Debian Security Advisory DSA 3992-1 (curl - security update)

Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2017-1000100 Even Rouault reported that cURL does not properly handle long file names when doing an TFTP upload. A malicious HTTP(S) server can take advantage of this flaw by redirecting a client using the cURL library to a crafted TFTP URL and trick it to send private memory contents to a remote server over UDP. CVE-2017-1000101 Brian Carpenter and Yongji Ouyang reported that cURL contains a flaw in the globbing function that parses the numerical range, leading to an out-of-bounds read when parsing a specially crafted URL. CVE-2017-1000254 Max Dymond reported that cURL contains an out-of-bounds read flaw in the FTP PWD response parser. A malicious server can take advantage of this flaw to effectively prevent a client using the cURL library to work with it, causing a denial of service.

curl on Debian Linux

This check tests the installed software version using the apt package manager.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u6. For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u1. We recommend that you upgrade your curl packages.