Two vulnerabilities were discovered in cURL, a URL transfer library.
CVE-2018-1000005: Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie).
CVE-2018-1000007: Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.
For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9.
For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u4.
We recommend that you upgrade your curl packages.
For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl