Andrey Labunets of Facebook discovered that cURL, an URL transfer library, fails to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl to access a specially crafted URL via an HTTP proxy could use this flaw to do additional requests in a way that was not intended, or insert additional request headers into the request.

For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy12. For the upcoming stable distribution (jessie), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 7.38.0-4. We recommend that you upgrade your curl packages.

curl is a command line tool for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.

curl on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2015/dsa-3122.html

---

Updated on 2015-03-25