Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 735
Alerts This Week
Warning Icon 1 735

Debian Wheezy DLA-1309-1 Critical: curl FTP and LDAP Issues

debian lts
Calendar Grey March 18, 2018
Dist Debian Esm H88
Several security flaws in cURL addressed through an update for Debian Wheezy. Users are advised to upgrade.
Multiple vulnerabilities were found in cURL, an URL transfer library: CVE-2018-1000120

Summary

CVE-2018-1000120

Duy Phan Thanh reported that curl could be fooled into writing a zero byte
out of bounds when curl was told to work on an FTP URL, with the setting to
only issue a single CWD command. The issue could be triggered if the
directory part of the URL contained a "%00" sequence.

CVE-2018-1000121

Dario Weisser reported that curl might dereference a near-NULL address when
getting an LDAP URL. A malicious server that sends a particularly crafted
response could made crash applications that allowed LDAP URL relying on
libcurl.

CVE-2018-1000122

OSS-fuzz and Max Dymond found that curl can be tricked into copying data
beyond the end of its heap based buffer when asked to transfer an RTSP URL.
curl could calculate a wrong data length to copy from the read buffer.
This could lead to information leakage or a denial of service.


For Debian 7 "Wheezy", these problems have been fixed in version
7.26.0-1+wheezy25.

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

<pre><font face="Courier">Package: curl
Version: 7.26.0-1+wheezy25
CVE ID: CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.