CVE-2014-3707
curl - security update
EPSS 0.23%
Description
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
How to fix CVE-2014-3707
To remediate CVE-2014-3707, upgrade the affected package to one of the fixed versions listed below.
- Debian/curl—upgrade to 7.38.0-3 or later
- Debian/curl—upgrade to 7.21.0-2.1+squeeze10 or later
- —upgrade to 7.26.0-1+wheezy11 or later
Is CVE-2014-3707 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 7.38.0-3
- from 0, < 7.21.0-2.1+squeeze10
- from 0, < 7.26.0-1+wheezy11