Package : curl
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2005-4077 CVE-2005-3185
BugTraq ID : 15756 15102 15647
Debian Bug : 342339 342696
Several problems were discovered in libcurl, a multi-protocol file
transfer library. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2005-3185
A vulnerability has been discovered a buffer overflow in libcurl
that could allow the execution of arbitrary code.
CVE-2005-4077
Stefan Esser discovered several off-by-one errors that allows
local users to trigger a buffer overflow and cause a denial of
service or bypass PHP security restrictions via certain URLs.
For the old stable distribution (woody) these problems have been fixed in
version 7.9.5-1woody1.
For the stable distribution (sarge) these problems have been fixed in
version 7.13.2-2sarge4. This update also includes a bugfix against
data corruption.
For the unstable distribution (sid) these problems have been fixed in
version 7.15.1-1.
We recommend that you upgrade your libcurl packages.
Hats off to the LibCurl programmers.
Isn't this old? Or is there a new one? I remember lynx and curl had a couple (really stupid) vulnerabilities a couple months ago. It's possible that it's taken Debian this long to patch it, though, I often see them re-post really old vulnerabilities when they update their distro :)
I wouldn't know if it was old, I just recently subscribed to bugtraq..
Yeah, I checked out CVE-2005-3185.
It's from October 12/05.
Debian is just slow. Stupid Debian, Slackware for life :)
Oh.. god that's lame.
Or was it December 10... it's 20051012, take that how you want :)