Debian Security Advisory

DLA-1672-1 curl -- LTS security update

Date Reported:
11 Feb 2019
Affected Packages:
curl
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2018-16890, CVE-2019-3822, CVE-2019-3823.
More information:

It was discovered that there were three vulnerabilities in curl, a command-line tool and library (libcurl) for transferring data over HTTP, SMTP and other protocols:

  • CVE-2018-16890

    A heap buffer out-of-bounds read in the code that handles NTLM type-2 (challenge) messages received from a server: a malicious or broken server can make curl read beyond the end of a heap buffer.

  • CVE-2019-3822

    A stack-based buffer overflow in the code that builds the outgoing NTLM type-3 (authentication) header. The oversized data originates from the server's earlier type-2 message, so a malicious server can trigger it.

  • CVE-2019-3823

    A heap out-of-bounds read in the code that detects the end of a server response in the SMTP protocol.

For Debian 8 Jessie, these issues have been fixed in curl version 7.38.0-4+deb8u14.

We recommend that you upgrade your curl packages.
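Verifying that an upgrade actually landed means comparing the installed version against 7.38.0-4+deb8u14, and the deb8uNN suffix trips up naive string comparison (as a string, "deb8u9" sorts after "deb8u14"). On a Jessie host the native check is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' curl)" ge 7.38.0-4+deb8u14`. The following added example, which is not part of the advisory or of Debian's tooling, re-implements dpkg's version-ordering rules in Python so the same check can be run anywhere, for instance over package inventories collected from many hosts. The dpkg-query output lines it parses are constructed for the example, and the package names other than curl are assumed for the illustration.

```python
"""Check Debian package versions against the fixed version from DLA-1672-1,
using dpkg's version-ordering rules (epoch, upstream, Debian revision;
alternating non-digit / digit runs; '~' sorts before everything).

Added example, not Debian's code. The sample dpkg-query output below is
constructed; on a real host you would feed it the output of
    dpkg-query -W -f='${Package} ${Version}\n' curl 'libcurl3*'
"""

FIXED_VERSION = "7.38.0-4+deb8u14"   # Debian 8 Jessie fix from DLA-1672-1


def _order(ch: str) -> int:
    """Sort weight of one character, mirroring dpkg's verrevcmp() order()."""
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1          # '~' sorts before anything, even end of string
    if ch:
        return ord(ch) + 256
    return 0               # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments dpkg-style: non-digit runs by character
    weight, digit runs numerically (leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare as a number.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")   # dpkg uses the last '-'
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def check_dpkg_output(output: str, fixed: str = FIXED_VERSION) -> dict:
    """Map each '<package> <version>' line to True (fixed) or False (vulnerable)."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        pkg, ver = line.split()
        result[pkg] = is_patched(ver, fixed)
    return result


# Constructed sample of a partially updated Jessie host (not real output).
SAMPLE_OUTPUT = """\
curl 7.38.0-4+deb8u14
libcurl3 7.38.0-4+deb8u9
libcurl3-gnutls 7.38.0-4+deb8u14
"""

if __name__ == "__main__":
    for pkg, ok in check_dpkg_output(SAMPLE_OUTPUT).items():
        print(f"{pkg}: {'fixed' if ok else 'VULNERABLE'}")
```

The libcurl3 line in the constructed sample is the case to watch for: a plain string comparison would report 7.38.0-4+deb8u9 as newer than the fixed version, while dpkg ordering correctly flags it as still vulnerable. Since the advisory covers the library as well as the command-line tool, the check should include every binary package built from the curl source, not just `curl`.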