-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3069-1 security@xxxxxxxxxx http://www.debian.org/security/ Salvatore Bonaccorso November 07, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : curl CVE ID : CVE-2014-3707 Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL, an URL transfer library, has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing a HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used in that order, and then the duplicate handle must be used to perform the HTTP POST. The curl command line tool is not affected by this problem as it does not use this sequence. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy11. For the upcoming stable distribution (jessie), this problem will be fixed in version 7.38.0-3. For the unstable distribution (sid), this problem has been fixed in version 7.38.0-3. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJUXOZkAAoJEAVMuPMTQ89EQvIP/jTcVO/fBOQVvWe8s3wu89g5 vsNsBRLeeSpWzNR57QOBqa7lnbpu4WKjhKjHjYGyOXIGB9YU+J+oRpBph8IIYG7W zA2QwcLSQhS5vuYiUGPkdwXcILC57jE+jUO0Ycw8cwQiIEc0Dc+mpvXlUDX6W6Aa 8KEe8NUkqrUWcNCsAx1XTQ0S/IbFCKfs0fNx0LwBaozN6+2NtiINu96G8lsob93u TmGGKCoyd0QQGdShfou5sIJjldOW7P7YkpdnS3GiJHcw0fNAm9FOOxEqAUSGvmlG jJFQCb4I/tK2Kmm14JAvW5upJhM99MFcY/OLAYghtcpchc8CQIX8BHuxwswl6gyc yppbKfzd2/6BvPgJuPsgEQbrs+LmvA71cjKvSiRAZjC73IZ5gdFpc50kDG5fCkqs qyTOmafKhDB+wktq5AJfPEks20/qVcFwBg6pUyyALUDdhheJ2jCPhcTLpjpSXUGq OlVfaRp2M+AzNGOHyhWtHflHWHvDWiQlxVgqgedEmejx/VVXJwZQYhnBalwkWnLi XXr1v1li+iuOeYqDH+fHhIN77V9knH0Z3+ezYHcWJtfg+oaLGDW6vFL6BHs0R7Hf 50ZjtwJ+wBq+RpRL+msSAW4Qn3CJu/BWhirmg+PomavAR94gzP3mQf5mV2kbqzbO b8edemI/kKuoGhSkhVz5 =4K+N -----END PGP SIGNATURE-----
