Opened 9 years ago

Closed 9 years ago

#5773 closed enhancement (fixed)


Reported by: Fernando de Oliveira
Owned by: Fernando de Oliveira
Priority: high
Milestone: 7.7
Component: BOOK
Version: SVN
Severity: normal
Keywords:


CVE-2014-3707: libcurl duphandle read out of bounds


    Affected versions: from libcurl 7.17.1 to and including 7.38.0
    Not affected versions: libcurl >= 7.39.0



We suggest you take one of the following actions immediately,
in order of preference:

A - Upgrade to curl and libcurl 7.39.0

B - Apply the patch and rebuild libcurl

C - Avoid using CURLOPT_COPYPOSTFIELDS then curl_easy_duphandle()

If you are using PHP/CURL, we advise you to avoid
curl_copy_handle() after CURLOPT_POSTFIELDS, since
PHP then uses CURLOPT_COPYPOSTFIELDS "under the hood".

A patch for this problem is available at:

 Fixed in 7.39.0 - November 5 2014


    SSLv3 is disabled by default
    build: Added WinIDN build configuration options to Visual Studio projects
    ssh: improve key file search
    SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
    vtls: remove QsoSSL support, use gskit!
    mk-ca-bundle: added SHA-384 signature algorithm
    docs: added many examples for libcurl opts and other doc improvements
    build: Added VC ssh2 target to main Makefile
    MinGW: Added support to build with nghttp2
    NetWare: Added support to build with nghttp2
    build: added Watcom support to build with WinSSL
    build: Added optional specific version generation of VC project files 
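
A version audit for the affected range quoted above, as an added example that is not part of the original ticket or of curl itself. The banner strings are constructed samples and the function names are hypothetical; the check reads the `libcurl/X.Y.Z` token rather than the tool version, because the flaw is in the library.

```python
import re

# Affected range as stated in the ticket: 7.17.1 up to and including 7.38.0.
FIRST_AFFECTED = (7, 17, 1)
LAST_AFFECTED = (7, 38, 0)

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def libcurl_version(banner):
    """Return the libcurl version tuple from the first line of `curl --version`.

    The leading "curl X.Y.Z" is ignored on purpose: the tool can be linked
    against a libcurl of a different version.
    """
    m = _LIBCURL_RE.search(banner)
    if m is None:
        raise ValueError("no libcurl/X.Y.Z token in banner")
    return tuple(int(part) for part in m.groups())


def from_version_num(num):
    """Decode the 0xXXYYZZ form used by LIBCURL_VERSION_NUM."""
    return ((num >> 16) & 0xFF, (num >> 8) & 0xFF, num & 0xFF)


def is_affected(version):
    """True when the version tuple lies inside the inclusive affected range."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def audit(banners):
    """Map each banner to (libcurl version, affected?)."""
    return [(v, is_affected(v)) for v in map(libcurl_version, banners)]


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1j zlib/1.2.8",
    "curl 7.39.0 (x86_64-pc-linux-gnu) libcurl/7.39.0 OpenSSL/1.0.1j zlib/1.2.8",
    "curl 7.39.0 (x86_64-pc-linux-gnu) libcurl/7.37.1 OpenSSL/1.0.1j zlib/1.2.8",
    "curl 7.17.0 (i686-pc-linux-gnu) libcurl/7.17.0 OpenSSL/0.9.8g zlib/1.2.3",
]

if __name__ == "__main__":
    for version, affected in audit(SAMPLES):
        print(".".join(map(str, version)), "AFFECTED" if affected else "ok")
```

A libcurl rebuilt with the patch (option B) still reports its original version number, so a flagged version means the build needs checking, not that it is necessarily unpatched.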


Change History (3)

comment:1 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 9 years ago

Priority: normal → high

comment:3 by Fernando de Oliveira, 9 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r14846.
