On Tue, Feb 12, 2013 at 08:31:38PM +0100, Andreas Färber wrote:
> On 08.02.2013 08:49, Stefan Hajnoczi wrote:
> > There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is
> > simple: disable extra protocols so that they cannot be exploited. Full
> > details here:
> >
> > http://curl.haxx.se/docs/adv_20130206.html
> >
> > QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested
> > that this fix prevents the exploit on my host with
> > libcurl-7.27.0-5.fc18.
> >
> > Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
> > ---
> > The vulnerability is public and is in libcurl, not QEMU. We can work around
> > it in order to protect users whose machines have libcurl <7.29.
> >
> > Please add to QEMU 1.4-rc2.
>
> Stefan, this seems to have broken my setup on Mac OS X. You seem to
> require a newer version of cURL than configure checks...

Sending a fix.

Stefan
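
The breakage reported above comes from libcurl builds too old to restrict protocols themselves. The following is an added example, not code from this thread or from QEMU: a version gate for that capability plus a caller-side scheme allowlist for the five protocols named in the patch description. The function names are hypothetical, and it relies on the libcurl facts that `CURLOPT_PROTOCOLS` first appeared in 7.19.4 and that `LIBCURL_VERSION_NUM` is packed as 0xXXYYZZ.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* The five protocols the thread says QEMU needs (constructed allowlist). */
static const char *const allowed_schemes[] = {
    "http", "https", "ftp", "ftps", "tftp"
};

/* LIBCURL_VERSION_NUM is packed as 0xXXYYZZ; CURLOPT_PROTOCOLS was added
 * in libcurl 7.19.4, i.e. 0x071304. Older builds need the fallback below. */
int curl_can_restrict_protocols(unsigned long version_num)
{
    return version_num >= 0x071304UL;
}

/* Case-insensitive compare of s[0..len) against a lowercase scheme name. */
static int scheme_equals(const char *s, size_t len, const char *name)
{
    size_t i;

    if (strlen(name) != len)
        return 0;
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != name[i])
            return 0;
    return 1;
}

/* Hypothetical fallback check: 1 if url has an explicit allowlisted scheme.
 * Scheme-less URLs are refused because libcurl guesses the protocol from
 * host name prefixes such as "imap." or "pop3." when none is given. */
int url_scheme_allowed(const char *url)
{
    const char *sep = url ? strstr(url, "://") : NULL;
    size_t len, i;

    if (sep == NULL || sep == url || !isalpha((unsigned char)url[0]))
        return 0;
    len = (size_t)(sep - url);
    for (i = 1; i < len; i++)   /* RFC 3986 scheme characters only */
        if (!isalnum((unsigned char)url[i]) && !strchr("+-.", url[i]))
            return 0;
    for (i = 0; i < sizeof(allowed_schemes) / sizeof(allowed_schemes[0]); i++)
        if (scheme_equals(url, len, allowed_schemes[i]))
            return 1;
    return 0;
}
```

A check on the initial URL does not constrain what the library does after that point, so where `curl_can_restrict_protocols()` is true the library-level restriction remains the primary control.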