[3.6] curl: Multiple vulnerabilities (CVE-2018-1000005, CVE-2018-1000007)
CVE-2018-1000005: HTTP/2 trailer out-of-bounds read
Affected versions:
libcurl 7.49.0 to and including 7.57.0
Not affected versions:
libcurl < 7.49.0 and >= 7.58.0
References:
https://curl.haxx.se/docs/adv_2018-824a.html
http://openwall.com/lists/oss-security/2018/01/24/3
Patch:
https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch
CVE-2018-1000007: HTTP authentication leak in redirects
Affected versions:
libcurl 7.1 to and including 7.57.0
Not affected versions:
libcurl >= 7.58.0
References:
https://curl.haxx.se/docs/adv_2018-b3bf.html
http://openwall.com/lists/oss-security/2018/01/24/4
Patch:
https://github.com/curl/curl/commit/af32cd3859336ab.patch
(from redmine: issue id 8440, created on 2018-01-28, closed on 2018-02-17)
- Relations:
- parent #8437 (closed)
- Changesets:
- Revision d44a5b86 on 2018-02-08T08:26:45Z:
main/curl: security upgrade to 7.58.0
CVE-2018-1000005, CVE-2018-1000007
Fixes #8440