[3.8] curl: Multiple vulnerabilities (CVE-2018-1000005, CVE-2018-1000007)
CVE-2018-1000005: HTTP/2 trailer out-of-bounds read
Affected versions:
libcurl 7.49.0 to and including 7.57.0
Not affected versions:
libcurl < 7.49.0 and >= 7.58.0
References:
https://curl.haxx.se/docs/adv_2018-824a.html
http://openwall.com/lists/oss-security/2018/01/24/3
Patch:
https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch
CVE-2018-1000007: HTTP authentication leak in redirects
Affected versions:
libcurl 7.1 to and including 7.57.0
Not affected versions:
libcurl >= 7.58.0
References:
https://curl.haxx.se/docs/adv_2018-b3bf.html
http://openwall.com/lists/oss-security/2018/01/24/4
Patch:
https://github.com/curl/curl/commit/af32cd3859336ab.patch
(from redmine: issue id 8438, created on 2018-01-28, closed on 2018-02-08)
- Relations:
- parent #8437 (closed)