CVE-2016-8625

Published: 01 August 2018

curl before version 7.51.0 uses the outdated IDNA 2003 standard to handle International Domain Names, which may lead users to unknowingly issue network transfer requests to the wrong host.

Priority

Low

CVSS 3 base score: 7.5

Status

Package                          Release                           Status
curl (Launchpad, Ubuntu, Debian) Upstream                          Released (7.51.0)
                                 Ubuntu 20.04 LTS (Focal Fossa)    Not vulnerable (7.55.1-1ubuntu2.1)
                                 Ubuntu 18.04 LTS (Bionic Beaver)  Not vulnerable (7.55.1-1ubuntu2.1)
                                 Ubuntu 16.04 ESM (Xenial Xerus)   Ignored
                                 Ubuntu 14.04 ESM (Trusty Tahr)    Ignored

Patches:
Upstream: https://github.com/curl/curl/commit/9c91ec778104ae3b744b39444d544e82d5ee9ece

Notes

Author: mdeslaur
Note:
Upstream patch switched from libidn to libidn2 and may be causing issues, see:
https://curl.haxx.se/mail/lib-2016-11/0033.html
http://seclists.org/oss-sec/2016/q4/333

Fixing this is intrusive and is likely to cause regressions in
stable releases. As such, we will not be fixing this issue in
Ubuntu 16.04 LTS and earlier.
