
curl: information leak

Package(s): curl
CVE #(s): CVE-2014-3707
Created: November 7, 2014
Updated: January 5, 2015
Description:

From the Debian advisory:

Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL, an URL transfer library, has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing a HTTP POST operation.

This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used in that order, and then the duplicate handle must be used to perform the HTTP POST. The curl command line tool is not affected by this problem as it does not use this sequence.
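
As an added example (not part of the advisory or of curl itself), a source-audit heuristic for the sequence described above: it flags C code where CURLOPT_COPYPOSTFIELDS is set on a handle that is later passed to curl_easy_duphandle(), and records whether the duplicate reaches curl_easy_perform(). The function names and the sample snippet are constructed for illustration; matching is textual, with no control-flow analysis.

```python
import re

# The three libcurl calls named in the advisory, matched textually.
COPY_RE = re.compile(r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*CURLOPT_COPYPOSTFIELDS\b")
DUP_RE = re.compile(r"(\w+)\s*=\s*curl_easy_duphandle\s*\(\s*(\w+)\s*\)")
PERFORM_RE = re.compile(r"curl_easy_perform\s*\(\s*(\w+)\s*\)")
# String literals are matched first so "//" inside a URL is not taken for a comment.
SKIP_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)


def strip_comments(src):
    """Blank out C comments, keeping strings and newlines (line numbers stay valid)."""
    def blank(m):
        text = m.group()
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return SKIP_RE.sub(blank, src)


def find_affected_sequences(src):
    """Flag handles that get CURLOPT_COPYPOSTFIELDS and are duplicated afterwards.
    Source order only: no control-flow or alias analysis (assumed enough for triage)."""
    copy_set = {}   # handle variable -> line where COPYPOSTFIELDS was first set
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in COPY_RE.finditer(line):
            copy_set.setdefault(m.group(1), lineno)
        for m in DUP_RE.finditer(line):
            dup, orig = m.groups()
            if orig in copy_set:
                findings.append({"handle": orig, "set_line": copy_set[orig],
                                 "dup": dup, "dup_line": lineno, "perform_line": None})
        for m in PERFORM_RE.finditer(line):
            for f in findings:
                if f["dup"] == m.group(1) and f["perform_line"] is None:
                    f["perform_line"] = lineno
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = r'''
CURL *h = curl_easy_init();
curl_easy_setopt(h, CURLOPT_URL, "https://example.test/upload");
curl_easy_setopt(h, CURLOPT_POSTFIELDSIZE, (long)len);
curl_easy_setopt(h, CURLOPT_COPYPOSTFIELDS, buf);
/* curl_easy_setopt(x, CURLOPT_COPYPOSTFIELDS, buf); */
CURL *d = curl_easy_duphandle(h);
CURL *e = curl_easy_duphandle(x);
curl_easy_perform(d);
'''
```

A finding with a non-empty `perform_line` matches all three conditions in the advisory text; one without it still deserves a manual look, since the duplicate may be used elsewhere.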

Alerts:
Scientific Linux SLSA-2015:2159-6 curl 2015-12-21
Oracle ELSA-2015-2159 curl 2015-11-23
Red Hat RHSA-2015:2159-06 curl 2015-11-19
Scientific Linux SLSA-2015:1254-2 curl 2015-08-03
Oracle ELSA-2015-1254 curl 2015-07-29
Red Hat RHSA-2015:1254-02 curl 2015-07-22
Mandriva MDVSA-2015:098 curl 2015-03-28
openSUSE openSUSE-SU-2015:0248-1 curl 2015-02-10
Fedora FEDORA-2014-16690 curl 2015-01-03
Fedora FEDORA-2014-17601 mingw-curl 2015-01-02
Fedora FEDORA-2014-16538 curl 2014-12-13
Fedora FEDORA-2014-16605 curl 2014-12-15
Fedora FEDORA-2014-17596 mingw-curl 2015-01-02
Fedora FEDORA-2014-15706 curl 2014-12-01
Mandriva MDVSA-2014:213 curl 2014-11-18
Mageia MGASA-2014-0444 curl 2014-11-14
Ubuntu USN-2399-1 curl 2014-11-10
Fedora FEDORA-2014-14354 curl 2014-11-10
Debian DSA-3069-1 curl 2014-11-07
