DSA-2398-2 curl -- several vulnerabilities

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: April 13, 2012
Added: January 28, 2013
Modified: March 03, 2014

Description

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
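As an added illustration (not code from curl, Debian, or this advisory), an application that passes user-supplied mail URLs to a URL-fetching library can refuse any URL that contains control characters once percent-decoded. The function name `reject_reason`, the decoding limit, the inclusion of the TLS scheme variants, and the sample URLs in the comments are assumptions made for this example.

```python
from urllib.parse import urlsplit, unquote_to_bytes

# Line-oriented protocols named in the description above; the TLS variants
# are included as an assumption of this example.
LINE_BASED_SCHEMES = {"imap", "pop3", "smtp", "imaps", "pop3s", "smtps"}


def has_control(data: bytes) -> bool:
    """True if data contains a C0 control byte (CR and LF included) or DEL."""
    return any(b < 0x20 or b == 0x7F for b in data)


def reject_reason(url: str, rounds: int = 3):
    """Return None if the URL is acceptable, else a short reason string.

    The URL is percent-decoded repeatedly so that double-encoded sequences
    (%250d%250a) are caught as well; this is stricter than a single decode.
    """
    data = url.encode("utf-8", "backslashreplace")
    # Check the raw string first: urlsplit() silently drops raw CR/LF/TAB.
    if has_control(data):
        return "raw control character in URL"
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:
        return "unparseable URL"
    if scheme not in LINE_BASED_SCHEMES:
        return "scheme not handled by this check"
    for n in range(1, rounds + 1):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            return None  # nothing left to decode, no control bytes seen
        if has_control(decoded):
            return f"control character after {n} percent-decoding pass(es)"
        data = decoded
    return f"still percent-encoded after {rounds} passes"


if __name__ == "__main__":
    # Constructed sample URLs; mail.example.com is a placeholder host.
    for sample in (
        "imap://mail.example.com/INBOX",
        "pop3://mail.example.com/1%0d%0aINJECTED",
        "smtp://mail.example.com/host%250d%250aINJECTED",
    ):
        print(sample, "->", reject_reason(sample) or "ok")
```

A check like this complements the package upgrade; it does not replace it.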

Solution

Upgrade all packages built against source package curl.

Use `apt-get install` to upgrade any installed packages from this list:

  • curl
  • libcurl3
  • libcurl3-dbg
  • libcurl3-gnutls
  • libcurl3-nss
  • libcurl4-gnutls-dev
  • libcurl4-nss-dev
  • libcurl4-openssl-dev
