Arch Linux Security Advisory ASA-201411-7 ========================================= Severity: Medium Date : 2014-11-11 CVE-ID : CVE-2014-3707 Package : curl Type : out-of-bounds read Remote : No Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package curl before version 7.39.0-1 is vulnerable to out-of-bounds read which may lead to information disclosure. Resolution ========== Upgrade to 7.39.0-1. # pacman -Syu "curl>=7.39.0-1" The problem has been fixed upstream [0] in version 7.39.0. Workaround ========== None. Description =========== Symeon Paraschoudis discovered that the curl_easy_duphandle() function has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending. Impact ====== This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used in that order, and then the duplicate handle must be used to perform the HTTP POST. The curl command line tool is not affected by this problem as it does not use this sequence. References ========== [0] https://github.com/bagder/curl/commit/b38756 https://access.redhat.com/security/cve/CVE-2014-3707 http://curl.haxx.se/docs/adv_20141105.html