Debian Security Advisory DSA-4051-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

November 29, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------



Package : curl

CVE ID : CVE-2017-8816 CVE-2017-8817



Two vulnerabilities were discovered in cURL, an URL transfer library.



CVE-2017-8816



Alex Nichols discovered a buffer overrun flaw in the NTLM authentication

code which can be triggered on 32bit systems where an integer overflow

might occur when calculating the size of a memory allocation.



CVE-2017-8817



Fuzzing by the OSS-Fuzz project led to the discovery of a read out of

bounds flaw in the FTP wildcard function in libcurl. A malicious server

could redirect a libcurl-based client to an URL using a wildcard pattern,

triggering the out-of-bound read.



For the oldstable distribution (jessie), these problems have been fixed

in version 7.38.0-4+deb8u8.



For the stable distribution (stretch), these problems have been fixed in

version 7.52.1-5+deb9u3.



We recommend that you upgrade your curl packages.



For the detailed security status of curl please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/curl



Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/



Mailing list: debian-security-announce@lists.debian.org

