Debian Security Advisory
DSA-3638-1 curl -- security update
- Date Reported:
- 03 Aug 2016
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2016-5419, CVE-2016-5420, CVE-2016-5421.
- More information:
Several vulnerabilities were discovered in cURL, an URL transfer library:
Bru Rom discovered that libcurl would attempt to resume a TLS session even if the client certificate had changed.
It was discovered that libcurl did not consider client certificates when reusing TLS connections.
Marcelo Echeverria and Fernando Muñoz discovered that libcurl was vulnerable to a use-after-free flaw.
For the stable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u4.
For the unstable distribution (sid), these problems have been fixed in version 7.50.1-1.
We recommend that you upgrade your curl packages.