Debian Security Advisory

DSA-4098-1 curl -- security update

Date Reported:
26 Jan 2018
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2018-1000005, CVE-2018-1000007.
More information:

Two vulnerabilities were discovered in cURL, an URL transfer library.

  • CVE-2018-1000005

    Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie).

  • CVE-2018-1000007

    Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9.

For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u4.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to its security tracker page at: