(Ubuntu Issues Fix) cURL TFTP URL Processing Bug Lets Remote Users Obtain Potentially Sensitive Information on the Target System
|
SecurityTracker Alert ID: 1039545 |
SecurityTracker URL: http://securitytracker.com/id/1039545
|
CVE Reference:
CVE-2017-1000100
|
Date: Oct 11 2017
|
Impact:
Disclosure of system information
|
Fix Available: Yes
|
Vendor Confirmed: Yes
|
Version(s): 7.15.0 - 7.54.1
|
Description:
A vulnerability was reported in cURL. A remote user can obtain potentially sensitive information on the target system.
A remote user (e.g., HTTP server) can redirect the target user's curl request to a TFTP URL with a long filename to cause the target user's curl application to send portions of system memory to the remote user.
Both the curl command line tool and the libcurl library are affected.
Even Rouault reported this vulnerability.
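A local exposure check for the condition described above, as an added example that is not part of the advisory or of any vendor tooling: it parses `curl --version` output, compares the version against the 7.15.0 - 7.54.1 range and checks whether TFTP support is compiled in. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Affected range taken from the advisory: 7.15.0 - 7.54.1.
# Caveat: distributions backport fixes without changing the upstream version,
# so "check-package" means: confirm the USN-3441-1 update is installed.

# ver_to_int "7.54.1" -> 7054001 (major*1000000 + minor*1000 + patch)
ver_to_int() {
    v=${1%%[!0-9.]*}                      # drop suffixes such as "-DEV"
    IFS=. read -r major minor patch <<EOF
$v
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Succeeds when the version lies inside the advisory's affected range.
in_affected_range() {
    n=$(ver_to_int "$1")
    [ "$n" -ge "$(ver_to_int 7.15.0)" ] && [ "$n" -le "$(ver_to_int 7.54.1)" ]
}

# Succeeds when the "Protocols:" line of `curl --version` lists tftp.
has_tftp() {
    protos=$(printf '%s\n' "$1" | sed -n 's/^Protocols: *//p')
    case " $protos " in *" tftp "*) return 0 ;; esac
    return 1
}

# assess VERSION_OUTPUT -> prints not-affected | tftp-disabled | check-package | unknown
assess() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 2; }
    if ! in_affected_range "$ver"; then echo "not-affected"
    elif has_tftp "$1"; then echo "check-package"
    else echo "tftp-disabled"
    fi
}

# Constructed sample of `curl --version` output (not captured from a real host).
SAMPLE='curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0
Protocols: dict file ftp ftps http https tftp
Features: IPv6 Largefile'

echo "sample: $(assess "$SAMPLE")"
if command -v curl >/dev/null 2>&1; then
    echo "local:  $(assess "$(curl --version)")"
fi
```

The check covers only the `curl` command line tool on the path; applications that link or bundle their own libcurl need to be checked separately, since the advisory states that both are affected.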
|
Impact:
A remote user can obtain potentially sensitive information on the target system.
|
Solution:
Ubuntu has issued a fix.
The Ubuntu advisory is available at:
https://www.ubuntu.com/usn/usn-3441-1
|
Vendor URL: www.ubuntu.com/usn/usn-3441-1
|
Cause:
Boundary error
|
Underlying OS: Linux (Ubuntu)
|
Underlying OS Comments: 14.04 LTS, 16.04 LTS, 17.04
|