-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2525
                            curl security update
                               9 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           curl
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000254 CVE-2017-1000101 CVE-2017-1000100

Reference:         ESB-2017.2343

Original Bulletin:
   http://www.debian.org/security/2017/dsa-3992

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3992-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 06, 2017                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254
Debian Bug     : 871554 871555 877671

Several vulnerabilities have been discovered in cURL, a URL transfer
library. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2017-1000100

    Even Rouault reported that cURL does not properly handle long file
    names when doing a TFTP upload. A malicious HTTP(S) server can take
    advantage of this flaw by redirecting a client using the cURL library
    to a crafted TFTP URL and trick it into sending private memory
    contents to a remote server over UDP.

CVE-2017-1000101

    Brian Carpenter and Yongji Ouyang reported that cURL contains a flaw
    in the globbing function that parses the numerical range, leading to
    an out-of-bounds read when parsing a specially crafted URL.

CVE-2017-1000254

    Max Dymond reported that cURL contains an out-of-bounds read flaw in
    the FTP PWD response parser. A malicious server can take advantage of
    this flaw to effectively prevent a client using the cURL library from
    working with it, causing a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u6.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
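The advisory gives a fixed package version per release, so the practical check is whether the installed curl version sorts at or above it under Debian's version-ordering rules (epoch, then upstream, then revision, with `~` sorting before everything and `+deb8u6`-style suffixes sorting after a bare revision). The following is an added example, not part of the bulletin or of Debian's tooling: it implements that ordering in Python and compares an installed version string against the two fixed versions quoted above. The `FIXED` table, `is_fixed` and the sample version strings in the test are assumptions for this example; on a real host the installed value would come from `dpkg-query -W -f='${Version}' curl`.

```python
import re

# Fixed curl versions from DSA-3992-1 (values taken from the advisory above).
FIXED = {"jessie": "7.38.0-4+deb8u6", "stretch": "7.52.1-5+deb9u1"}

def _cmp(x, y):
    return (x > y) - (x < y)

def _key(s):
    # Debian order for a non-digit run: '~' sorts before everything (even the
    # end of the run), then end-of-run, then letters, then every other character.
    return [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in s] + [0]

def _cmp_part(a, b):
    # Alternate non-digit runs (Debian lexical order) and digit runs (numeric).
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        r = _cmp(_key(ma.group()), _key(mb.group()))
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        r = _cmp(int(ma.group() or 0), int(mb.group() or 0))
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; a missing epoch or revision counts as 0.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering versions like 'dpkg --compare-versions'."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return _cmp(ea, eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(installed, release):
    """True if the installed curl version is at or above the DSA-3992-1 fix."""
    return compare_versions(installed, FIXED[release]) >= 0
```

A version below the fixed one for its release means the package still carries the three flaws described above and should be upgraded.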