-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3455-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini January 27, 2016 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : curl CVE ID : CVE-2016-0755 Isaac Boukris discovered that cURL, an URL transfer library, reused NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for the new transfer. This could lead to HTTP requests being sent over the connection authenticated as a different user. For the stable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u3. For the unstable distribution (sid), this problem has been fixed in version 7.47.0-1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJWqLUPAAoJEK+lG9bN5XPLsy4P/3R2RbmDfBUUODkb+1sJlGY5 DJBcPwyy/oGA4RRYDqDUhFPp8vnxSFjud1hsjw0vOq3BPo0Tk8x1nVl7iv2vAvWr CICXdTIWj1oWjNKD7ZtP69LoPxNMwxYpj5T4dvC+n2yeiTDXxkPrUoucoDVtA45T VibBgOf/NmsEQDKMjxtjpHEGnyLqcgIKGtmpU7rhKg/V6cG8Uz2Td3AYc/R74h9O i57rmEaHN62C8a0C9V46X529tuOLw0x5Kz16x1vQcywecI6dxtYtE5MQ2khZvMwA jD7ibINp0+nLA3pzfi2rNo/0S1SXwlaLCQjEam8olgdwA6oMBPTZXw17pu0S0mmt YbIWzLosOAYZIonnaPYiLC3PWtEGEeBWIIXR1oBCCOUxHZ9uXAesEaa/gc71J/EF bUHGU4vUvAm3JHDmYGvfMxF5SuTFjdHAJl1rwCJ8/LZbgAN169cDpYdjm79P/rng zcovi0qSawaIdKqIeuaSZGiMGvIUmM2HDYV66PvgPVokAy2mawKwdxTaP8sWd++z WyhtP3xXj/Q3NXHByAUa+91bDwLFpnKVTbIe2SKNLCYrfrSkRTPxpIZV688eftsr AzwHk4sGkOcsnQ9O3JmS5uY8wxiEUM9TH3AevgwNFFPuW78dHhnn7AhccDnOijzO F0MGJ6q014k7/oUfHVW9 =l4R6 -----END PGP SIGNATURE-----