Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 438
Alerts This Week
Warning Icon 1 438

Debian 8 DLA-1568-1 Critical: Curl Buffer Overflow Concerns

debian lts
Calendar Grey November 6, 2018
Dist Debian Esm H88
Urgent security patch for wget in Debian 8 to fix several flaws and safeguard against external threats.
Several vulnerabilities were discovered in cURL, an URL transfer library

Summary

When built with NSS and the libnsspem.so library is available at
runtime, allows an remote attacker to hijack the authentication of a
TLS connection by leveraging reuse of a previously loaded client
certificate from file for a connection for which no certificate has
been set, a different vulnerability than CVE-2016-5420.

CVE-2016-7167

Multiple integer overflows in the (1) curl_escape, (2)
curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape
functions in libcurl allow attackers to have unspecified impact via
a string of length 0xffffffff, which triggers a heap-based buffer
overflow.

CVE-2016-9586

Curl is vulnerable to a buffer overflow when doing a large floating
point output in libcurl's implementation of the printf() functions.
If there are any applications that accept a format string from the
outside without necessary input filtering, it could allow remote
attacks.

CVE-2018-16839

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Package: curl
Version: 7.38.0-4+deb8u13
CVE ID: CVE-2016-7141 CVE-2016-7167 CVE-2016-9586
Debian Bug: 848958 837945 836918

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.