Debian 10261 Published by

A curl security update has been released for Debian GNU/Linux 8 Extended LTS to address a security issue where a malicious server could force curl to overwrite the contents of local files with incoming HTTP headers.



ELA-251-1 curl security update

Package curl
Version 7.38.0-4+deb8u17
Related CVE CVE-2020-8177

A vulnerability was found in curl, a command line tool for transferring data with URL syntax.

When using when using -J (–remote-header-name) and -i (–include) in the same command line, a malicious server could force curl to overwrite the contents of local files with incoming HTTP headers.

For Debian 8 jessie, these problems have been fixed in version 7.38.0-4+deb8u17.

We recommend that you upgrade your curl packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-251-1 curl security update