-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Nov 2018 19:01:46 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source amd64 all
Version: 7.38.0-4+deb8u13
Distribution: jessie-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Changes:
 curl (7.38.0-4+deb8u13) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix the following security vulnerabilities:
   * CVE-2016-7141: When built with NSS and the libnsspem.so library is
     available at runtime, allows a remote attacker to hijack the
     authentication of a TLS connection by leveraging reuse of a previously
     loaded client certificate from file for a connection for which no
     certificate has been set, a different vulnerability than CVE-2016-5420.
   * CVE-2016-7167: Multiple integer overflows in the (1) curl_escape,
     (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape
     functions in libcurl allow attackers to have unspecified impact via a
     string of length 0xffffffff, which triggers a heap-based buffer overflow.
   * CVE-2016-9586: Curl is vulnerable to a buffer overflow when doing a large
     floating point output in libcurl's implementation of the printf()
     functions. If there are any applications that accept a format string
     from the outside without necessary input filtering, it could allow
     remote attacks.
   * CVE-2018-16839: Curl is vulnerable to a buffer overrun in the SASL
     authentication code that may lead to denial of service.
   * CVE-2018-16842: Curl is vulnerable to a heap-based buffer over-read in
     the tool_msgs.c:voutf() function that may result in information exposure
     and denial of service.
Checksums-Sha1:
 b34b966d02729261ecec96877371ddad1ab8d0d7 2824 curl_7.38.0-4+deb8u13.dsc
 ad36f716a2f43fe565c7bdaa0da0d3503d45bb31 56740 curl_7.38.0-4+deb8u13.debian.tar.xz
 a6ccebec9a142450aa562a0fe8fc7a1b553ba29c 201444 curl_7.38.0-4+deb8u13_amd64.deb
 d858fba70db29130d80d152657364f4fd0871060 260726 libcurl3_7.38.0-4+deb8u13_amd64.deb
 992765bfcf6f21afb514bbd214e202089b17bf9e 252808 libcurl3-gnutls_7.38.0-4+deb8u13_amd64.deb
 d11605fd4fb549d83b36fd8662c700393875348a 264186 libcurl3-nss_7.38.0-4+deb8u13_amd64.deb
 40fb2ddb28e0787b045195faee50d77330420cc3 338002 libcurl4-openssl-dev_7.38.0-4+deb8u13_amd64.deb
 c4ede5faf66c115bf9ad6941ce9950e8706cb3be 329630 libcurl4-gnutls-dev_7.38.0-4+deb8u13_amd64.deb
 da04f86e2560f32864d4873994d12268c563951d 342072 libcurl4-nss-dev_7.38.0-4+deb8u13_amd64.deb
 c75a656c4b818df9a1d0341bb7b55c00307ef671 3375356 libcurl3-dbg_7.38.0-4+deb8u13_amd64.deb
 d6c10ee74789621cf91b1814393a47dbd72d8920 1067858 libcurl4-doc_7.38.0-4+deb8u13_all.deb
Checksums-Sha256:
 0e3a424bd1c09fc2cd35711e521e2b288ef0ec6c06d899597d52a589a5e012e0 2824 curl_7.38.0-4+deb8u13.dsc
 26e740e89fe36a1ed4503b0e946dd1f8bcae23b7a7d6515986c5600b3bb352d1 56740 curl_7.38.0-4+deb8u13.debian.tar.xz
 8008eea9f79cf522064160c9599019ae5d239a8b67d4d15ce8f88ccfc1882ab3 201444 curl_7.38.0-4+deb8u13_amd64.deb
 63e0e48132d2933420c7a98cae62f1644ff6aba148dd91c7c723508534051638 260726 libcurl3_7.38.0-4+deb8u13_amd64.deb
 326beadc4fb48a27fc1e2a83c49c9094ffcbffcde5ef66ef8b8e5d359aea47cd 252808 libcurl3-gnutls_7.38.0-4+deb8u13_amd64.deb
 9e54214aa4e04aa6a0c8717c63df1022633759449728067556ed808ae657a865 264186 libcurl3-nss_7.38.0-4+deb8u13_amd64.deb
 c43dc3df54530d1c449ac59918e8b5c1b4a8ea76b79978e804aa29e9caff23b1 338002 libcurl4-openssl-dev_7.38.0-4+deb8u13_amd64.deb
 6abf3996558014b87e606abf607f7e40f15ed431043fd0e2e870caa779927909 329630 libcurl4-gnutls-dev_7.38.0-4+deb8u13_amd64.deb
 84ed2be793d877e46322f7f6c6ac0af316f7d9abb2bf14c44251651c6dec192e 342072 libcurl4-nss-dev_7.38.0-4+deb8u13_amd64.deb
 0224e5ca37af2389dd9eeedc948fb12960f17531010243e28bb8049eb89c1d07 3375356 libcurl3-dbg_7.38.0-4+deb8u13_amd64.deb
 e474b15ed88426d9d2923d976910156ff21328f5000a2240e5c53de5fc0b85d3 1067858 libcurl4-doc_7.38.0-4+deb8u13_all.deb
Files:
 2c592f28d8393c8ac6df790514b9d6d6 2824 web optional curl_7.38.0-4+deb8u13.dsc
 c0361514d5d5c08393c1c748cea2caaf 56740 web optional curl_7.38.0-4+deb8u13.debian.tar.xz
 dccd25b89a9f8962d615903ed0ba9b0d 201444 web optional curl_7.38.0-4+deb8u13_amd64.deb
 c532a80c27751ba4e97771d43d7e8225 260726 libs optional libcurl3_7.38.0-4+deb8u13_amd64.deb
 026db28b7989c6d774aa2f29f0d2de68 252808 libs optional libcurl3-gnutls_7.38.0-4+deb8u13_amd64.deb
 03c86d4f62826201643956347092d768 264186 libs optional libcurl3-nss_7.38.0-4+deb8u13_amd64.deb
 61c8f1a1fda141c4b4c1504b07c37378 338002 libdevel optional libcurl4-openssl-dev_7.38.0-4+deb8u13_amd64.deb
 f03b1517da68e1353a218844b6c408ea 329630 libdevel optional libcurl4-gnutls-dev_7.38.0-4+deb8u13_amd64.deb
 44ebdc113e5f07bd4e12bc70c7673acd 342072 libdevel optional libcurl4-nss-dev_7.38.0-4+deb8u13_amd64.deb
 e4549bd9cb4ac773a1895c21e71f87f8 3375356 debug extra libcurl3-dbg_7.38.0-4+deb8u13_amd64.deb
 1ecfe8dd59c9b114dae174c78fa0db41 1067858 doc optional libcurl4-doc_7.38.0-4+deb8u13_all.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlvh28VfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkVgsP+QEaXe6AuiLH1MhvUtHmWPa0Y5Oq0kMCocYX
dhSAuvolzRkROixFqSVCyZ18tDHpR+5UE4drx3tv7looDStPCITch/K04v8xT66f
xIn3GgvYUk+eP/9RfC7N9ulg9Db6Hv1+urMPOylrERwpjL6chOF9+oZnvcUwt/gE
L6UXzHDTjRFVZmq+QX6Mpf9i9kCY5BNVtj8C4G2+MJl9uYjKGxxHEtMzjCCMvHUy
7HTElyoPy79Q+LuahzXM5qr3pTe3QE3Z1hyCzvEFql8ZoOrsIawZbosuuuewkceV
XFMYaxGP2YqC8TwLKZXBZbkLVr42WqmS6ER9JrJEAGwoPw7GmbD7QDdlx91B6MfA
ZcnZDZWxi6nIYS3Gymn5b+6o3jl9ZfFzHTLFr0wiBeIqvHFLzvzXhMaMH9yWOkSx
ZywxbnUrdtUim341xr+lX9qxVS2aznwr6OrHdjZ7VcIIi9dU13Jn6M1sCvO6Vi1r
AQduMXojAWZYfmvhg/sc3w6rVYzHUwkuziuN9sepe9Bfwu/bPix3MBabf0gxl2hE
WBTE7gONsli+hPf9YO0BnOJO1YAuXKW4afmL9QKMQJ6zs2bX9s7ObHNHFNB6SeaB
d+vdAe4FcNepBEiMMsin+Ty/iCyUocLQmCOAWII7YU7LwNfIGN2AVQh11mxWhAti
qfWbOX3L
=y6OB
-----END PGP SIGNATURE-----
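Added example, not part of the Debian upload above or of the curl project: a small Python verifier that parses the RFC822-style fields of a .changes file like this one, takes the Checksums-Sha256 entries, and checks downloaded package files against them (size first, then digest), rejecting malformed digests and filenames that carry a path component. It runs offline on constructed sample data (a fake .deb and a .changes snippet that lists the fake file's real sha256, plus one file that is not present); the function names parse_changes, parse_checksums, verify_files and demo are this example's own. The checksums only mean something once the cleartext signature on the .changes has been verified with gpg against the Debian keyring; whoever can swap a .deb on an untrusted mirror can rewrite an unverified checksum list just as easily. Use the Sha256 field rather than the MD5 digests in Files:, which are kept only for compatibility with older tooling.

```python
"""Verify package files against the Checksums-Sha256 field of a Debian
.changes file.  Added example; not part of the Debian upload or of curl.
Function names (parse_changes, parse_checksums, verify_files, demo) are
this example's own."""
import hashlib
import os
import re
import tempfile

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def _signed_body(text):
    """Yield the cleartext lines of a PGP-signed .changes: skip the armor
    header block (through the blank line after 'Hash:'), stop at the
    signature, and undo cleartext dash-escaping ('- ' prefix)."""
    state = "body"
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            state = "armor-headers"
            continue
        if state == "armor-headers":
            if line.strip() == "":
                state = "body"
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        yield line[2:] if line.startswith("- ") else line


def parse_changes(text):
    """Parse RFC822-style fields into a dict; continuation lines (leading
    whitespace) are appended to the current field, one per line."""
    fields = {}
    current = None
    for line in _signed_body(text):
        if line[:1] in (" ", "\t"):
            if current is not None:
                fields[current] += "\n" + line.strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        else:
            current = None  # a blank or foreign line ends the current field
    return fields


def parse_checksums(fields, field="Checksums-Sha256"):
    """Return [(digest, size, filename)] from a Checksums-* field, rejecting
    malformed sha256 digests and filenames that are not a bare basename."""
    entries = []
    for line in fields.get(field, "").splitlines():
        if not line.strip():
            continue
        digest, size, filename = line.split()
        if field == "Checksums-Sha256" and not SHA256_RE.match(digest):
            raise ValueError("malformed sha256 digest for %s" % filename)
        if os.path.basename(filename) != filename:
            raise ValueError("path component in filename %r" % filename)
        entries.append((digest, int(size), filename))
    return entries


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text, directory):
    """Check every Checksums-Sha256 entry under `directory`.  Returns
    {filename: 'ok' | 'missing' | 'size-mismatch' | 'sha256-mismatch'}."""
    results = {}
    for digest, size, filename in parse_checksums(parse_changes(changes_text)):
        path = os.path.join(directory, filename)
        if not os.path.isfile(path):
            results[filename] = "missing"
        elif os.path.getsize(path) != size:
            results[filename] = "size-mismatch"
        elif _sha256_file(path) != digest:
            results[filename] = "sha256-mismatch"
        else:
            results[filename] = "ok"
    return results


def demo():
    """Constructed end-to-end run: a fake .deb, a .changes snippet listing its
    real sha256 plus one absent file, then a same-size in-place corruption of
    the .deb.  Returns (results_before, results_after)."""
    name = "libcurl3_7.38.0-4+deb8u13_amd64.deb"
    payload = b"constructed sample bytes, not a real .deb\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(payload)
        digest = hashlib.sha256(payload).hexdigest()
        changes = "\n".join([
            "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA512", "",
            "Format: 1.8", "Source: curl", "Version: 7.38.0-4+deb8u13",
            "Checksums-Sha256:",
            f" {digest} {len(payload)} {name}",
            f" {'0' * 64} 2824 curl_7.38.0-4+deb8u13.dsc",
            "", "-----BEGIN PGP SIGNATURE-----",
            "(signature omitted in this constructed sample)",
            "-----END PGP SIGNATURE-----", "",
        ])
        before = verify_files(changes, d)
        with open(path, "r+b") as f:  # flip the first byte; size unchanged
            f.write(b"X")
        after = verify_files(changes, d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The size check is deliberately done before hashing: a truncated or padded download is caught without reading it, and a same-size corruption (the second half of demo) still falls through to the digest comparison.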