Debian 10225 Published by

The following security updates has been released for Debian 6 LTS:

[DLA 84-1] curl security update
[DLA 85-1] libxml-security-java security update



[DLA 84-1] curl security update

Package : curl
Version : 7.21.0-2.1+squeeze10
CVE ID : CVE-2014-3707

Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL, an URL transfer library, has a bug that can lead to libcurl
eventually sending off sensitive data that was not intended for sending,
while performing a HTTP POST operation.

This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be
used in that order, and then the duplicate handle must be used to
perform the HTTP POST. The curl command line tool is not affected by
this problem as it does not use this sequence.

[DLA 85-1] libxml-security-java security update

Package : libxml-security-java
Version : 1.4.3-2+deb6u1
CVE ID : CVE-2013-2172

James Forshaw discovered that, in Apache Santuario XML Security for
Java, CanonicalizationMethod parameters were incorrectly validated:
by specifying an arbitrary weak canonicalization algorithm, an
attacker could spoof XML signatures.