Package : curl and curl-ssl
Problem type : remote exploit
The version of curl as distributed with Debian GNU/Linux 2.2 had a
bug in the error logging code: when it created an error message it
failed to check the size of the buffer allocated for storing the
message. A remote machine could exploit this by returning an
invalid response to a request from curl that overflows the
error buffer and tricks curl into executing arbitrary code.
Debian ships with two versions of curl: the normal curl package,
and the crypto-enabled curl-ssl package. This bug has been fixed in
curl version 6.0-1.1 and curl-ssl version 6.0-1.2.
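The class of bug described above, shown as an added example that is not curl's code and not part of the original advisory: an error message built from a remote reply with an unbounded vsprintf, beside a bounded vsnprintf form that reports truncation. The function names, the 256-byte buffer size and the sample reply are assumptions constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 256 /* assumed size; the advisory does not give one */

/* Unsafe pattern of the kind the advisory describes: the message is
 * formatted with no regard for the size of the destination buffer. */
void set_error_unchecked(char *errbuf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(errbuf, fmt, ap); /* writes past errbuf if the text is too long */
    va_end(ap);
}

/* Bounded form: writes at most size bytes and always NUL-terminates.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int set_error_bounded(char *errbuf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (errbuf == NULL || size == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(errbuf, size, fmt, ap);
    va_end(ap);
    if (n < 0) { errbuf[0] = '\0'; return -1; }
    return (size_t)n >= size ? 1 : 0;
}

/* Constructed input: a remote reply far longer than the error buffer. */
int demo_oversized_reply(char *errbuf, size_t size)
{
    char reply[1024];
    memset(reply, 'A', sizeof reply - 1);
    reply[sizeof reply - 1] = '\0';
    return set_error_bounded(errbuf, size, "server replied: %s", reply);
}

int main(void)
{
    char errbuf[ERRBUF_SIZE];
    int rc = demo_oversized_reply(errbuf, sizeof errbuf);
    printf("truncated=%d stored=%zu bytes\n", rc, strlen(errbuf));
    return 0;
}
```

A return value of 1 tells the caller that remote data exceeded the buffer, which is worth logging because well-formed replies rarely do.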
We recommend you upgrade your curl or curl-ssl package
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
Debian GNU/Linux 2.1 alias slink
Slink did not contain curl or curl-ssl.
Debian GNU/Linux 2.2 alias potato
Potato was released for alpha, arm, i386, m68k, powerpc and
sparc. At this moment packages for m68k are not yet available; they
will later be announced on http://security.debian.org/.