Executive Summary

Titlecurl security update
NameDSA-4331First vendor Publication2018-11-02
VendorDebianLast vendor Modification2018-11-02
Severity (Vendor) N/ARevision1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score7.5Attack RangeNetwork
Cvss Impact Score6.4Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores


Two vulnerabilities were discovered in cURL, an URL transfer library.


Harry Sintonen discovered that, on systems with a 32 bit size_t, an integer overflow would be triggered when a SASL user name longer than 2GB is used. This would in turn cause a very small buffer to be allocated instead of the intended very huge one, which would trigger a heap buffer overflow when the buffer is used.


Brian Carpenter discovered that the logic in the curl tool to wrap error messages at 80 columns is flawed, leading to a read buffer overflow if a single word in the message is itself longer than 80 bytes.

For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u8.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl

Original Source

Url : http://www.debian.org/security/2018/dsa-4331

CWE : Common Weakness Enumeration

50 %CWE-125Out-of-bounds Read
50 %CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration


Nessus® Vulnerability Scanner

2018-11-07Name : The remote Debian host is missing a security update.
File : debian_DLA-1568.nasl - Type : ACT_GATHER_INFO
2018-11-05Name : The remote Debian host is missing a security-related update.
File : debian_DSA-4331.nasl - Type : ACT_GATHER_INFO
2018-11-02Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_e0ab177307c146c691704c5e81c00927.nasl - Type : ACT_GATHER_INFO
2018-11-01Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2018-304-01.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
2018-12-07 21:21:51
  • Multiple Updates
2018-12-07 17:21:22
  • Multiple Updates
2018-11-03 00:18:31
  • First insertion