Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.2094
curl security update
10 November 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: curl
Publisher: Debian
Operating System: Debian GNU/Linux 7
Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2014-3707
Original Bulletin:
http://www.debian.org/security/2014/dsa-3069
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running curl check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3069-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
November 07, 2014 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : curl
CVE ID : CVE-2014-3707
Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL, an URL transfer library, has a bug that can lead to libcurl
eventually sending off sensitive data that was not intended for sending,
while performing a HTTP POST operation.
This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be
used in that order, and then the duplicate handle must be used to
perform the HTTP POST. The curl command line tool is not affected by
this problem as it does not use this sequence.
For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy11.
For the upcoming stable distribution (jessie), this problem will be
fixed in version 7.38.0-3.
For the unstable distribution (sid), this problem has been fixed in
version 7.38.0-3.
We recommend that you upgrade your curl packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJUXOZkAAoJEAVMuPMTQ89EQvIP/jTcVO/fBOQVvWe8s3wu89g5
vsNsBRLeeSpWzNR57QOBqa7lnbpu4WKjhKjHjYGyOXIGB9YU+J+oRpBph8IIYG7W
zA2QwcLSQhS5vuYiUGPkdwXcILC57jE+jUO0Ycw8cwQiIEc0Dc+mpvXlUDX6W6Aa
8KEe8NUkqrUWcNCsAx1XTQ0S/IbFCKfs0fNx0LwBaozN6+2NtiINu96G8lsob93u
TmGGKCoyd0QQGdShfou5sIJjldOW7P7YkpdnS3GiJHcw0fNAm9FOOxEqAUSGvmlG
jJFQCb4I/tK2Kmm14JAvW5upJhM99MFcY/OLAYghtcpchc8CQIX8BHuxwswl6gyc
yppbKfzd2/6BvPgJuPsgEQbrs+LmvA71cjKvSiRAZjC73IZ5gdFpc50kDG5fCkqs
qyTOmafKhDB+wktq5AJfPEks20/qVcFwBg6pUyyALUDdhheJ2jCPhcTLpjpSXUGq
OlVfaRp2M+AzNGOHyhWtHflHWHvDWiQlxVgqgedEmejx/VVXJwZQYhnBalwkWnLi
XXr1v1li+iuOeYqDH+fHhIN77V9knH0Z3+ezYHcWJtfg+oaLGDW6vFL6BHs0R7Hf
50ZjtwJ+wBq+RpRL+msSAW4Qn3CJu/BWhirmg+PomavAR94gzP3mQf5mV2kbqzbO
b8edemI/kKuoGhSkhVz5
=4K+N
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVGABwRLndAQH1ShLAQKqkA/8Cavuxq5CPx69fUJDqfHE803vFtAHtBSi
17CaR4wTxHjkFXXfCGiTbKoqdqlbimUPP4bDSO+xzhay/j1/R7wTEnz950+OU2EF
XGJSrcPKj2dXByvfxwO/sDlkWEdBeFfQasHOzU2ABVcVClSEDIAxC0VjCatUCZ5e
kYoxADU2twbw8eXrg4jN0hwpUadH8EuTY0UcynxUez12QeIqQIDgZgqKCAtZymxK
mE7os7nAlqWR66ty3pR+4fUoDCJi54UTI7FrIADsS/aXK/zfJrpHVXzbub/GF4+j
NvcNZ37H0Zn6S0Rf8a4sBPmJ6wQeqndzUvS726088cq/Yyy1b9c+KHFMH5I8o7C6
tKVvtTIEoCfRQhGkx73QYDRNYznoEIGFxwOKVCy8hTYaPWisYFYjjDEm43nmBwUM
zISzRAa8hFoLDnDNM130dl3OYf8VGWXmKWwbkQjnb/22Ai9UK3bIrzw9/43KiQGz
8KZ9hx90RpO3rj7ZrtyE2hygGu9AQk0wXAuQdRd6aK4+VeXksg/5ki0u0w+zo/dN
xSFC61mN47gpTE1Inho0bHMBpAxTCCGPQ0rNVQSyKkjV3suRGUBa/EoEJfzyyUNo
aVvQlE+C1ZvFjpmSCsMLQP+xyaEU/7+WgP4rkoqOjEyWqxUsaIoc2lhdOKN+Ou7k
J/DmvJ+DxsU=
=LjgF
-----END PGP SIGNATURE-----