Debian: DSA-2660-1: curl security update
Debian: DSA-2660-1: curl security update
Yamada Yasuharu discovered that cURL, an URL transfer library, is vulnerable to expose potentially sensitive information when doing requests across domains with matching tails. Due to a bug in the tailmatch function when matching domain names, it was possible that
- ------------------------------------------------------------------------- Debian Security Advisory DSA-2660-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Salvatore Bonaccorso April 20, 2013 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : curl Vulnerability : exposure of sensitive information Problem type : remote Debian-specific: no CVE ID : CVE-2013-1944 Debian Bug : 705274 Yamada Yasuharu discovered that cURL, an URL transfer library, is vulnerable to expose potentially sensitive information when doing requests across domains with matching tails. Due to a bug in the tailmatch function when matching domain names, it was possible that cookies set for a domain 'ample.com' could accidentally also be sent by libcurl when communicating with 'example.com'. Both curl the command line tool and applications using the libcurl library are vulnerable. For the stable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze3. For the testing distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy2. For the unstable distribution (sid), this problem has been fixed in version 7.29.0-2.1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.