Opened 9 years ago
Closed 9 years ago
#5773 closed enhancement (fixed)
Reported by: Fernando de Oliveira | Owned by: Fernando de Oliveira
CVE-2014-3707: libcurl duphandle read out of bounds
...

Affected versions: from libcurl 7.17.1 to and including 7.38.0
Not affected versions: libcurl >= 7.39.0

...

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to curl and libcurl 7.39.0
B - Apply the patch and rebuild libcurl
C - Avoid using CURLOPT_COPYPOSTFIELDS then curl_easy_duphandle()

If you are using PHP/CURL, we advise you to avoid curl_copy_handle() after CURLOPT_POSTFIELDS, since PHP then uses CURLOPT_COPYPOSTFIELDS "under the hood".

...

A patch for this problem is available at: http://curl.haxx.se/CVE-2014-3707.patch
Fixed in 7.39.0 - November 5 2014

Changes:

SSLv3 is disabled by default
CURLOPT_COOKIELIST: Added "RELOAD" command
build: Added WinIDN build configuration options to Visual Studio projects
ssh: improve key file search
SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
vtls: remove QsoSSL support, use gskit!
mk-ca-bundle: added SHA-384 signature algorithm
docs: added many examples for libcurl opts and other doc improvements
build: Added VC ssh2 target to main Makefile
MinGW: Added support to build with nghttp2
NetWare: Added support to build with nghttp2
build: added Watcom support to build with WinSSL
build: Added optional specific version generation of VC project files

Bugfixes:

...
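The affected range quoted in the advisory excerpt above can be checked on a host with a short script. This is an added example, not part of the ticket or of the curl project; the function names and the sample banner are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket or the curl project): check a libcurl
# version against the range the advisory lists for CVE-2014-3707.

# Convert "7.38.0", "7.38.0-DEV" or "7.9" to a comparable integer.
# Runs in a subshell so the IFS change does not leak to the caller.
ver_to_int() (
    v=${1%%[!0-9.]*}        # drop suffixes such as -DEV
    IFS=.
    set -- $v
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# Extract the library version from the first line of `curl --version`.
# The curl tool and the libcurl it loads can come from different builds,
# so the "libcurl/x.y.z" token is the one that matters here.
libcurl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# Print "affected", "not-affected" or "unknown" for one version string.
libcurl_cve_2014_3707_status() {
    n=$(ver_to_int "$1")
    [ "$n" -gt 0 ] || { echo unknown; return 0; }   # empty or unparsable
    lo=$(ver_to_int 7.17.1)     # first affected release per the advisory
    hi=$(ver_to_int 7.38.0)     # last affected release per the advisory
    if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample banner; on a real host use: banner=$(curl --version)
SAMPLE_BANNER='curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1j zlib/1.2.8'
found=$(libcurl_version_from_banner "$SAMPLE_BANNER")
echo "libcurl ${found:-?}: $(libcurl_cve_2014_3707_status "$found")"
```

A version match cannot tell whether option B was used, since a patched rebuild normally reports the same version number; treat "affected" as "in the affected range, confirm the patch status".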
Change History (3)
comment:1 by , 9 years ago
Status: new → assigned
comment:2 by , 9 years ago
Priority: normal → high
comment:3 by , 9 years ago
Status: assigned → closed
Fixed at r14846.