Debian Security Advisory

DLA-1672-1 curl -- LTS security update

Date Reported:
11 Feb 2019
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2018-16890, CVE-2019-3822, CVE-2019-3823.
More information:

It was discovered that there were three vulnerabilities in the curl command-line HTTP (etc.) client:

  • CVE-2018-16890

    A heap buffer out-of-bounds read vulnerability in the handling of NTLM type-2 messages.

  • CVE-2019-3822

    Stack-based buffer overflow in the handling of outgoing NTLM type-3 headers.

  • CVE-2019-3823

    Heap out-of-bounds read in code handling the end of a response in the SMTP protocol.

For Debian 8 Jessie, this issue has been fixed in curl version 7.38.0-4+deb8u14.

We recommend that you upgrade your curl packages.