New Alerts for curl, NetApp, and Linux.
When curl does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a MitM attack to go unnoticed and allows it to inject data to the client.
curl supports "chained" HTTP compression algorithms, with an unbounded number of acceptable "links" in this "decompression chain", allowing a malicious server to insert a virtually unlimited number of compression steps, resulting in an out of memory DoS.
A malicious server can serve excessive amounts of Set-Cookies headers in a HTTP response to curl and curl stores all of them, resulting in a DoS.
NetApp has published 8 new bulletins identifying vulnerabilities in third-party software included in their products. No patches yet.