
[SECURITY] [DLA 1672-1] curl security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : curl
Version        : 7.38.0-4+deb8u14
CVE IDs        : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823

It was discovered that there were three vulnerabilities in the curl
command-line HTTP (etc.) client:

 * CVE-2018-16890: A heap buffer out-of-bounds read vulnerability in
   the handling of NTLM type-2 messages.

 * CVE-2019-3822: Stack-based buffer overflow in the handling of
   outgoing NTLM type-3 headers.

 * CVE-2019-3823: Heap out-of-bounds read in code handling
   the end of a response in the SMTP protocol.

For Debian 8 "Jessie", these issues have been fixed in curl version
7.38.0-4+deb8u14.

We recommend that you upgrade your curl packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

