Debian Security Advisory DSA 1738-1 (curl)
Information
Severity
Family
CVSSv2 Base
CVSSv2 Vector
Solution Type
Created
Modified
Summary
The remote host is missing an update to curl announced via advisory DSA 1738-1.
Insight
David Kierznowski discovered that libcurl, a multi-protocol file transfer library, when configured to follow URL redirects automatically, does not question the new target location. As libcurl also supports file:// and scp:// URLs - depending on the setup - an untrusted server could use that to expose local files, overwrite local files or even execute arbitrary code via a malicious URL redirect.
This update introduces a new option called CURLOPT_REDIR_PROTOCOLS which by default does not include the scp and file protocol handlers.
For the oldstable distribution (etch) this problem has been fixed in version 7.15.5-1etch2.
For the stable distribution (lenny) this problem has been fixed in version 7.18.2-8lenny2.
For the unstable distribution (sid) this problem has been fixed in version 7.18.2-8.1.
We recommend that you upgrade your curl packages.
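
The redirect protocol restriction described above, sketched as an added example (not libcurl's code and not part of the advisory): a check that decides from a `Location` value whether a redirect may be followed under a protocol mask. The `P_*` bits, the function names and the sample URLs are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical protocol bits for this example; libcurl's own are CURLPROTO_*. */
enum { P_HTTP = 1, P_HTTPS = 2, P_FTP = 4, P_SCP = 8, P_FILE = 16 };

static const struct { const char *name; unsigned bit; } known[] = {
    {"http", P_HTTP}, {"https", P_HTTPS}, {"ftp", P_FTP},
    {"scp", P_SCP}, {"file", P_FILE},
};

/* Protocol bit for the scheme of `url`; `base_bit` when the URL is a relative
 * reference (it inherits the current scheme); 0 for an unknown scheme. */
static unsigned scheme_bit(const char *url, unsigned base_bit)
{
    size_t n = 0, i, j;
    while (isspace((unsigned char)*url)) url++;
    /* RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
    if (!isalpha((unsigned char)url[0])) return base_bit;
    while (isalnum((unsigned char)url[n]) || url[n] == '+' ||
           url[n] == '-' || url[n] == '.') n++;
    if (url[n] != ':') return base_bit;
    for (i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (strlen(known[i].name) != n) continue;
        for (j = 0; j < n; j++)
            if (tolower((unsigned char)url[j]) != known[i].name[j]) break;
        if (j == n) return known[i].bit;
    }
    return 0; /* absolute URL with an unlisted scheme: never follow */
}

/* 1 if a redirect to `location` may be followed under the `allowed` mask. */
int redirect_allowed(const char *location, unsigned base_bit, unsigned allowed)
{
    return (scheme_bit(location, base_bit) & allowed) != 0;
}

int main(void)
{
    /* Constructed Location header values, not taken from the advisory. */
    const char *loc[] = {"https://example.org/next", "/relative/path",
                         "file:///etc/passwd", "SCP://host.example/f"};
    unsigned safe = P_HTTP | P_HTTPS; /* redirect mask without scp and file */
    for (size_t i = 0; i < sizeof loc / sizeof loc[0]; i++)
        printf("%-28s %s\n", loc[i],
               redirect_allowed(loc[i], P_HTTP, safe) ? "follow" : "refuse");
    return 0;
}
```

In an application that uses libcurl directly, the same restriction is applied with `curl_easy_setopt(handle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)`.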
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201738-1