digitalmars.D.announce - libcurl vulnerability
- Vladimir Panteleev (18/18) Feb 08 2013 Hello everyone,
Hello everyone,

Please be advised that the curl library, versions 7.26.0 to and including 7.28.1, is vulnerable to a buffer overflow vulnerability. Although the vulnerability is in email-related code (and thus affects the POP3, SMTP and IMAP protocols), a malicious/compromised HTTP server can still redirect a library request to a malicious mail server by using an HTTP redirect to a pop3:// URL.

More information can be found here:

* http://curl.haxx.se/docs/adv_20130206.html
* http://blog.volema.com/curl-rce.html

I am posting this to digitalmars.D.announce, as D's standard library includes bindings and wrappers for the curl library (etc.c.curl and std.net.curl), so D users may be indirectly affected.

Windows users who downloaded a precompiled curl library file from http://dlang.org/download.html shouldn't be affected, as the version of the library linked there (7.24.0) is not vulnerable.
Feb 08 2013
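An added example, not part of the original post: a small audit that reads `curl --version` output and reports whether the linked libcurl falls in the 7.26.0 to 7.28.1 range given above, and which mail protocol handlers the build includes. The helper names, the inclusion of the TLS protocol variants and the sample banners are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Affected range as stated in the post: 7.26.0 up to and including 7.28.1.
FIRST_AFFECTED, LAST_AFFECTED = (7, 26, 0), (7, 28, 1)
# Protocols named in the post, plus the TLS variants curl lists (assumption).
MAIL_PROTOCOLS = {"pop3", "pop3s", "smtp", "smtps", "imap", "imaps"}

class Finding(NamedTuple):
    version: tuple            # libcurl version as (major, minor, patch)
    in_affected_range: bool   # inside 7.26.0..7.28.1 inclusive
    mail_protocols: list      # mail protocol handlers compiled into this build

def audit_curl_banner(banner: str) -> Finding:
    """Classify one `curl --version` output (hypothetical helper name)."""
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no libcurl/x.y.z token in banner")
    version = tuple(int(part) for part in m.groups())
    # Tuples compare numerically per component, so 7.9.8 < 7.26.0 holds;
    # comparing the raw strings would rank "7.9.8" above "7.26.0".
    in_range = FIRST_AFFECTED <= version <= LAST_AFFECTED
    protocols = []
    for line in banner.splitlines():
        if line.lower().startswith("protocols:"):
            protocols = line.split(":", 1)[1].lower().split()
    return Finding(version, in_range, sorted(MAIL_PROTOCOLS.intersection(protocols)))

# Constructed sample banners, not captured from real hosts.
SAMPLES = {
    "ci-linux": "curl 7.28.1 (x86_64-pc-linux-gnu) libcurl/7.28.1 OpenSSL/1.0.1c\n"
                "Protocols: ftp http https imap imaps pop3 pop3s smtp smtps",
    "http-only": "curl 7.27.0 (x86_64-pc-linux-gnu) libcurl/7.27.0 OpenSSL/1.0.1c\n"
                 "Protocols: http https",
    "windows-box": "curl 7.24.0 (i386-pc-win32) libcurl/7.24.0 zlib/1.2.5\n"
                   "Protocols: ftp http https imap pop3 smtp",
    "old-build": "curl 7.9.8 (i386-pc-linux-gnu) libcurl/7.9.8\n"
                 "Protocols: ftp http https",
}

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        f = audit_curl_banner(banner)
        state = "IN AFFECTED RANGE" if f.in_affected_range else "outside range"
        version = ".".join(map(str, f.version))
        print(f"{host}: libcurl {version} {state}; mail protocols: {f.mail_protocols}")
```

Distribution packages may carry backported fixes under an unchanged version number, so an in-range result is a prompt to check the package changelog rather than a final verdict.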