Date: Tue, 01 Mar 2005 18:18:03 -0500 From: "Frank J. Laszlo" <laszlof@tvog.net> To: "Simon L. Nielsen" <simon@FreeBSD.org> Cc: daniel quinn <freebsd@danielquinn.org> Subject: Re: curl -- authentication buffer overflow vulnerability. Message-ID: <4224F82B.3060206@tvog.net> In-Reply-To: <20050301222035.GA822@zaphod.nitro.dk> References: <200503011646.22680.freebsd@danielquinn.org> <20050301222035.GA822@zaphod.nitro.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
Simon L. Nielsen wrote: >On 2005.03.01 16:46:22 -0500, daniel quinn wrote: > > > >>Affected package: curl-7.12.3_2 >>Type of problem: curl -- authentication buffer overflow vulnerability. >>Reference: >><http://www.FreeBSD.org/ports/portaudit/96df5fd0-8900-11d9-aa18-0001020eed82.html>; >> >> >[...] > > > >>curl's website tells me that version 7.13.1 is available, so i'm thinking >>this is isolated to freebsd. >> >> > >The issue is present on all operating systems which ship curl, not >just FreeBSD. The latest version I can find is 7.13.0 which does not >have the issues fixed yet. > > Actually, the latest "FreeBSD" version is still 7.12.3. How that is any different from the others I have no idea. Thats probably the last version tested on FreeBSD. (after further reading it appears that the version reflected there is in direct relation to the version in ports.) Also note that the vulnerability only exists if you are using NTLM authentication. There is likely a way to disable this behavior if it is not being used. Hope this helps. Regards, Frank laszlo
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4224F82B.3060206>