curl-library

Re: Bug#342696: curl's off-by-one error (#342696, CVE-2005-4077) update for sarge

From: Domenico Andreoli <cavok_at_debian.org>
Date: Fri, 3 Mar 2006 17:22:24 +0100

On Wed, Mar 01, 2006 at 10:54:18PM +0100, Martin Schulze wrote:
> Domenico Andreoli wrote:
> > a long time ago the upstream developer informed me that the fix for
> > curl's CVE-2005-4077 now in sarge with 7.13.2-2sarge4 is not enough.
>
> Ouch!
>
> > i finally came up with a fixed curl 7.13.2-2sarge5 package. it is available
> > at http://people.debian.org/~cavok/curl/.
>
> Thanks a lot. Uploaded.
>
> I've also added the first part of the patch to the woody update.
>
> Could you tell us which version in sid corrects the correction?

7.15.1-1 already fixed this. please read
http://curl.haxx.se/mail/lib-2005-12/0119.html.

this correction is required only for versions between 7.11.2 (included)
and 7.14.0 (included). versions before 7.11.2 are not affected. after
7.14.0, the first patch (the one applied to get 7.13.2-2sarge3)
is enough.

cheers
domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50

Received on 2006-03-03