL, an URL transfer library, has a bug that can lead to libcurl
eventually sending off sensitive data that was not intended for sending,
while performing a HTTP POST operation.

This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be
used in that order, and then the duplicate handle must be used to
perform the HTTP POST. The curl command line tool is not affected by
this problem as it does not use this sequence.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJUX5PWXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHnfIP/1A7q1svERijCcwuWeapONE3
gvIjGqcc9zAqPSWZQkSdIcYMf1bE/5tgTuGSnOc90ReESMuVc1eUlJx/VkcHCPjX
bFjDdrHxY9w4Ud6WqBXyD6F2hlijpJGPrMW3c+tWifZmSNqVBWtZ5NR7bqf2bQaR
M7LCmD+2MHbx0x4xRpw6am1CriFKFz2iELmun1j7Qee3zltVj/KYiEZ1u2kSC/B3
pJcNyK2T8nxIU2QmNFrfa/lNressO5I+bZ+h7cwT2k8QV61HCU+weC1QF3TweFU2
/t0SWbd2hbP2Xy30RbMPg5Jje8QYWhCGbSZgwUw7RFc+FEtDnXFsf/0/DRzWlhDQ
baTZ4UdvV/actU2sP6uYECcwzmaMpVRyvRpnKEsWzN7TE51GzgdiZNtksZmtL1Sw
Xn7V0YjigoEVBvA/t9yOFF0XfTTk82tOHkyqjZOb3ekuC3H1gLOLsx/q9/ZLzf2S
BMpIxgXmQBji+IDFyBZk92uxPc7n9FHnezpVlaYoxbkcWSQzduuYyqe7wrCxQY9J
7dkCp3hBfFxBaBpc+pCxrJZEcFgn6YJq5f4rv/I0v5YCCcvnomUlceZ97FXbZzjw
XqXOiO88UxgeXrn+/fW2tLPxXJQytPp4uDYHTabO0ONGfzv4pAkXNPEokc+C9sZw
fnFyIdSDFAEuC1OSQDgF
=amYX
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 83-1] ffmpeg update
Next by Date: [SECURITY] [DLA 85-1] libxml-security-java security update
Previous by thread: [SECURITY] [DLA 83-1] ffmpeg update
Next by thread: [SECURITY] [DLA 85-1] libxml-security-java security update
Index(es):
- Date
- Thread