News

=========================================================== Ubuntu Security Notice USN-228-1 December 12, 2005 curl vulnerability CVE-2005-4077 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: libcurl2 libcurl3 The problem can be corrected by upgrading the affected package to version 7.12.0.is.7.11.2-1ubuntu0.3 (for Ubuntu 4.10), 7.12.3-2ubuntu3.5 (libcurl3 for Ubuntu 5.04), 1:7.11.2-12ubuntu3.3 (libcurl2 for Ubuntu 5.04), or 7.14.0-2ubuntu1.2 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Stefan Esser discovered several buffer overflows in the handling of URLs. By attempting to load an URL with a specially crafted invalid hostname, a local attacker could exploit this to execute arbitrary code with the privileges of the application that uses the cURL library. It is not possible to trick cURL into loading a malicious URL with an HTTP redirect, so this vulnerability was usually not exploitable remotely. However, it could be exploited locally to e. g. circumvent PHP security restrictions.