curl-users
Re: Bug#74569: [SECURITY] buffer overflow in error handling
From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 14 Oct 2000 14:26:45 +0200 (MET DST)
On Fri, 13 Oct 2000, Domenico Andreoli wrote:
> some debian user found a buffer overflow in curl
I know. Colin Robert Phipps posted a very detailed report and fix a few days
ago.
> at the moment i cannot check new releases of curl for still having it. it
> doesn't seem such a big security hole but nobody really knows... :)
True
> i warmly suggest to patch the cvs tree in order to avoid this problem.
You'll find the bug report here:
http://sourceforge.net/bugs/?func=detailbug&bug_id=116688&group_id=976
You'll find a fix for the most recent version of curl at:
http://cvs.sourceforge.net/cgi-bin/cvsweb.cgi/lib/sendf.c.diff?cvsroot=curl&r1=1.10&r2=1.11&f=u
... the bug has been around for a very long time.
-- Daniel Stenberg -- curl project maintainer -- http://curl.haxx.se/
Received on 2000-10-14