
openSUSE Leap 15.0: 2018-1624-1 Moderate: curl Buffer Overflow

opensuse
June 9, 2018
An update to openSUSE addresses significant vulnerabilities in curl, providing essential patches for buffer overflow and memory over-read flaws.
An update that fixes two vulnerabilities is now available.

Description

This update for curl to version 7.60.0 fixes the following issues:

These security issues were fixed:

- CVE-2018-1000300: Prevent heap-based buffer overflow when closing down an FTP connection with very long server command replies (bsc#1092094).

- CVE-2018-1000301: Prevent buffer over-read that could have caused reading data beyond the end of a heap-based buffer used to store downloaded RTSP content (bsc#1092098).

These non-security issues were fixed:

- Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol

- Add --haproxy-protocol for the command line tool

- Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses

- FTP: fix typo in recursive callback detection for seeking

- test1208: marked flaky

- HTTP: make header-less responses still count correct body size

- user-agent.d: mention --proxy-header as well

- http2: fixes typo

- cleanup: misc typos in strings and comments

- rate-limit: use three...


Patch

Patch Instructions:

To install this openSUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-589=1

Package List

- openSUSE Leap 15.0 (i586 x86_64):

curl-7.60.0-lp150.2.3.1

curl-debuginfo-7.60.0-lp150.2.3.1

curl-debugsource-7.60.0-lp150.2.3.1

curl-mini-7.60.0-lp150.2.3.1

curl-mini-debuginfo-7.60.0-lp150.2.3.1

curl-mini-debugsource-7.60.0-lp150.2.3.1

libcurl-devel-7.60.0-lp150.2.3.1

libcurl-mini-devel-7.60.0-lp150.2.3.1

libcurl4-7.60.0-lp150.2.3.1

libcurl4-debuginfo-7.60.0-lp150.2.3.1

libcurl4-mini-7.60.0-lp150.2.3.1

libcurl4-mini-debuginfo-7.60.0-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):

libcurl-devel-32bit-7.60.0-lp150.2.3.1

libcurl4-32bit-7.60.0-lp150.2.3.1

libcurl4-32bit-debuginfo-7.60.0-lp150.2.3.1
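
To confirm the update actually landed, compare what a host reports against the fixed build in the package list above. The following is an added example, not part of the advisory: the function names and the sample rpm output are constructed, and the version comparison is a simplified rpmvercmp (no epoch, tilde or caret handling).

```python
import re

# From the advisory's package list (debuginfo/debugsource packages left out).
FIXED_EVR = "7.60.0-lp150.2.3.1"
PATCHED_PACKAGES = {"curl", "curl-mini", "libcurl-devel", "libcurl-mini-devel",
                    "libcurl4", "libcurl4-mini", "libcurl-devel-32bit",
                    "libcurl4-32bit"}

def rpm_seg_cmp(a, b):
    """rpmvercmp-style compare of two version or release strings (-1, 0, 1).
    Tilde and caret handling is not implemented."""
    # rpm compares runs of digits or letters; separators such as '.' are ignored.
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)             # numeric, so 9 < 60
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric run beats letters
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover runs win

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpm_seg_cmp(va, vb) or rpm_seg_cmp(ra, rb)

def unpatched(rpm_query_output):
    """Return sorted (name, evr) pairs older than the advisory's fixed build.
    Expects one 'name version-release' pair per line."""
    hits = []
    for line in rpm_query_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in PATCHED_PACKAGES:
            if evr_cmp(parts[1], FIXED_EVR) < 0:
                hits.append((parts[0], parts[1]))
    return sorted(hits)

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
curl 7.59.0-lp150.1.2
libcurl4 7.60.0-lp150.2.3.1
libcurl4-32bit 7.60.0-lp150.2.2.1
bash 4.4-lp150.7.8
"""

if __name__ == "__main__":
    for name, evr in unpatched(SAMPLE):
        print(f"{name} {evr} is older than {FIXED_EVR}")
```

The 32-bit library in the sample shows why each listed package is checked separately: a host can carry a patched libcurl4 alongside an older libcurl4-32bit.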

References

https://www.suse.com/security/cve/CVE-2018-1000300.html

https://www.suse.com/security/cve/CVE-2018-1000301.html

https://bugzilla.suse.com/1092094

https://bugzilla.suse.com/1092098

--

Announcement ID: openSUSE-SU-2018:1624-1
Rating: moderate
Affected Products: openSUSE Leap 15.0
