libcurl vulnerability
Vladimir Panteleev
vladimir at thecybershadow.net
Fri Feb 8 00:25:51 PST 2013
Hello everyone,
Please be advised that the curl library, versions 7.26.0 up to and
including 7.28.1, is vulnerable to a buffer overflow
vulnerability. Although the vulnerability is in email-related
code (and thus affects the POP3, SMTP and IMAP protocols), a
malicious/compromised HTTP server can still redirect a library
request to a malicious mail server by using an HTTP redirect to a
pop3:// URL.
More information can be found here:
* http://curl.haxx.se/docs/adv_20130206.html
* http://blog.volema.com/curl-rce.html
I am posting this to digitalmars.D.announce, as D's standard
library includes bindings and wrappers for the curl library
(etc.c.curl and std.net.curl), so D users may be indirectly
affected.
Windows users who downloaded a precompiled curl library file from
http://dlang.org/download.html shouldn't be affected, as the
version of the library linked there (7.24.0) is not vulnerable.
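
A triage check for the version range given in the post above, added here as an example and not part of the original message or of curl or D: it parses `curl --version` or `curl_version()` style text, tests the 7.26.0 to 7.28.1 range, and reports whether POP3, SMTP or IMAP support is built in. The function names, status strings and sample inputs are constructed for illustration, and counting the TLS variants (pop3s, smtps, imaps) as the same protocols is an assumption.

```python
import re

# Range stated in the post: 7.26.0 up to and including 7.28.1.
FIRST_AFFECTED, LAST_AFFECTED = (7, 26, 0), (7, 28, 1)
# Protocols the post names as reaching the vulnerable email-related code.
MAIL_PROTOCOLS = {"pop3", "smtp", "imap"}

def parse_version_text(text):
    """Extract (major, minor, patch) and the protocol set, or None if not listed."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no 'libcurl/x.y.z' token found")
    version = tuple(int(part) for part in m.groups())
    protocols = None  # None = the text carried no "Protocols:" line
    for line in text.splitlines():
        if line.lower().startswith("protocols:"):
            protocols = set(line.split(":", 1)[1].lower().split())
    return version, protocols

def assess(text):
    """Classify one version string against the range and protocols in the post."""
    version, protocols = parse_version_text(text)
    in_range = FIRST_AFFECTED <= version <= LAST_AFFECTED
    if protocols is None:
        mail = None
    else:
        # Assumption: TLS variants (pop3s, smtps, imaps) count as the same protocol.
        mail = sorted(p for p in protocols if p.rstrip("s") in MAIL_PROTOCOLS)
    if not in_range:
        status = "not-in-range"
    elif mail == []:
        status = "in-range-mail-protocols-absent"
    else:
        status = "affected"  # an unknown protocol list is treated as affected
    return {"version": version, "mail_protocols": mail, "status": status}

# Constructed sample inputs (not captured from real systems).
SAMPLE_CLI = (
    "curl 7.27.0 (x86_64-pc-linux-gnu) libcurl/7.27.0 OpenSSL/1.0.1c zlib/1.2.7\n"
    "Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps\n"
)
SAMPLE_HTTP_ONLY = "curl 7.28.1 libcurl/7.28.1\nProtocols: file http https\n"
SAMPLE_OLD = "libcurl/7.24.0 OpenSSL/1.0.0e zlib/1.2.5"  # version the post calls not vulnerable

if __name__ == "__main__":
    for sample in (SAMPLE_CLI, SAMPLE_HTTP_ONLY, SAMPLE_OLD):
        print(assess(sample))
```

A build reported as `in-range-mail-protocols-absent` still carries a version inside the stated range, so it should be upgraded along with the rest.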