-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2660-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 20, 2013 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : curl Vulnerability : exposure of sensitive information Problem type : remote Debian-specific: no CVE ID : CVE-2013-1944 Debian Bug : 705274 Yamada Yasuharu discovered that cURL, an URL transfer library, is vulnerable to expose potentially sensitive information when doing requests across domains with matching tails. Due to a bug in the tailmatch function when matching domain names, it was possible that cookies set for a domain 'ample.com' could accidentally also be sent by libcurl when communicating with 'example.com'. Both curl the command line tool and applications using the libcurl library are vulnerable. For the stable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze3. For the testing distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy2. For the unstable distribution (sid), this problem has been fixed in version 7.29.0-2.1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJRcqt6AAoJEFb2GnlAHawEJsgH/RFAPpyxjMJs5IUbnaGBB17w p3sfg7uC92mYHvUcXb2tXLzJTJ7QBWZTbvo9Dnr0r72WU9AJCmOZ3FiSrU6hlLZG QommSJgi+614IjQV6IcYIs5MM4Ne/KNBAcz31ROr5xqRNLQo4N6cxBj9NKnsi1Ut f6xrQInVKp5WNx3qMGtxAKfVrCMcMRM0OTW+ASJI1r4smVSVdUBrJSkk0mg08jZG QQeAXtOOSbkahKpwcgGETgU+l1MTYkgjSZwwRtWJUbdPSeUrNl8SHM9Fa7h1c/j9 b/2odiynlhXYyOkj1PyPaNireEBsLOCY2xRZH27fZGh6AXFC07KS6Io4NYnDfJQ= =MBDd -----END PGP SIGNATURE-----