www.digitalmars.com         C & C++   DMDScript  

digitalmars.D.announce - libcurl vulnerability

Hello everyone,

Please be advised that the curl library, versions 7.26.0 to and 
including 7.28.1, is vulnerable to a buffer overflow 
vulnerability. Although the vulnerability is in email-related 
code (and thus affects the POP3, SMTP and IMAP protocols), a 
malicious/compromised HTTP server can still redirect a library 
request to a malicious mail server by using an HTTP redirect to a 
pop3:// URL.

More information can be found here:

* http://curl.haxx.se/docs/adv_20130206.html
* http://blog.volema.com/curl-rce.html

I am posting this to digitalmars.D.announce, as D's standard 
library includes bindings and wrappers for the curl library 
(etc.c.curl and std.net.curl), so D users may be indirectly 
affected.

Windows users who downloaded a precompiled curl library file from 
http://dlang.org/download.html shouldn't be affected, as the 
version of the library linked there (7.24.0) is not vulnerable.
Feb 08 2013